RE: strange http get requests in apache access logs

["Henry Troup" <HenryT () watchfire com>]

> > On 10/13/06, rowland onobrauche <rowland.onobrauche () legendplc com
> > Im getting logs such as
>
> > "GET
> > http://www.escorts-etc.com/cgi-bin/ftop100/rankem.cgi?id=gagvault
> > HTTP/1.0" 200 147 " http://www.gagvault.com/linkspage.html";
> > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>
> > In some of my httpd access logs, even though this type of site is
> > not existant on the server. Anyone seen this before??


Some mis-configured Apache servers will act as an open proxy; that appears to be what this request is.  Given that it's 
logged as a 200 OK, I'd say that you have that!

Since it looks like a hit counter - "rankem.cgi" - someone is using your bandwidth to pad their click rates.

Better check your configurations!

Henry Troup
Watchfire Corporation 

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------