Security Incidents mailing list archives
RE: [incidents] Bots hitting my web server?
From: "Marco A. Zamora Cunningham" <marco.zamora () cbbanorte com mx>
Date: Thu, 29 Aug 2002 12:06:26 -0500
Adam Bultman:
Apache 1.3.9, [...], with mod_proxy enabled. As a result, they were exploited and used by someone/something to fetch pages from remote servers. In many cases, ads (like service.bfast.com, etc) but in most cases, porn. Of course porn.
You're not seeing bots, you're seeing surfers in a misguided attempt to keep their "anonymity," or to defeat proxies that filter by domain/host in corporate/school environments (hence the porn site requests you see in your logs). Your server ended up in one or more open proxy lists after being scanned for this vulnerability. To confirm this, just look up your server's IP in Google. The best you can do is change the server's IP and not reuse it for some time (a year?) as a publicly-addressable server. This might not be possible if you have URLs with the IP address floating around (which is always a bad idea), but it's your only recourse now. Been there, done that... Marco Zamora ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: [incidents] Bots hitting my web server? Marco A. Zamora Cunningham (Aug 29)
- RE: [incidents] Bots hitting my web server? zcat (Aug 30)