Security Incidents mailing list archives

RE: [incidents] Bots hitting my web server?


From: "Marco A. Zamora Cunningham" <marco.zamora () cbbanorte com mx>
Date: Thu, 29 Aug 2002 12:06:26 -0500

Adam Bultman:
Apache 1.3.9, [...], with mod_proxy enabled.  As a result, 
they were exploited and used by someone/something to fetch
pages from remote servers. In many cases, ads (like 
service.bfast.com, etc) but in most cases, porn. Of
course porn. 

You're not seeing bots, you're seeing surfers in a misguided 
attempt to keep their "anonymity," or to defeat proxies 
that filter by domain/host in corporate/school environments
(hence the porn site requests you see in your logs).

Your server ended up in one or more open proxy lists after 
being scanned for this vulnerability. To confirm this, just 
look up your server's IP in Google.

The best you can do is change the server's IP and not reuse it
for some time (a year?) as a publicly-addressable server. This
might not be possible if you have URLs with the IP address 
floating around (which is always a bad idea), but it's your 
only recourse now.

Been there, done that...                        Marco Zamora

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
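
Added example, not part of the original message: a Python sketch that picks the proxy-form requests described above (an absolute URL or CONNECT in the request line, aimed at a host that is not yours) out of an Apache access log. OWN_HOSTS, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption for this example: the names and IP this server legitimately serves.
OWN_HOSTS = {"www.example.org", "192.0.2.10"}

# Apache common/combined log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

def proxy_target(request_line):
    """Return the remote host if the request line is in forward-proxy form, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":              # CONNECT host:port
        return target.rsplit(":", 1)[0].lower()
    if "://" in target:                  # absolute URI instead of a local path
        try:
            return urlsplit(target).hostname
        except ValueError:               # malformed URI, nothing to attribute
            return None
    return None

def find_proxy_requests(lines, own_hosts=OWN_HOSTS):
    """Count proxy-form requests for foreign hosts per (client, remote host)."""
    answered, refused = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        host = proxy_target(request)
        if host is None or host in own_hosts:
            continue
        # <400 only means "answered" (check sizes to confirm relaying); 4xx/5xx = refused
        (answered if status < 400 else refused)[(client, host)] += 1
    return answered, refused

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Aug/2002:10:01:02 -0500] "GET http://service.bfast.com/bfast/serve?x=1 HTTP/1.0" 200 5120',
    '203.0.113.9 - - [29/Aug/2002:10:02:00 -0500] "CONNECT remote.example:443 HTTP/1.0" 405 312',
    '203.0.113.20 - - [29/Aug/2002:10:03:00 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.20 - - [29/Aug/2002:10:03:01 -0500] "GET http://www.example.org/about.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(find_proxy_requests(SAMPLE_LOG))
```

Entries that stay in the answered counter after the proxy is closed are worth a second look, since a server with no proxying may still answer an absolute-URL request with its own local page.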

