
Funny Logs

Hello All

I wonder if anybody has seen something like this before.

We have a web server running apache which used to serve a dual 
purpose as a proxy cache server.  The proxy cache has long since 
been replaced by a box running squid.  

However instead of removing all of the "proxy" directives from the 
apache configuration we set it up to cascade the requests off the 
squid server.  This was done for the convenience of those users 
who still had the old proxy configuration in their browsers.  At this 
time in history there were never any access controls on the proxy 
function of the apache server.

As a result, until very recently we had an apache server which could 
be used as an anonymous proxy by anybody in the world.  In 
practice it did very little proxying at all.

Now quite recently we have been seeing logs like this:

- - [21/Mar/2001:06:22:20 +0200] "GET http://banner.eroxchange.de/life/xcshow?sunkel.83 HTTP/1.0" 302 0
- - [21/Mar/2001:06:22:21 +0200] "GET http://www.cyberparadies.de/banner/bannerkl2.gif HTTP/1.0" 200 1753
- - [21/Mar/2001:06:23:26 +0200] "GET http://www.eseasnavigator.com/cgi-bin/ads/ads.pl?page=01 HTTP/1.0" 302 0
- - [21/Mar/2001:06:23:27 +0200] "GET http://www.eseasnavigator.com/cgi-bin/ads/ads.pl?page=01;checkforcookie HTTP/1.0" 301 0
- - [21/Mar/2001:06:23:28 +0200] "GET http://ads.adflight.com/ad_3p.asp?pid=2985&sid=2929&asid=20376&ord=44 HTTP/1.0" 302 203
- - [21/Mar/2001:06:23:30 +0200] "GET http://servedby.advertising.com/site=22437/size=468060/bnum=62255627/bins=1/rich=0 HTTP/1.0" 302 110
- - [21/Mar/2001:06:23:31 +0200] "GET http://ad.doubleclick.net/ad/N2225.Advertising.com/B36146;sz=468x60;ord=0985148412? HTTP/1.0" 302 0
- - [21/Mar/2001:06:23:34 +0200] "GET http://m.doubleclick.net/viewad/525454-aibo_prints_3x.gif HTTP/1.0" 200 15255
- - [21/Mar/2001:06:24:44 +0200] "GET http://www.adbull.de/cgi-bin/cash4adverts.pl?banner=sabi1999 HTTP/1.1" 302 249
- - [21/Mar/2001:06:24:48 +0200] "GET http://www.tipp24.de/jamany/partner_banner/tipp468x60sofa004a_neu.gif HTTP/1.1" 200 11670

So we have put access controls onto the apache "proxy" function to 
restrict usage to our own users.

However I wonder what the motivation is.  Has somebody come up 
with a scam for using the open proxy to up the "hit count" on 
banner ads hosted on his pages?

If so, who would be most interested in these log files?



Ian Forbes ZSD
Office: +27 +21 683-1388  Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
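
An added example, not part of the original post: one way to pick proxy-style requests (absolute URI in the request line, as in the log excerpt above) out of an Apache access log and count the ones served to outside clients. It also covers CONNECT, which the post does not mention. The network range, local host name and log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP/\d\.\d" (\d{3}) (?:\d+|-)')

# Assumptions: our own client range and the names this server answers to.
# The client field is assumed to be an IP address (HostnameLookups off).
OUR_NET = ipaddress.ip_network("192.0.2.0/24")
LOCAL_HOSTS = {"www.example.org"}

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Mar/2001:06:20:01 +0200] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.11 - - [21/Mar/2001:06:21:40 +0200] "GET http://news.example.com/ HTTP/1.0" 200 9001',
    '203.0.113.7 - - [21/Mar/2001:06:22:20 +0200] "GET http://ads.example.net/show?id=83 HTTP/1.0" 302 0',
    '203.0.113.7 - - [21/Mar/2001:06:22:21 +0200] "GET http://ads.example.net/banner.gif HTTP/1.0" 200 1753',
    '203.0.113.7 - - [21/Mar/2001:06:22:25 +0200] "GET http://www.example.org/logo.gif HTTP/1.0" 200 840',
    '198.51.100.9 - - [21/Mar/2001:06:23:30 +0200] "GET http://track.example.com/click HTTP/1.1" 403 210',
    '198.51.100.9 - - [21/Mar/2001:06:23:31 +0200] "CONNECT mail.example.com:443 HTTP/1.0" 200 0',
]

def proxied_requests(lines):
    """Yield (client, destination host, status) for proxy-style requests to foreign hosts."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0]
        elif "://" in target:           # absolute-URI request line = proxy request
            host = urlsplit(target).hostname or ""
        else:
            continue                    # origin-form ("/path"): ordinary web traffic
        if host and host.lower() not in LOCAL_HOSTS:
            yield client, host.lower(), int(status)

def open_proxy_use(lines):
    """Count served (not 403) foreign proxy requests per outside client and destination."""
    hits = Counter()
    for client, host, status in proxied_requests(lines):
        if ipaddress.ip_address(client) not in OUR_NET and status != 403:
            hits[(client, host)] += 1
    return hits

if __name__ == "__main__":
    for (client, host), n in open_proxy_use(SAMPLE_LOG).most_common():
        print(f"{client} -> {host}: {n}")
```

Run against logs written after the access controls went in, any remaining entries from outside clients indicate the restriction is not taking effect.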
