Funny Logs
Hello All
I wonder if anybody has seen something like this before.
We have a web server running apache which used to serve a dual
purpose as a proxy cache server. The proxy cache has long since
been replaced by a box running squid.
However instead of removing all of the "proxy" directives from the
apache configuration we set it up to cascade the requests off the
squid server. This was done for the convenience of those users
who still had the old proxy configuration in their browsers. At this
time in history there were never any access controls on the proxy
function of the apache server.
As a result, until very recently we had an apache server which could
be used as an anonymous proxy by anybody in the world. In
practice it did very little proxying at all.
Now quite recently we have been seeing logs like this:
62.226.60.13 - - [21/Mar/2001:06:22:20 +0200] "GET http://banner.eroxchange.de/life/xcshow?sunkel.83 HTTP/1.0" 302 0
62.226.60.13 - - [21/Mar/2001:06:22:21 +0200] "GET http://www.cyberparadies.de/banner/bannerkl2.gif HTTP/1.0" 200 1753
64.26.134.29 - - [21/Mar/2001:06:23:26 +0200] "GET http://www.eseasnavigator.com/cgi-bin/ads/ads.pl?page=01 HTTP/1.0" 302 0
64.26.134.29 - - [21/Mar/2001:06:23:27 +0200] "GET http://www.eseasnavigator.com/cgi-bin/ads/ads.pl?page=01;checkforcookie HTTP/1.0" 301 0
64.26.134.29 - - [21/Mar/2001:06:23:28 +0200] "GET http://ads.adflight.com/ad_3p.asp?pid=2985&sid=2929&asid=20376&ord=44 HTTP/1.0" 302 203
64.26.134.29 - - [21/Mar/2001:06:23:30 +0200] "GET http://servedby.advertising.com/site=22437/size=468060/bnum=62255627/bins=1/rich=0 HTTP/1.0" 302 110
64.26.134.29 - - [21/Mar/2001:06:23:31 +0200] "GET http://ad.doubleclick.net/ad/N2225.Advertising.com/B36146;sz=468x60;ord=0985148412? HTTP/1.0" 302 0
64.26.134.29 - - [21/Mar/2001:06:23:34 +0200] "GET http://m.doubleclick.net/viewad/525454-aibo_prints_3x.gif HTTP/1.0" 200 15255
62.226.22.71 - - [21/Mar/2001:06:24:44 +0200] "GET http://www.adbull.de/cgi-bin/cash4adverts.pl?banner=sabi1999 HTTP/1.1" 302 249
62.226.22.71 - - [21/Mar/2001:06:24:48 +0200] "GET http://www.tipp24.de/jamany/partner_banner/tipp468x60sofa004a_neu.gif HTTP/1.1" 200 11670
So we have put access controls onto the apache "proxy" function to
restrict usage to our own users.
However I wonder what the motivation is. Has somebody come up
with a scam for using the open proxy to up the "hit count" on
banner ads hosted on his pages?
If so who would be most interested in these log files?
Cheers
Ian
---------------------------------------------------------------------
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
---------------------------------------------------------------------
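Added example, not part of the original post: a Python script that scans Common Log Format lines for proxy-style requests (an absolute URI or CONNECT in the request line) from clients outside the site's own address range, which is how the usage described above shows up in an Apache access log. The LOCAL_NETS range and the last two sample lines are constructed assumptions; the first three sample lines are taken from the log in the post.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)$')
# Assumption: the site's own users sit in this documentation range.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def proxied_host(method, target):
    """Return the upstream host if the request line is proxy-style, else None."""
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed target, e.g. unbalanced IPv6 brackets
        return None
    return parts.hostname.lower() if parts.scheme and parts.hostname else None

def is_local(client, local_nets):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # a hostname was logged; treat it as external
        return False
    return any(addr in net for net in local_nets)

def external_proxy_use(lines, local_nets=LOCAL_NETS):
    """Map each non-local client to {upstream host: request count}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue
        client, _time, method, target, _proto, _status, _size = m.groups()
        host = proxied_host(method, target)
        if host is not None and not is_local(client, local_nets):
            report[client][host] += 1
    return {client: dict(hosts) for client, hosts in report.items()}

SAMPLE = [
    '62.226.60.13 - - [21/Mar/2001:06:22:21 +0200] "GET http://www.cyberparadies.de/banner/bannerkl2.gif HTTP/1.0" 200 1753',
    '64.26.134.29 - - [21/Mar/2001:06:23:26 +0200] "GET http://www.eseasnavigator.com/cgi-bin/ads/ads.pl?page=01 HTTP/1.0" 302 0',
    '64.26.134.29 - - [21/Mar/2001:06:23:34 +0200] "GET http://m.doubleclick.net/viewad/525454-aibo_prints_3x.gif HTTP/1.0" 200 15255',
    '192.0.2.10 - - [21/Mar/2001:06:25:00 +0200] "GET http://www.example.org/ HTTP/1.0" 200 512',  # constructed: local user
    '198.51.100.7 - - [21/Mar/2001:06:25:02 +0200] "GET /index.html HTTP/1.0" 200 1024',  # constructed: normal page hit
]

if __name__ == "__main__":
    for client, hosts in external_proxy_use(SAMPLE).items():
        print(client, hosts)
```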