
Unexpected Domains in Webalizer / Apache Logs

  • zlogic
    Message 1 of 5 , Apr 16, 2004
      I am a Linux newbie - so excuse me if this question seems simplistic
      although I believe it to be a problem.

      I have been reviewing my Apache logs and for the last few weeks I
      have seen some unusual traffic in those logs. I am running Webalizer
      on those logs to produce usage graphs. In the section of Webalizer
      that shows "Top x of xx Total URLs" I see URLs that have nothing to
      do with my domain. In fact the Webalizer default is to show the top
      30 and my domain pages are nowhere to be seen. I see top domain is
      log icq com with 593,000 hits! The other domains listed are all
      foreign to me as well.

      This server is just a test/development server that I test code on at
      my house. It is attached to the Internet via a cable modem and is
      (supposed to be at least) behind a firewall.

      What can cause these log entries? Am I somehow on the Internet in a
      configuration that I shouldn't be? Please - any advice would be most
      appreciated.

      Here is a graphic showing what I am seeing:
      http://www.salug.org/~michaeld/WebAlizer.jpg

      thanks,
      Michael
    • Bradford L. Barrett
      Message 2 of 5 , Apr 16, 2004
        Check the format of your log file. Those look like referrers.

        --

        On Fri, 16 Apr 2004, zlogic wrote:

        > I am a Linux newbie - so excuse me if this question seems simplistic
        > although I believe it to be a problem.
        >
        > I have been reviewing my Apache logs and for the last few weeks I
        > have seen some unusual traffic in those logs. I am running Webalizer
        > on those logs to produce usage graphs. In the section of Webalizer
        > that shows "Top x of xx Total URLs" I see URLs that have nothing to
        > do with my domain. In fact the Webalizer default is to show the top
        > 30 and my domain pages are nowhere to be seen. I see top domain is
        > log icq com with 593,000 hits! The other domains listed are all
        > foreign to me as well.
        >
        > This server is just a test/development server that I test code on at
        > my house. It is attached to the Internet via a cable modem and is
        > (supposed to be at least) behind a firewall.
        >
        > What can cause these log entries? Am I somehow on the Internet in a
        > configuration that I shouldn't be? Please - any advice would be most
        > appreciated.
        >
        > Here is a graphic showing what I am seeing:
        > http://www.salug.org/~michaeld/WebAlizer.jpg
        >
        > thanks,
        > Michael
        --
        Bradford L. Barrett brad@...
        A free electron in a sea of neutrons DoD#1750 KD4NAW

        The only thing Micro$oft has done for society, is make people
        believe that computers are inherently unreliable.
      • zlogic
        Message 3 of 5 , Apr 16, 2004
          I could accept that.

          Here are a few lines from my access.log file:
          65.49.140.136 - - [11/Apr/2004:17:56:38 -0500] "GET http://worldsat.mytopsitelist.com/jump.php?cmd=in&list_id=worldsat&site_id=dk HTTP/1.0" 302 0 "-" "Mozilla/3.0 (compatible)"
          65.49.140.136 - - [11/Apr/2004:17:56:38 -0500] "GET http://worldsat.mytopsitelist.com/jump.php?cmd=in&list_id=worldsat&site_id=dk HTTP/1.0" 302 0 "-" "Mozilla/3.0 (compatible)"

          I did not expect to see this type of entry in the access.log file. I
          also have an incredible amount of traffic.

          Here is a link to the full webalizer file:
          http://www.salug.org/~michaeld/weba.htm

          --- In webalizer@yahoogroups.com, "Bradford L. Barrett" <brad@m...>
          wrote:
          >
          > Check the format of your log file. Those look like referrers.
          >
          > --
          >
          > On Fri, 16 Apr 2004, zlogic wrote:
          >
          > > I am a Linux newbie - so excuse me if this question seems simplistic
          > > although I believe it to be a problem.
          > >
          > > I have been reviewing my Apache logs and for the last few weeks I
          > > have seen some unusual traffic in those logs. I am running Webalizer
          > > on those logs to produce usage graphs. In the section of Webalizer
          > > that shows "Top x of xx Total URLs" I see URLs that have nothing to
          > > do with my domain. In fact the Webalizer default is to show the top
          > > 30 and my domain pages are nowhere to be seen. I see top domain is
          > > log icq com with 593,000 hits! The other domains listed are all
          > > foreign to me as well.
          > >
          > > This server is just a test/development server that I test code on at
          > > my house. It is attached to the Internet via a cable modem and is
          > > (supposed to be at least) behind a firewall.
          > >
          > > What can cause these log entries? Am I somehow on the Internet in a
          > > configuration that I shouldn't be? Please - any advice would be most
          > > appreciated.
          > >
          > > Here is a graphic showing what I am seeing:
          > > http://www.salug.org/~michaeld/WebAlizer.jpg
          > >
          > > thanks,
          > > Michael
          > --
          > Bradford L. Barrett brad@m...
          > A free electron in a sea of neutrons DoD#1750 KD4NAW
          >
          > The only thing Micro$oft has done for society, is make people
          > believe that computers are inherently unreliable.
        • enventa2000
          Message 4 of 5 , Apr 16, 2004
            Ooops! You seem to have an open proxy server. Probably you opened it
            by accident.


            After answering you I found your webalizer stats. Four of your ten top
            exit pages are proxy checkers... That looks bad. I really hope you
            have an anonymity-related webpage. Either that or your server is being
            used as a proxy by someone to hide their trails while they surf the
            web....
            http://hpcgi1.nifty.com/trino/ProxyJ/prxjdg.cgi
            http://www.samair.ru/proxy/proxychecker/results.htm
            http://www.glocksoft.net/cgi-bin/jenv.cgi
            http://www2.dokidoki.ne.jp/tomocrus/cgi-bin/check/prxjdg.cgi

            The samair.ru one checks specifically whether your proxy is
            transparent...


            Yikes! thousands of icq logins? That looks like zombie computers
            connecting to icq to receive orders from the person who programmed the
            virus or worms that converted those computers into zombies.

            Ouch! You may have been added to a public open relay list in some
            website or some dark icq site. People are using your server to do who
            knows what.

            That looks baaaad. I would be worried. There are lots of connections
            to Japanese online RPG games, some are in some oriental language,
            Japanese or Chinese, and they have downloaded some movies of 20 and
            120 megabytes from personal pages (look at "urls by kilobytes"). Chats,
            game pages... ugh.

            You have also lots of 502 "bad gateway" responses... not normal and
            not good.


            Post a pair of lines of your apache logfile, saying what the visitor
            is supposed to be visiting in them, just to discard problems in the
            log format. Also post the LogFormat and CustomLog lines on your
            httpd.conf files, to check that they are correct (you have read the
            post I made a few days ago about logfile format, right?).



            Hum, have you seen any sudden and strange rise in the amount of
            traffic? Do you have links to those pages you mention? (doesn't seem
            so). I checked a few and they seem quite strange pages, either empty
            pages, or secure connections to :443, the port for secure http, or
            connections to online rpg games webpages, or proxy checker pages! They
            surely don't have links to your page. Maybe they are using your apache
            as a proxy??? One of the links (http://hpcgi1.nifty.com/trino/ProxyJ/prxjdg.cgi)
            is a checker of your anonymity, as if someone was checking that their
            browser was not leaving traces on the Internet. You have 15303 hits to
            that! Probably I'm saying silliness or perhaps your server is being
            used as a proxy.



            To check it, execute this in your logfiles directory:
            grep access_log* -e \"CONNECT
            This should discover proxy attempts on your server. You should see
            some lines like:

            (...) "CONNECT ip_or_domain:perhaps_a_port HTTP/1.0" 405 (...)

            The number 405 means "method not allowed". If you see a different
            number... well... it depends on the number. Just post it here. You may
            see attempts to 1.3.3.7:1337 Those are probes and are quite usual,
            1-2 per week. "1337" is a joke and means "elite" (literally, "I am an
            elite hacker"). If one of those probes gets through then you are an
            open proxy, and hackers and spammers will screw you.


            Look at your search strings list. Some searches are for illegal things.
            That is not very reassuring. What about pulling the plug on your
            experimental server and switching to "normal" apache with default
            configuration for a while? Analyse only the logs generated by the
            "normal" apache to see if the weirdnesses disappear...

            And, for god's sake, post some CONNECT lines from your logs. I want to
            see them so I can know what happens when proxying is successful just in
            case it happens to me!



            --- In webalizer@yahoogroups.com, "zlogic" <zlogic@d...> wrote:
            > I am a Linux newbie - so excuse me if this question seems simplistic
            > although I believe it to be a problem.
            >
            > I have been reviewing my Apache logs and for the last few weeks I
            > have seen some unusual traffic in those logs. I am running Webalizer
            > on those logs to produce usage graphs. In the section of Webalizer
            > that shows "Top x of xx Total URLs" I see URLs that have nothing to
            > do with my domain. In fact the Webalizer default is to show the top
            > 30 and my domain pages are nowhere to be seen. I see top domain is
            > log icq com with 593,000 hits! The other domains listed are all
            > foreign to me as well.
            >
            > This server is just a test/development server that I test code on at
            > my house. It is attached to the Internet via a cable modem and is
            > (supposed to be at least) behind a firewall.
            >
            > What can cause these log entries? Am I somehow on the Internet in a
            > configuration that I shouldn't be? Please - any advice would be most
            > appreciated.
            >
            > Here is a graphic showing what I am seeing:
            > http://www.salug.org/~michaeld/WebAlizer.jpg
            >
            > thanks,
            > Michael
          • enventa2000
            Message 5 of 5 , Apr 16, 2004
              If CONNECT is rejected, you ought to see:

              access_log:194.149.73.250 - - [20/Feb/2004:21:14:35 +0100] "CONNECT 194.149.73.250:2048/ HTTP/1.1" 400 338
              access_log:193.133.199.115 - - [21/Feb/2004:14:20:34 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 297


              You see? Code 400 for HTTP/1.1 and code 405 for HTTP/1.0. This means
              that your server rejects proxying attempts.


              Good luck with your problem. I just saw that they were using your
              server to download zoofilia videos :P
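Detection logic for the check described in messages 4 and 5, as an added example that is not part of the thread or of Webalizer: it parses Apache access-log lines, flags the two proxy-style request shapes seen above (CONNECT requests and GET requests whose target is a full http://other-host/ URL), and separates the ones the server refused (4xx/5xx, such as the 400 and 405 quoted) from the ones it did not. The sample input reuses the three log lines quoted in the thread plus two constructed lines; the function names and the constructed addresses are my own.

```python
import re
from collections import Counter
# Apache common/combined log prefix, optionally preceded by the "file:" that
# grep prints when run over several access_log files, as in the thread.
LOG_RE = re.compile(
    r'^(?:[\w./-]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def classify(line):
    """Return (kind, verdict) for one access-log line.
    kind: 'connect' (CONNECT tunnel), 'absolute-uri' (target is a full
    http(s)://host/... URL), 'normal' (ordinary request), None if unparsable.
    verdict (proxy-style kinds only): 'rejected' for 4xx/5xx, e.g. the 400/405
    in the thread; 'accepted' below 400, meaning the server did not refuse it
    and, with ProxyRequests On, will have relayed it."""
    m = LOG_RE.match(line)
    if not m:
        return None, ''
    if m['method'] == 'CONNECT':
        kind = 'connect'
    elif re.match(r'https?://', m['target'], re.IGNORECASE):
        kind = 'absolute-uri'
    else:
        return 'normal', ''
    return kind, ('rejected' if int(m['status']) >= 400 else 'accepted')

def summarize(lines):
    """Count proxy-style requests per (kind, verdict, client ip)."""
    counts = Counter()
    for line in lines:
        kind, verdict = classify(line)
        if kind in ('connect', 'absolute-uri'):
            counts[(kind, verdict, LOG_RE.match(line)['ip'])] += 1
    return counts

# Sample input: the three lines quoted in the thread plus two constructed
# ones (198.51.100.7, 203.0.113.4 and 10.0.0.5 are made-up addresses).
SAMPLE_LINES = [
    '65.49.140.136 - - [11/Apr/2004:17:56:38 -0500] "GET http://worldsat.mytopsitelist.com/jump.php?cmd=in&list_id=worldsat&site_id=dk HTTP/1.0" 302 0 "-" "Mozilla/3.0 (compatible)"',
    'access_log:194.149.73.250 - - [20/Feb/2004:21:14:35 +0100] "CONNECT 194.149.73.250:2048/ HTTP/1.1" 400 338',
    'access_log:193.133.199.115 - - [21/Feb/2004:14:20:34 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 297',
    '198.51.100.7 - - [16/Apr/2004:09:12:01 -0500] "CONNECT 203.0.113.4:443 HTTP/1.0" 200 0',
    '10.0.0.5 - - [16/Apr/2004:09:15:44 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for (kind, verdict, ip), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f'{n:6d} {kind:12s} {verdict:9s} {ip}')
```

Any 'accepted' row is the thing to chase: an 'absolute-uri' request answered with a 2xx/3xx, like the 302 in message 3, means the request was not refused, and confirming it against the ProxyRequests setting in httpd.conf settles whether the server really relayed it.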