Re: Unexpected Domains in Webalizer / Apache Logs (looks bad...)

  • enventa2000
    Message 1 of 5, Apr 16, 2004
      Ooops! You seem to have an open proxy server. Probably you opened it
      by accident.

      After answering you I found your webalizer stats. Four of your ten top
      exit pages are proxy checkers... That looks bad. I really hope you
      have an anonymity-related webpage. Either that or your server is being
      used as a proxy by someone to hide their trails while they surf the

      The samair.ru one checks specifically whether your proxy is

      Yikes! thousands of icq logins? That looks like zombie computers
      connecting to icq to receive orders from the person who programmed the
      virus or worms that converted those computers into zombies.

      Ouch! You may have been added to a public open relay list on some
      website or some dark icq site. People are using your server to do who
      knows what.

      That looks baaaad. I would be worried. There are lots of connections
      to Japanese online RPG games, some are in some oriental language,
      Japanese or Chinese, and they have downloaded some movies of 20 and
      120 megas from personal pages (look at "urls by kilobytes"). Chats,
      game pages... ugh.

      You have also lots of 502 "bad gateway" responses... not normal and
      not good.

      Post a pair of lines of your apache logfile, saying what the visitor
      is supposed to be visiting in them, just to discard problems in the
      log format. Also post the LogFormat and CustomLog lines of your
      httpd.conf files, to check that they are correct (you have read the
      post I made a few days ago about logfile format, right?).

      Hum, have you seen any sudden and strange rise in the amount of
      traffic? Do you have links to those pages you mention? (doesn't seem
      so). I checked a few and they seem quite strange pages, either empty
      pages, or secure connections to :443, the port for secure http, or
      connections to online rpg games webpages, or proxy checker pages! They
      surely don't have links to your page. Maybe they are using your apache
      as a proxy??? One of the links
      (http://hpcgi1.nifty.com/trino/ProxyJ/prxjdg.cgi) is a checker of your
      anonymity, as if someone was checking that their browser was not
      leaving traces on the Internet. You have 15303 hits to that! Probably
      I'm saying silliness or perhaps your server is being used as a proxy.

      To check it, execute this in your logfiles directory:
      grep access_log* -e \"CONNECT
      This should discover proxy attempts on your server. You should see
      some lines like:

      (...) "CONNECT ip_or_domain:perhaps_a_port HTTP/1.0" 405 (...)

      The number 405 means "method not allowed". If you see a different
      number... well... it depends on the number. Just post it here. You may
      see attempts to Those are probes and are quite usual,
      1-2 per week. "1337" is a joke and means "elite" (literally, "I am an
      elite hacker"). If one of those probes gets through then you are an
      open proxy, and hackers and spammers will screw you.

      Look at your search strings list. Some searches are for illegal things.
      That is not very reassuring. What about pulling the plug on your
      experimental server and switching to "normal" apache with default
      configuration for a while? Analyse only the logs generated by the
      "normal" apache to see if the weirdnesses disappear...

      And, for god's sake, post some CONNECT lines from your logs. I want to
      see them so I can know what happens when proxying is successful, just
      in case it happens to me!

      --- In webalizer@yahoogroups.com, "zlogic" <zlogic@d...> wrote:
      > I am a Linux newbie - so excuse me if this question seems simplistic
      > although I believe it to be a problem.
      > I have been reviewing my Apache logs and for the last few weeks I
      > have seen some unusual traffic in those logs. I am running Webalizer
      > on those logs to produce usage graphs. In the section of Webalizer
      > that shows "Top x of xx Total URLs" I see URLs that have nothing to
      > do with my domain. In fact the Webalizer default is to show the top
      > 30 and my domain pages are nowhere to be seen. I see the top domain is
      > log.icq.com with 593,000 hits! The other domains listed are all
      > foreign to me as well.
      > This server is just a test/development server that I test code on at
      > my house. It is attached to the Internet via a cable modem and is
      > (supposed to be at least) behind a firewall.
      > What can cause these log entries? Am I somehow on the Internet in a
      > configuration that I shouldn't be? Please - any advice would be most
      > appreciated.
      > Here is a graphic showing what I am seeing:
      > http://www.salug.org/~michaeld/WebAlizer.jpg
      > thanks,
      > Michael
    • enventa2000
      Message 2 of 5, Apr 16, 2004
        If CONNECT is rejected, you ought to see:

        access_log: - - [20/Feb/2004:21:14:35 +0100] "CONNECT HTTP/1.1" 400 338
        access_log: - - [21/Feb/2004:14:20:34 +0100] "CONNECT HTTP/1.0" 405 297

        You see? Code 400 for HTTP/1.1 and code 405 for HTTP/1.0. This means
        that your server rejects proxying attempts.

        Good luck with your problem. I just saw that they were using your
        server to download zoophilia videos :P
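The two replies above describe the check by hand: grep the access log for CONNECT lines and read the status code, where 400/405 means the server refused to proxy and a 2xx means it did not. The script below is an added example, not code from the thread or from Webalizer; it parses Apache "combined" log lines, flags forward-proxy style requests (CONNECT, or a GET with an absolute http:// URL, which is how the icq/nifty URLs end up in the stats), and separates rejected from served attempts. The log lines are constructed samples with documentation IP addresses, not the poster's real data.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (not from the original thread): a normal page hit,
# a rejected CONNECT probe, an accepted CONNECT tunnel, and a forward-proxied GET.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Apr/2004:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.9 - - [16/Apr/2004:10:02:17 +0200] "CONNECT login.icq.com:5190 HTTP/1.0" 405 297 "-" "-"
198.51.100.9 - - [16/Apr/2004:10:02:40 +0200] "CONNECT example.net:443 HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - - [16/Apr/2004:10:03:05 +0200] "GET http://example.org/prxjdg.cgi HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [16/Apr/2004:10:03:09 +0200] "GET /proxy-check HTTP/1.1" 502 401 "-" "Mozilla/4.0"
"""

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_proxy_request(rec):
    """A CONNECT method or an absolute-URL request line is a forward-proxy use."""
    return rec["method"] == "CONNECT" or rec["target"].lower().startswith(("http://", "https://"))

def audit(log_text):
    """Split proxy-style requests into rejected (4xx/5xx) and served (2xx/3xx),
    counted by status code, and collect the client IPs that were actually served.
    Any entry under "served" means the server acted as an open proxy."""
    result = {"rejected": Counter(), "served": Counter(), "clients": set()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_proxy_request(rec):
            continue
        status = int(rec["status"])
        bucket = "served" if status < 400 else "rejected"
        result[bucket][status] += 1
        if bucket == "served":
            result["clients"].add(rec["host"])
    return result

if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    print("rejected:", dict(r["rejected"]), "served:", dict(r["served"]), "clients:", sorted(r["clients"]))
```

Run it over the real access_log* files instead of SAMPLE_LOG; an empty "served" counter is the outcome the second reply calls a healthy server.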