[users@httpd] Possible attack?

[Gene <li...@Bomgardner.net>]

Hi All:

I've been getting a lot of hits on my server lately that look like they 
might be some kind of exploit. Could someone be probing to see if my 
server will proxy? Could it BE proxying without my knowledge? The resukt 
code of 200 is disturbing.

The log entries look like these (and there are lots of them):

Thanks for any tips or help...
Gene

81.215.250.249 - - [24/Nov/2005:08:44:36 -0600] "GET / HTTP/1.1" 200 190 
"http://foto-porno-amatoriale.com" "Mozilla/4.0 (compatible; MSIE 6.0b; 
Windows NT 5.0; .NET CLR 1.0.2914)"
219.146.214.57 - - [24/Nov/2005:08:44:43 -0600] "GET / HTTP/1.1" 200 190 
"http://hosting-siti-adulti.com" "Mozilla/4.0 (compatible; MSIE 6.0b; 
Windows NT 5.0; .NET CLR 1.0.2914)"
218.244.31.242 - - [24/Nov/2005:08:45:29 -0600] "GET / HTTP/1.0" 200 190 
"http://foto-porno-amatoriale.com" "Mozilla/4.0 (compatible; MSIE 6.0b; 
Windows NT 5.0; .NET CLR 1.0.2914)"
85.98.104.235 - - [24/Nov/2005:08:45:33 -0600] "GET / HTTP/1.1" 200 190 
"http://puttane-grandi-tette.com" "Mozilla/4.0 (compatible; MSIE 6.0b; 
Windows NT 5.0; .NET CLR 1.0.2914)"
85.104.130.61 - - [24/Nov/2005:08:46:23 -0600] "GET / HTTP/1.1" 200 190 
"http://amatoriali.biz" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 
5.0; .NET CLR 1.0.2914)"


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Possible attack?

[Joshua Slive <js...@gmail.com>]

On 11/26/05, Gene <li...@bomgardner.net> wrote:

> Sorry about that. This is an area that I'm still learning about (one of
> many). Learning question: Why referrer spam? What benefit could anyone
> derive from it? Is there anything on the web about it? (I'll google around.)

Googling for "referer spam" and "google page rank" will fill you in. 
(Note that "referer" is deliberately misspelled because of an error in
the http specification.)  In short, google ranks pages in part by how
many links to them it can find on the web.  Since many people post
summaries of their referer logs on their websites, accessing a site
with a fake referer can create a link from a websites statistics page
to the attackers page, thereby increasing its rank in google.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Possible attack?

[Gene <li...@Bomgardner.net>]

Joshua Slive wrote:

>On 11/24/05, Gene <li...@bomgardner.net> wrote:
>  
>
>>Hi All:
>>
>>I've been getting a lot of hits on my server lately that look like they
>>might be some kind of exploit. Could someone be probing to see if my
>>server will proxy? Could it BE proxying without my knowledge? The resukt
>>code of 200 is disturbing.
>>
>>The log entries look like these (and there are lots of them):
>>    
>>
>
>The only thing unusual about those entries are the referer.  The
>request is a perfectly normal GET of your home page.  That leads me to
>believe that these are simply referer-spam, trying to pollute your
>logs (perhaps posted online) and hence get links that will be counted
>by google.  If so, you just did them a huge favor by posting their
>sites to this list, where your message will be picked up by a dozen or
>so web archives and boost their google ranks.  Oh well.  Other than
>that, I'd simply ignore them and make sure that you don't post
>anything from your referer logs on your website.
>
>  
>
Sorry about that. This is an area that I'm still learning about (one of 
many). Learning question: Why referrer spam? What benefit could anyone 
derive from it? Is there anything on the web about it? (I'll google around.)

Thanks
Gene


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Possible attack?

[Joshua Slive <js...@gmail.com>]

On 11/24/05, Gene <li...@bomgardner.net> wrote:
> Hi All:
>
> I've been getting a lot of hits on my server lately that look like they
> might be some kind of exploit. Could someone be probing to see if my
> server will proxy? Could it BE proxying without my knowledge? The resukt
> code of 200 is disturbing.
>
> The log entries look like these (and there are lots of them):

The only thing unusual about those entries are the referer.  The
request is a perfectly normal GET of your home page.  That leads me to
believe that these are simply referer-spam, trying to pollute your
logs (perhaps posted online) and hence get links that will be counted
by google.  If so, you just did them a huge favor by posting their
sites to this list, where your message will be picked up by a dozen or
so web archives and boost their google ranks.  Oh well.  Other than
that, I'd simply ignore them and make sure that you don't post
anything from your referer logs on your website.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org