Adam Bultman: > Apache 1.3.9, [...], with mod_proxy enabled. As a result, > they were exploited and used by someone/something to fetch > pages from remote servers. In many cases, ads (like > service.bfast.com, etc) but in most cases, porn. Of > course porn. You're not seeing bots, you're seeing surfers in a misguided attempt to keep their "anonymity," or to defeat proxies that filter by domain/host in corporate/school environments (hence the porn site requests you see in your logs). Your server ended up in one or more open proxy lists after being scanned for this vulnerability. To confirm this, just look up your server's IP in Google. The best you can do is change the server's IP and not reuse it for some time (a year?) as a publicly-addressable server. This might not be possible if you have URLs with the IP address floating around (which is always a bad idea), but it's your only recourse now. Been there, done that... Marco Zamora ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 11:33:44 PDT