RE: [incidents] Bots hitting my web server?

From: Marco A. Zamora Cunningham (marco.zamoraat_private)
Date: Thu Aug 29 2002 - 10:06:26 PDT


    Adam Bultman:
    > Apache 1.3.9, [...], with mod_proxy enabled.  As a result, 
    > they were exploited and used by someone/something to fetch
    > pages from remote servers. In many cases, ads (like 
    > service.bfast.com, etc) but in most cases, porn. Of
    > course porn. 
    
    You're not seeing bots, you're seeing surfers in a misguided 
    attempt to keep their "anonymity," or to defeat proxies 
    that filter by domain/host in corporate/school environments
    (hence the porn site requests you see in your logs).
    
    Your server ended up in one or more open proxy lists after 
    being scanned for this vulnerability. To confirm this, just 
    look up your server's IP in Google.
    
    The best you can do is change the server's IP and not reuse it
    for some time (a year?) as a publicly-addressable server. This
    might not be possible if you have URLs with the IP address 
    floating around (which is always a bad idea), but it's your 
    only recourse now.
    
    Been there, done that...			Marco Zamora
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 11:33:44 PDT
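
The relaying described in this thread is visible in the access log as request lines that carry an absolute URL, or a CONNECT, for a host that is not the server's own. The following is an added example, not part of the original message: a Python check over constructed Common Log Format lines, where the addresses, host names and function names are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format prefix: client, identity, user, [time], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) ')

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/2002:09:01:12 -0700] "GET http://ads.example.net/banner.gif HTTP/1.0" 200 4312',
    '192.0.2.10 - - [29/Aug/2002:09:01:13 -0700] "GET http://ads.example.net/click?id=7 HTTP/1.0" 200 911',
    '198.51.100.7 - - [29/Aug/2002:09:02:40 -0700] "CONNECT mail.example.org:25 HTTP/1.0" 405 312',
    '203.0.113.5 - - [29/Aug/2002:09:03:02 -0700] "GET /index.html HTTP/1.0" 200 2048',
    '203.0.113.5 - - [29/Aug/2002:09:03:05 -0700] "GET http://www.example.com/about.html HTTP/1.1" 200 1500',
]

def find_proxy_requests(lines, own_hosts):
    """Return (client, method, foreign_host, status, answered) per proxy-style request."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not Common Log Format, skip
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        parts = request.split()
        if len(parts) < 2:
            continue                      # malformed request line
        method, target = parts[0].upper(), parts[1]
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0].lower()            # CONNECT host:port
        elif "://" in target:
            host = (urlsplit(target).hostname or "").lower()   # absolute-URI form
        else:
            continue                      # origin-form ("/path"): ordinary request
        if host in own:
            continue                      # absolute URI naming this server is legitimate
        # 2xx/3xx: the server answered for a foreign host. That is a relay
        # candidate; it can also be the local default page, so compare sizes.
        hits.append((client, method, host, status, 200 <= status < 400))
    return hits

def summarize(hits):
    """Count answered vs refused proxy-style requests and the most requested hosts."""
    answered = [h for h in hits if h[4]]
    return {"answered": len(answered), "refused": len(hits) - len(answered),
            "top_hosts": Counter(h[2] for h in answered).most_common(3)}
```

A non-zero "answered" count after the proxy has been closed deserves a manual look at the response sizes, since a server that refuses to relay can still return its own page with a 200 for such a request.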