Thread: Weird Log Entries and

  1. #1 (Junior Member, joined Jan 2003, 5 posts)

    Hello...

    Long time lurker, first time poster. Pardon if this is in the wrong forum.

    I have reported this to my server provider, but I wanted to bring it up here and see what you all thought it was, or if you've had similar issues. They haven't fixed it yet.

    I've been developing a new PHP-based website, and each page is around 2k, if that.
    Starting on the 13th of January, my hits per day went from 500 at the most to almost 46000. Every day after that my hits per day have been floating between 10000 and 30000. I've been floating at around 300mb per day of data transfer since this started. I checked my webalizer stats, and I noticed this under the Top 30 URLs. All of the URLs are formatted like this...
    Top 30 of 57782 Total URLs
    # Hits Hits% KBytes KBytes% URL
    1 3340 1.46% 11824 1.40% /
    2 2110 0.92% 7552 0.89% 64.18.5.10:25
    3 1857 0.81% 6646 0.79% 65.54.252.99:25
    4 1820 0.80% 6514 0.77% 64.18.4.10:25
    5 1809 0.79% 6475 0.77% 64.4.50.50:25
    6 1785 0.78% 6389 0.76% 64.4.50.99:25
    7 1757 0.77% 6288 0.74% 65.54.166.99:25
    8 1727 0.76% 6181 0.73% 65.54.252.230:25
    9 1723 0.76% 6167 0.73% 65.54.166.230:25
    10 1702 0.75% 6092 0.72% 65.54.190.7:25
    11 1578 0.69% 5648 0.67% 65.54.190.50:25
    12 1435 0.63% 5136 0.61% 64.4.50.239:25
    13 1413 0.62% 5057 0.60% 65.54.253.99:25
    14 1408 0.62% 5039 0.60% 65.54.167.5:25
    15 1345 0.59% 4814 0.57% 64.4.50.179:25
    16 1324 0.58% 4739 0.56% 65.54.167.230:25
    17 1276 0.56% 4567 0.54% 65.54.190.230:25
    18 1233 0.54% 2352 0.28% /farscapeover.gif
    19 1232 0.54% 4409 0.52% 65.54.253.230:25
    20 1207 0.53% 4320 0.51% 65.54.190.179:25
    21 1053 0.46% 3769 0.45% 64.18.7.10:25
    22 774 0.34% 2770 0.33% 64.18.6.10:25
    23 620 0.27% 2219 0.26% 216.168.230.137:25
    24 596 0.26% 2133 0.25% 207.44.208.4:25
    25 588 0.26% 2105 0.25% 209.124.203.76:25
    26 557 0.24% 1994 0.24% 216.219.254.203:25
    27 553 0.24% 1979 0.23% 209.124.203.79:25
    28 544 0.24% 1947 0.23% 208.45.133.107:25
    29 543 0.24% 1943 0.23% 209.124.203.47:25
    30 524 0.23% 1875 0.22% 209.124.203.46:25
    Normally those stats would be the most requested files on my server, and supposedly I have these IPs with a connection to port 25 on my server. Also notice that there are 57782 total URLs.

    Here's a snippet of my latest visitors log; I've left the IPs in.

    Host: 82.80.252.152 **This is who is connecting to my server. The IP changes every few hours**

    209.217.36.7:25 <---**These are what they are asking for, and the http code 200 means it went through (I think).**
    Http Code: 200 Date: Jan 21 21:57:46 Http Version: HTTP/1.0 Size in Bytes: 3665
    Referer: -
    Agent: -
    |
    |
    |

    208.49.24.14:25
    Http Code: 200 Date: Jan 21 21:58:08 Http Version: HTTP/1.0 Size in Bytes: 3665
    Referer: -
    Agent: -
    |
    |
    |

    193.110.232.68:25
    Http Code: 200 Date: Jan 21 21:59:49 Http Version: HTTP/1.0 Size in Bytes: 3665
    Referer: -
    Agent: -
    |
    |
    |

    62.134.61.33:25
    Http Code: 200 Date: Jan 21 21:59:53 Http Version: HTTP/1.0 Size in Bytes: 3665
    Referer: -
    Agent: -
    At first, I thought someone had exploited a PHP page that had the mail() function in it, but after deleting ALL of my test .php pages and .html pages on my ENTIRE site, it is still going on. All that's left on the server is a few pictures. I've also changed all my mail passwords.

    Any ideas?

    Cheers.

  2. #2 (Junior Member, joined Jan 2003, 5 posts)
    Sorry about the topic title... I forgot I didn't finish entering it... :/

    **edited this in**

    This also appears every 7 minutes before the ones above...

    Host: 64.235.248.242

    200
    Http Code: "-" Date: Jan 22 00:54:24 Http Version: 3665 Size in Bytes: "-"
    Referer:
    Agent:

  3. #3 (XPGOD, Junior Member, joined Nov 2004, 5 posts)
    Ok, so they are connecting through port 25, what emails are redirecting?

    I ask that because Microsoft Corp. Inc. out of Redmond, WA is who a large majority of those IPs bounce back to.

    Your #2 spot belongs to Postini Inc, in Los Angeles, CA. 64.18.5.10, or should I say a server in LA. Their HQ is in Redwood City, CA, at 510 Veterans Blvd.

    They are nonetheless an Email Security Services company. Please make sure you are not having your email scanned or whatnot through them for things like spam or viruses, or that your hoster is not doing this. This looks like something they, more than you, may be into.

    65.54.252.99
    64.4.50.50
    64.4.50.99
    65.54.166.99
    I'm not going any more or my CTRL+C and V will break, but those above IPs... all HOTMAIL.

    So this looks like you are indeed pushing your hotmail...please confirm

  4. #4 (Junior Member, joined Jan 2003, 5 posts)
    I have notified the server provider of the problem, but haven't heard of anything back yet.

    I did have a .php page with the mail() function in it for user registration, but I'm not aware of any vulnerabilities that arose from using it. I did have data filtering in place, and these requests were still being made after I deleted all the files.

    Other than that, all the requests are made through HTTP, and I have nothing in my logs concerning sent emails. There have been no bounce-back messages either.

  5. #5 (XPGOD, Junior Member, joined Nov 2004, 5 posts)
    Well, without knowing the full extent of what you used the page for, and or who "signed" up, it would be difficult to say why or how this is being there.

    I know that bots tend to stroll through a page x26 multiple connections, but these are all on port 25, so.... we know that SMTP is in fact involved.

    If it were me, I'd contact some people, get some info going, and or put up a packetsniffer, and send that data in.

  6. #6 (Junior Member, joined Jan 2003, 5 posts)
    Well...

    While I never found out the cause of the problem, I did do a mod_rewrite with some help and it seemed to stop what was going on for now.

  7. #7 (Senior Member, central il, joined Mar 2003, 1,779 posts)
    What OS are you running on the server? Make sure that there isn't a mail server running, or if there is, turn it off. My guess is that you are set up as an open relay and some spammers were bouncing off of you.
    Who is more trustworthy than all of the gurus or Buddhas?

  8. #8 (Junior Member, joined Jan 2003, 5 posts)
    Finally figured this out, with NO help from my server provider, but someone did know what was up and let me know...

    They were connecting using the CONNECT method.

    82.80.252.179 - - [19/Jan/2005:03:53:17 -0600] "CONNECT 207.176.130.80:25 HTTP/1.0" 200 3665 "-" "-"
    64.69.40.192 - - [19/Jan/2005:03:53:18 -0600] "CONNECT 208.179.93.160:25 HTTP/1.0" 200 3665 "-" "-"
    203.98.164.134 - - [19/Jan/2005:03:53:21 -0600] "CONNECT 38.113.1.61:25 HTTP/1.0" 200 3665 "-" "-"
    Here are some URLs that explain what was going on.

    http://archives.neohapsis.com/archi...02-11/0137.html

    http://lists.debian.org/debian-isp/...6/msg00041.html

    A simple httpd.conf edit and the problem was fixed. You can also deal with it via a mod_rewrite if you're using apache.

  9. #9 (Senior Member, joined Jan 2002, 1,207 posts)
    The problem you have, is that HTTP proxying appears to be enabled for anyone on your web server.

    You MUST reconfigure it immediately to prevent it from continuing to be used as an open proxy.

    They are probably spammers using your machine as a proxy to hide their original IP when sending junk.

    If you're not using it, DISABLE all proxy features on your web server immediately. Otherwise, restrict them to valid accounts or IP addresses internal to your organisation.

    Slarty
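The CONNECT lines quoted in post #8 and the open-proxy diagnosis in post #9 can be checked against an access log directly. This is an added example, not code from the thread or its posters; it assumes Apache combined log format and runs on constructed sample lines (three copied from post #8, the others invented, including a 403 line showing what the log looks like once proxying is refused).

```python
import re
from collections import Counter

# Apache "combined" log format, the layout of the lines quoted in post #8.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "[^"]*"$'
)

# Constructed sample: three CONNECT lines from post #8, a normal page hit, an
# absolute-URI proxy request, and a CONNECT refused (403) after proxying was disabled.
SAMPLE_LOG = """\
82.80.252.179 - - [19/Jan/2005:03:53:17 -0600] "CONNECT 207.176.130.80:25 HTTP/1.0" 200 3665 "-" "-"
64.69.40.192 - - [19/Jan/2005:03:53:18 -0600] "CONNECT 208.179.93.160:25 HTTP/1.0" 200 3665 "-" "-"
203.98.164.134 - - [19/Jan/2005:03:53:21 -0600] "CONNECT 38.113.1.61:25 HTTP/1.0" 200 3665 "-" "-"
10.0.0.5 - - [19/Jan/2005:03:54:02 -0600] "GET /farscapeover.gif HTTP/1.1" 200 2352 "-" "Mozilla/5.0"
82.80.252.179 - - [19/Jan/2005:03:54:10 -0600] "GET http://203.0.113.7/ HTTP/1.0" 200 512 "-" "-"
82.80.252.179 - - [19/Jan/2005:04:10:00 -0600] "CONNECT 207.176.130.80:25 HTTP/1.0" 403 0 "-" "-"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_proxy_request(rec):
    """A CONNECT tunnel (host:port target) or an absolute-URI request for
    another host: a plain web site should answer neither with 200."""
    return rec["method"] == "CONNECT" or rec["target"].lower().startswith(("http://", "https://"))

def audit(log_text):
    """Summarise proxy abuse: per-client counts of proxy requests that were
    relayed (2xx) or refused, plus which destination ports CONNECT targeted."""
    relayed, refused, ports = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_proxy_request(rec):
            continue
        if rec["status"].startswith("2"):
            relayed[rec["client"]] += 1
            if rec["method"] == "CONNECT":
                ports[rec["target"].rpartition(":")[2]] += 1
        else:
            refused[rec["client"]] += 1
    return relayed, refused, ports

if __name__ == "__main__":
    relayed, refused, ports = audit(SAMPLE_LOG)
    for client, n in relayed.most_common():
        print(f"{client}: {n} proxy request(s) relayed")
    print("CONNECT destination ports:", dict(ports), "| refused:", dict(refused))
```

A healthy site's log should show every proxy-style request in the refused bucket; any 2xx there means the server is still relaying, which is exactly the port-25 traffic the webalizer table above was counting as "URLs".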
