cross-site scripting attack?

my brother's server has had some problems and his sysadmin buddy keeps insisting it's a 'cross site scripting attack' that somehow preys on fopen(). His apache error log is full of errors like this:

Code:

---

[Thu Jan 18 09:30:24 2007] [error] [client 221.6.253.34] File does not exist: E:/conduit/site/mb
 [Thu Jan 18 09:30:36 2007] [error] [client 68.192.221.84] File does not exist: E:/conduit/site/cgi-bin, referer: http://www.anonymitytest.com/cgi-bin/jenv.cgi
 [Thu Jan 18 09:30:41 2007] [error] [client 68.192.221.84] File does not exist: E:/conduit/site/cgi-bin, referer: http://www.anonymitytest.com/cgi-bin/jenv.cgi
 [Thu Jan 18 09:30:54 2007] [error] [client 211.55.160.235] File does not exist: E:/conduit/site/f1.member.ird.yahoo.com, referer: http://edit.korea.yahoo.com

---

We have no idea who www.anonymitytest.com is.

The apache access log is also full of domains that we do not recognize. How can it be that our apache log has domains that we haven't mapped to it?

Code:

---

209.190.9.18 - - [18/Jan/2007:08:44:23 -0800] "CONNECT 61.155.13.170:25 HTTP/1.0" 200 29273
 85.185.227.2 - - [18/Jan/2007:08:44:32 -0800] "GET http://www.sparklehits.com/directory/Personal+Finance/aff/1379 HTTP/1.0" 404 3487
209.11.243.66 - - [18/Jan/2007:08:43:25 -0800] "CONNECT 85.93.75.5:25 HTTP/1.0" 200 29273
 61.16.156.107 - - [18/Jan/2007:08:43:28 -0800] "GET http://www.jadesearch.net/index.php?uid=171&REQ=Massage+Chair HTTP/1.0" 404 3511

---

Quote:

---

209.11.243.66 - - [18/Jan/2007:08:43:25 -0800] "CONNECT 85.93.75.5:25 HTTP/1.0" 200 29273

---

Looks like your website is being used as a proxy (via CONNECT). You need to use LimitExcept for each directory served (http://httpd.apache.org/docs/2.2/mod...l#limitexcept).

The first ones look like you might have a vulnerable CGI script that someone is trying to abuse to access files on the local file system.