Weird Log Entries and

[st34ever]

Hello...

Long time lurker, first time poster. Pardon if this is in the wrong forum.

I have reported this to my server provider, but I wanted to bring it up here and see what you all thought it was, or if you've had similar issues. They haven't fixed it yet.

I've been developing a new php based website, and each page is around 2k, if that.
Starting on the 13th of January, my hits per day went from 500 at the most, to almost 46000. Everyday after that my hits per day have been floating between 10000 and 30000. I've been floating at around 300mb perday of data transfer since this started. I checked my webalizer stats, and I noticed this under the Top 30 URLs. All of the urls are formatted like this...

Top 30 of 57782 Total URLs
# Hits KBytes URL
1 3340 1.46% 11824 1.40% /
2 2110 0.92% 7552 0.89% 64.18.5.10:25
3 1857 0.81% 6646 0.79% 65.54.252.99:25
4 1820 0.80% 6514 0.77% 64.18.4.10:25
5 1809 0.79% 6475 0.77% 64.4.50.50:25
6 1785 0.78% 6389 0.76% 64.4.50.99:25
7 1757 0.77% 6288 0.74% 65.54.166.99:25
8 1727 0.76% 6181 0.73% 65.54.252.230:25
9 1723 0.76% 6167 0.73% 65.54.166.230:25
10 1702 0.75% 6092 0.72% 65.54.190.7:25
11 1578 0.69% 5648 0.67% 65.54.190.50:25
12 1435 0.63% 5136 0.61% 64.4.50.239:25
13 1413 0.62% 5057 0.60% 65.54.253.99:25
14 1408 0.62% 5039 0.60% 65.54.167.5:25
15 1345 0.59% 4814 0.57% 64.4.50.179:25
16 1324 0.58% 4739 0.56% 65.54.167.230:25
17 1276 0.56% 4567 0.54% 65.54.190.230:25
18 1233 0.54% 2352 0.28% /farscapeover.gif
19 1232 0.54% 4409 0.52% 65.54.253.230:25
20 1207 0.53% 4320 0.51% 65.54.190.179:25
21 1053 0.46% 3769 0.45% 64.18.7.10:25
22 774 0.34% 2770 0.33% 64.18.6.10:25
23 620 0.27% 2219 0.26% 216.168.230.137:25
24 596 0.26% 2133 0.25% 207.44.208.4:25
25 588 0.26% 2105 0.25% 209.124.203.76:25
26 557 0.24% 1994 0.24% 216.219.254.203:25
27 553 0.24% 1979 0.23% 209.124.203.79:25
28 544 0.24% 1947 0.23% 208.45.133.107:25
29 543 0.24% 1943 0.23% 209.124.203.47:25
30 524 0.23% 1875 0.22% 209.124.203.46:25

Normall those stats would be the most requested files on my server and supposedly I have these IP's with a connection to port 25 on my server. Also notice that there are 57782 total URLs.

Here's a snippet of my latest visitors log, i've left the IP's in.

Host: 82.80.252.152 **This is who is connecting to my server. The IP changes every few hours**

209.217.36.7:25 <---**These are what they are asking for, and the http code 200 means it went through (I think).**
Http Code: 200 Date: Jan 21 21:57:46 Http Version: HTTP/1.0 Size in Bytes: 3665
Referer: -
Agent: -
|
|
|

208.49.24.14:25
Http Code: 200 Date: Jan 21 21:58:08 Http Version: HTTP/1.0 Size in Bytes: 3665
Referer: -
Agent: -
|
|
|

193.110.232.68:25
Http Code: 200 Date: Jan 21 21:59:49 Http Version: HTTP/1.0 Size in Bytes: 3665
Referer: -
Agent: -
|
|
|

62.134.61.33:25
Http Code: 200 Date: Jan 21 21:59:53 Http Version: HTTP/1.0 Size in Bytes: 3665
Referer: -
Agent: -

At first, I thought someone had exploited a php page that had the mail() function in it, but after deleting ALL of my test .php pages and .html pages on my ENTIRE site, it is still going on. All that's left on the server is a few pictures. I've also changes all my mail passwords.

Any ideas?

Cheers.

[st34ever]

Sorry bout the topic title...I forgot I didn't finish entering it...:/

**edited this in**

This also appears every 7 minutes before the ones above...

Host: 64.235.248.242

200
Http Code: "-" Date: Jan 22 00:54:24 Http Version: 3665 Size in Bytes: "-"
Referer:
Agent:

[XPGOD]

Ok, so they are connecting through port 25, what emails are redirecting?

I ask that because Microsoft Corp. Inc. out of Redmond, WA is who a large majority of those IP's bounce back to.

Your #2 spot belongs to Postini Inc, in Los Angeles, CA. 64.18.5.10 or should I say a Server in LA. Their HQ is in Redwood City, CA. at 510 Veterens Blvd.

They non-the-less are a Email Security Services Company. Please make sure you are not having your email scanned or what not through them on things like Spam, or Viruses. Or that your hoster is not doing this. This looks like something they more than you may be in to.

65.54.252.99
64.4.50.50
64.4.50.99
65.54.166.99
I'm not going any more or my CTRL+C and V will break but those above IP's....all HOTMAIL.

So this looks like you are indeed pushing your hotmail...please confirm

[st34ever]

I have notified the server provider of the problem, but haven't heard of anything back yet.

I did have a .php page with the mail() function in it for user registration, but I'm not aware of any vunerabilities that arose from using it. I did have data filtering in place, and these requests were still being made after I deleted all the files.

Other then that, all the requests are made through http, and I have nothing in my logs concerning sent emails. There have been no bounce back messages either.

[XPGOD]

Well, without knowing the full extent of what you used the page for, and or who "signed" up, it would be difficult to say why or how this is being there.

I know that bots tend to stroll through a page x26 multiple connections, but these are all on port 25 so.... we know that SMTP is infact involved.

If it were me, I'd contact some people, get some info going, and or put up a packetsniffer, and send that data in.

[st34ever]

Well...

While I never found out the cause of the problem, I did do a mod_rewrite with some help and it seemed to stop what was going on for now.

[bballad]

What os are you running on the server? make sure that there isn't a mail server running, or if there is turn it off my guess is that you are setup as an open relay and some spammers where bouncing off of you

[st34ever]

Finally figured this out, with NO help from my server provider, but someone did know what was up and let me know...

They were connecting using the CONNECT method.

82.80.252.179 - - [19/Jan/2005:03:53:17 -0600] "CONNECT 207.176.130.80:25 HTTP/1.0" 200 3665 "-" "-"
64.69.40.192 - - [19/Jan/2005:03:53:18 -0600] "CONNECT 208.179.93.160:25 HTTP/1.0" 200 3665 "-" "-"
203.98.164.134 - - [19/Jan/2005:03:53:21 -0600] "CONNECT 38.113.1.61:25 HTTP/1.0" 200 3665 "-" "-"

Here are some URL's that explain what was going on.

http://archives.neohapsis.com/archi...02-11/0137.html

http://lists.debian.org/debian-isp/...6/msg00041.html

A simple httpd.conf edit and the problem was fixed. You can also deal with it via a mod_rewrite if you're using apache.

[slarty]

The problem you have, is that HTTP proxying appears to be enabled for anyone on your web server.

You MUST reconfigure it immediately to prevent it from continuing to be used as an open proxy.

They are probably spammers using your machine as a proxy to hide their original IP when sending junk.

If you're not using it, DISABLE all proxy features on your web server immediately. Otherwise, restrict them to valid accounts or IP addresses internal to your organisation.

Slarty