Hello All,

I wonder if anybody has seen something like this before.

We have a web server running apache which used to serve a dual purpose as a proxy cache server. The proxy cache has long since been replaced by a box running squid. However, instead of removing all of the "proxy" directives from the apache configuration we set it up to cascade the requests off the squid server. This was done for the convenience of those users who still had the old proxy configuration in their browsers.

At this time in history there were never any access controls on the proxy function of the apache server. As a result, until very recently we had an apache server which could be used as an anonymous proxy by anybody in the world. In practice it did very little proxying at all.

Now quite recently we have been seeing logs like this:

62.226.60.13 - - [21/Mar/2001:06:22:20 +0200] "GET http://banner.eroxchange.de/life/xcshow?sunkel.8 3 HTTP/1.0" 302 0
62.226.60.13 - - [21/Mar/2001:06:22:21 +0200] "GET http://www.cyberparadies.de/banner/bannerkl2.gif HTTP/1.0" 200 1753
64.26.134.29 - - [21/Mar/2001:06:23:26 +0200] "GET http://www.eseasnavigator.com/cgi-bin/ads/ads.pl ?page=01 HTTP/1.0" 302 0
64.26.134.29 - - [21/Mar/2001:06:23:27 +0200] "GET http://www.eseasnavigator.com/cgi-bin/ads/ads.pl ?page=01;checkforcookie HTTP/1.0" 301 0
64.26.134.29 - - [21/Mar/2001:06:23:28 +0200] "GET http://ads.adflight.com/ad_3p.asp?pid=2985&sid=2 929&asid=20376&ord=44 HTTP/1.0" 302 203
64.26.134.29 - - [21/Mar/2001:06:23:30 +0200] "GET http://servedby.advertising.com/site=22437/size= 468060/bnum=62255627/bins=1/rich=0 HTTP/1.0" 302 110
64.26.134.29 - - [21/Mar/2001:06:23:31 +0200] "GET http://ad.doubleclick.net/ad/N2225.Advertising.c om/B36146;sz=468x60;ord=0985148412? HTTP/1.0" 302 0
64.26.134.29 - - [21/Mar/2001:06:23:34 +0200] "GET http://m.doubleclick.net/viewad/525454-aibo_prin ts_3x.gif HTTP/1.0" 200 15255
62.226.22.71 - - [21/Mar/2001:06:24:44 +0200] "GET http://www.adbull.de/cgi-bin/cash4adverts.pl?ban ner=sabi1999 HTTP/1.1" 302 249
62.226.22.71 - - [21/Mar/2001:06:24:48 +0200] "GET http://www.tipp24.de/jamany/partner_banner/tipp4 68x60sofa004a_neu.gif HTTP/1.1" 200 11670

So we have put access controls onto the apache "proxy" function to restrict usage to our own users.

However I wonder what the motivation is. Has somebody come up with a scam for using the open proxy to up the "hit count" on banner ads hosted on his pages? If so, who would be most interested in these log files?

Cheers
Ian

---------------------------------------------------------------------
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
---------------------------------------------------------------------
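
An added example, not part of the original post: a log check for the pattern described above, where a request line carries an absolute URL (a proxy request) and the client is outside the site's own networks. The `ALLOWED_NETS` range, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumption: "our own users" sit in this range; replace with the real networks.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines (documentation addresses, example domains).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Mar/2001:06:22:20 +0200] "GET http://ads.example.net/show?id=8 HTTP/1.0" 302 0
198.51.100.7 - - [21/Mar/2001:06:22:21 +0200] "GET http://img.example.org/banner.gif HTTP/1.0" 200 1753
10.1.2.3 - - [21/Mar/2001:06:23:00 +0200] "GET http://www.example.com/ HTTP/1.0" 200 5120
203.0.113.9 - - [21/Mar/2001:06:23:26 +0200] "GET /index.html HTTP/1.0" 200 2048
203.0.113.9 - - [21/Mar/2001:06:23:30 +0200] "GET http://ads.example.net/show?id=9 HTTP/1.0" 403 0
"""

def is_proxy_request(target):
    """A proxy request names an absolute URI; a normal request names a local path."""
    return re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I) is not None

def is_allowed(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a logged hostname is treated as external
    return any(addr in net for net in ALLOWED_NETS)

def external_proxy_use(log_text):
    """Return {client: [(status, target), ...]} for proxy requests from outside ALLOWED_NETS."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if m and is_proxy_request(m["target"]) and not is_allowed(m["host"]):
            hits[m["host"]].append((int(m["status"]), m["target"]))
    return dict(hits)

def served(hits):
    """External clients whose proxy requests were answered (status below 400)."""
    return sorted(c for c, reqs in hits.items() if any(s < 400 for s, _ in reqs))
```

Once access controls are in place, `served()` should come back empty for new log data, while `external_proxy_use()` still lists the clients that keep trying and are refused.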