RE: Weird message in my apache error log
We have a match. See:
66.232.140.73 - - [31/Jan/2006:07:29:58 +0100] "GET http://xxxx/prxjdg.cgi?ja
HTTP/1.0" 404 331 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
Where the HTTP address maps to an apparently compromised server where these people
have installed some kind of proxy (proxy judge?)
> I've seen this type of thing with PHP; I was going to say something but I
> figured I would wait since you didn't mention it. Can you correlate the
> time/date/ip with the request from access.log? It might give you more
> information. I can say that we get attacked regularly on Sarge and we're a
> relatively high volume site with the similar specs, and I've not seen
> anything like this as a standard hack - my experience is that this is most
> often caused by not filtering/validating forms, global PHP variables, or PHP
> scripting errors. I am very curious to know what's going on.
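The correlation suggested in the quoted message (matching time, date and IP between the error log and access.log), as an added example that is not part of the original thread. It assumes the combined access log format and the older `[date] [level] [client ip]` error log format; the sample lines, addresses and host names are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache combined access log: ip ident user [time] "request" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
# Older Apache error log (assumed format): [Tue Jan 31 07:29:58 2006] [error] [client ip] msg
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')

def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Drop the UTC offset: the error log records local wall-clock time only.
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    parts = m["req"].split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    # An absolute URI (or CONNECT) sent to an origin server is a proxy-style request.
    proxy = method == "CONNECT" or re.match(r"(?i)^[a-z][a-z0-9+.-]*://", target) is not None
    return {"ip": m["ip"], "time": when, "request": m["req"],
            "status": int(m["status"]), "proxy_style": proxy}

def parse_error(line):
    m = ERROR_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return {"ip": m["ip"], "time": when, "msg": m["msg"]}

def correlate(access_lines, error_lines, window_s=2):
    """Pair each error entry with access entries from the same client within window_s."""
    access = [a for a in map(parse_access, access_lines) if a]
    window = timedelta(seconds=window_s)
    pairs = []
    for err in filter(None, map(parse_error, error_lines)):
        hits = [a for a in access
                if a["ip"] == err["ip"] and abs(a["time"] - err["time"]) <= window]
        pairs.append((err, hits))
    return pairs

# Constructed sample lines (documentation addresses, not taken from the thread).
ACCESS = [
    '203.0.113.7 - - [31/Jan/2006:07:29:58 +0100] "GET http://proxy-check.example/judge.cgi HTTP/1.0" 404 331 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [31/Jan/2006:07:29:59 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
]
ERRORS = ['[Tue Jan 31 07:29:58 2006] [error] [client 203.0.113.7] File does not exist: /var/www/judge.cgi']
```

Each pair returned by `correlate(ACCESS, ERRORS)` holds one error entry and the access entries that explain it; `proxy_style` marks requests whose target is a full URL rather than a local path.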