getting tons of hits from these URLS

Discussion in 'OT Technology' started by Leb_CRX, Apr 2, 2004.

  1. Leb_CRX

    Leb_CRX OT's resident terrorist

    Joined:
    Apr 22, 2001
    Messages:
    39,994
    Likes Received:
    0
    Location:
    Ottawa, Canada
    so I am checking my linux box stats (using AWSTATS) and I notice I am getting bombarded with hits from these two links...listed under top 10 URLS people access (on what's supposed to be my server)

    http://shttp.msg.yahoo.com/notify
    http://http.chat.yahoo.com/notify

    what does this mean exactly? yes I am paranoid :hs:

    running Mandrake 9, apache2
     
  2. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Does your box share the same Public IP as you on your desktop? I mean it may just be someone trying to chat to you but the ports are forwarded incorrectly
     
  3. Rob

    Rob OT Supporter

    Joined:
    Jul 6, 2002
    Messages:
    88,617
    Likes Received:
    39
    Location:
    Atlanta, GA
    Those are showing up as referers? Because you can't get hits "from" a website.

    Maybe when you send someone a link on YIM and they click it that is what Apache logs as the referer. :dunno:
     
  4. Leb_CRX

    good point, I just double checked my router settings and the only three ports open are 21, 22, 80. but see it's my apache log files (which to my understanding only log 80) is where I am showing all this, plus I don't have yahoo messenger installed on my machine, nor is DMZ or anything else enabled.


    66.36.240.82 - - [01/Apr/2004:07:21:49 -0500] "POST http://shttp.msg.yahoo.com/notify HTTP/1.0" 200 24 "-" "YahooBulkMessenger"
    66.36.240.82 - - [01/Apr/2004:07:21:51 -0500] "POST http://shttp.msg.yahoo.com/notify HTTP/1.0" 200 24 "-" "YahooBulkMessenger"
    66.36.240.82 - - [01/Apr/2004:07:21:52 -0500] "POST http://shttp.msg.yahoo.com/notify HTTP/1.0" 200 62 "-" "YahooBulkMessenger"
    66.36.240.82 - - [01/Apr/2004:07:21:53 -0500] "POST http://shttp.msg.yahoo.com/notify HTTP/1.0" 200 24 "-" "YahooBulkMessenger"

    one thing I did just notice is all my other requests are GET...what is post? :hs:
     
  5. Ximian

    Ximian New Member

    Joined:
    Mar 20, 2004
    Messages:
    1,860
    Likes Received:
    0
    Location:
    DCA
    Maybe someone is viewing your page from Yahoo Messenger? Unless it's a few thousand in a day, it shouldn't be too big of a problem.

    Can you share what they're trying to get?

    cat http-access.log | grep yahoo.com/notify

    Edit: Nevermind.

    Do you have the Apache proxy feature enabled or do you or somebody on your network run Yahoo Messenger?
     
  6. Leb_CRX

    check it out yourself, I am not sure what you mean by referers exactly
    http://www.adaccache.com/stats.html (takes a min or two to load)

    ya but then again the issue with port forward doesn't click in my head, if it's only supposed to log port 80, why would YIM be sending requests there? shouldn't it use a higher port #, and even then why to my box? :o

    Thanks for the replies guys! :)
     
  7. Leb_CRX

    I am not sure about the Apache proxy, but that's what I thought it was, I tried using my server at work as a proxy, and it failed, I will try again...could be that, makes the most sense...
     
  8. Leb_CRX

    oh shit I just tried using my server as a proxy on port 80 and it worked :eek3d:

    someone try it for me, www.adaccache.com
     
  9. Ximian

    It's a proxy. Find mod_proxy.c and comment out all the lines, set ProxyRequests Off, or both.

    #<IfModule mod_proxy.c>
    # ProxyRequests On
    # <Directory proxy:*>
    # Order deny,allow
    # Deny from all
    # Allow from .your-domain.com
    # </Directory>
    #</IfModule>
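
Added example, not part of the original thread: a Python check for the log pattern diagnosed above, where the request line carries a full URL for a foreign host (or a CONNECT) instead of a local path. `OWN_HOSTS` and the sample lines marked as constructed are assumptions; a 2xx status is treated as a hint that the request was relayed, not as proof.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately answers for.
OWN_HOSTS = {"www.adaccache.com", "adaccache.com"}

# Leading fields of Apache's common/combined log format.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

def proxy_attempt(line):
    """Return (client, foreign_host, relayed) for a forward-proxy style request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m["target"]
    if m["method"] == "CONNECT":      # authority-form target: host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:             # absolute-form target: full URL in the request line
        host = urlsplit(target).hostname or ""
    else:
        return None                   # origin-form (/path): ordinary request
    host = host.lower()
    if host in OWN_HOSTS:
        return None
    # 2xx for a foreign host suggests relaying; the server could also have
    # answered with local content, so confirm against the proxy configuration.
    return m["client"], host, m["status"].startswith("2")

def summarize(lines):
    """Count likely-relayed and refused attempts per (client, foreign host)."""
    relayed, refused = Counter(), Counter()
    for line in lines:
        hit = proxy_attempt(line)
        if hit:
            (relayed if hit[2] else refused)[hit[:2]] += 1
    return relayed, refused

SAMPLE = [  # first two lines are from the thread; the rest are constructed
    '66.36.240.82 - - [01/Apr/2004:07:21:49 -0500] "POST http://shttp.msg.yahoo.com/notify HTTP/1.0" 200 24 "-" "YahooBulkMessenger"',
    '66.36.240.82 - - [01/Apr/2004:07:21:51 -0500] "POST http://shttp.msg.yahoo.com/notify HTTP/1.0" 200 24 "-" "YahooBulkMessenger"',
    '192.0.2.10 - - [01/Apr/2004:07:22:10 -0500] "GET /stats.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Apr/2004:09:00:01 -0500] "GET http://www.adaccache.com/stats.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Apr/2004:09:05:00 -0500] "POST http://shttp.msg.yahoo.com/notify HTTP/1.0" 404 310 "-" "YahooBulkMessenger"',
    '198.51.100.7 - - [02/Apr/2004:09:05:02 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 405 300 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Entries in the first counter are the ones to investigate; entries in the second show the server refusing or failing such requests, which is what the log should look like once proxying is disabled.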
     
  10. Leb_CRX

    ok I tried it, anyone wanna try it for me please? try using www.adaccache.com as a proxy on port 80

    thanks :bigthumb:
     
  11. Ximian

    Nope, all requests give a 404 and are then forwarded to your site. But... Mandrake?

    Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6mdk) mod_perl/1.99_09 Perl/v5.8.1 mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2 Server at www.adaccache.com Port 80
     
  12. Leb_CRX

    I am not sure what you mean exactly, is Mandrake bad or something? or is there another vulnerability I am unaware of :hs:
     
  13. Leb_CRX

    Thanks for all your help guys! :bigthumb:
     