help with httpd logs

Juan Ramirez jramig at gmail.com
Wed Aug 3 16:27:56 CLT 2005


Hello list members, for some time now I have been noticing rather
strange traffic (far too much traffic) on port 80 of the company
server, and when I check the corresponding logs I see the following
entries:

18.39.131.85 - - [01/Aug/2005:04:02:11 -0400] "GET http://data.solon.co.kr/PView.aspx?site=help.solon.co.kr&site_id=SL HTTP/1.0" 200 2 "http://help.solon.co.kr/FaqRead.aspx" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
61.184.4.243 - - [01/Aug/2005:04:02:11 -0400] "GET http://www.jackpotpalace.com/images/banners/250x250_1J550.gif HTTP/1.0" 200 19154 "http://www.clipacoupon.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
221.232.84.20 - - [01/Aug/2005:04:02:09 -0400] "GET http://www.blazerunner.com HTTP/1.0" 200 22536 "http://www.blazerunner.com/ppc/search.php" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
207.234.147.36 - - [01/Aug/2005:04:02:05 -0400] "POST http://szprotawa-um.pl:25/ HTTP/1.0" 200 577 "-" "-"
61.54.141.180 - - [01/Aug/2005:04:02:12 -0400] "GET http://login.tracking101.com/42/3121/6342 HTTP/1.0" 301 0 "http://www.junaroo.com/" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 95)"
218.22.75.162 - - [01/Aug/2005:04:02:13 -0400] "HEAD http://www.yahoo.com/ HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
83.194.243.217 - - [01/Aug/2005:04:02:11 -0400] "GET http://e4.edit.cnb.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=fear13_&passwd=TERROR HTTP/1.0" 999 4413 "-" "-"
211.98.106.223 - - [01/Aug/2005:04:02:13 -0400] "GET http://members.deluxepass.com/ HTTP/1.0" 401 476 "http://members.deluxepass.com/" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
207.234.129.183 - - [01/Aug/2005:04:02:06 -0400] "POST http://mail.hrhost.net:25/ HTTP/1.0" 200 299 "-" "-"
68.40.80.90 - - [01/Aug/2005:04:02:13 -0400] "GET http://sbc.login.yahoo.com/config?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=colby_22&passwd=dog HTTP/1.0" 999 4416 "-" "-"
213.54.209.240 - - [01/Aug/2005:04:02:14 -0400] "HEAD http://www.onlyblowjob.com/members/members.php HTTP/1.0" 401 0 "http://www.onlyblowjob.com/members/members.php" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; NetCaptor )"
201.252.193.100 - - [01/Aug/2005:04:02:14 -0400] "HEAD http://www.collegeinvasion.com/members/ HTTP/1.0" 401 0 "http://www.collegeinvasion.com/members/" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
61.54.141.180 - - [01/Aug/2005:04:02:14 -0400] "GET http://images.directtrack.com/cash4creatives/6342.gif HTTP/1.0" 200 11519 "http://www.junaroo.com/" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 95)"
85.193.198.64 - - [01/Aug/2005:04:02:14 -0400] "HEAD http://members.scatmembers.com/ HTTP/1.0" 401 0 "http://www.meninpain.com/members/login.php?ref=%2Fmembers%2F" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
61.54.141.180 - - [01/Aug/2005:04:02:14 -0400] "GET http://leadgenetwork.com/42/545/18495 HTTP/1.0" 301 0 "http://www.junaroo.com/" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)"
200.56.141.162 - - [01/Aug/2005:04:02:14 -0400] "GET http://members.onlyteenblowjobs.com/ HTTP/1.0" 200 239 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
81.156.135.206 - - [01/Aug/2005:04:02:14 -0400] "GET http://p9.pf.scd.yahoo.com/oocandelaoo HTTP/1.0" 404 979 "-" "-"

and the log goes on like this at considerable length.

Could someone point me in the right direction to find out what is
going on? My instinct tells me that it looks as though the server is
being used to access other web pages, or that it has plainly and simply
been hacked, because in fact when we try to send mail through this
server some sites reject the mail for being "blacklisted".

Server details:

Mandrake 9.2 with web, SMTP, POP3 and database (Firebird) services


Regards and thanks,

Juan Ramirez G.
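What the posted log shows is the signature of an open forward proxy. A browser talking to this web server sends a request line of the form "GET /index.html HTTP/1.0"; every line above instead carries an absolute URL for some other host, and two of them are POSTs to port 25 of a foreign mail server, which is mail being relayed through the proxy and fits the blacklisting the poster mentions. The script below is an added illustration, not part of the original message or of any project: it parses Apache combined-format access-log lines, separates local requests from proxy requests, and flags those aimed at port 25, then totals offending clients. The sample log lines embedded in it are constructed for the example (RFC 5737 addresses and example.* hostnames), not copied from the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format:
#   client ident user [time] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
# Only the fields up to the byte count are needed for this check.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines for the example (not from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2005:04:02:05 -0400] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Aug/2005:04:02:09 -0400] "GET http://www.example.net/ HTTP/1.0" 200 22536 "http://www.example.net/search.php" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
198.51.100.7 - - [01/Aug/2005:04:02:11 -0400] "HEAD http://members.example.org/ HTTP/1.0" 401 0 "-" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
203.0.113.44 - - [01/Aug/2005:04:02:05 -0400] "POST http://mail.example.com:25/ HTTP/1.0" 200 577 "-" "-"
203.0.113.44 - - [01/Aug/2005:04:02:06 -0400] "CONNECT smtp.example.com:25 HTTP/1.0" 200 0 "-" "-"
""".splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Label a parsed entry.

    origin-form target ("/path")        -> "local"   (a normal request to this server)
    absolute-form target ("http://h/..") -> "proxy"   (client is using us as a forward proxy)
    absolute-form with port 25           -> "proxy:smtp" (HTTP proxied onto a mail port)
    CONNECT host:port                    -> "proxy-connect[:smtp]" (tunnel request)
    """
    method, target = entry["method"], entry["target"]
    if method == "CONNECT":
        _host, _sep, port = target.rpartition(":")
        return "proxy-connect" + (":smtp" if port == "25" else "")
    if target.startswith("/"):
        return "local"
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "proxy:smtp" if parts.port == 25 else "proxy"
    return "malformed"


def audit(lines):
    """Count request kinds and tally the clients that used the server as a proxy."""
    kinds = Counter()
    proxy_clients = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            kinds["unparsed"] += 1
            continue
        label = classify(entry)
        kinds[label] += 1
        if label != "local":
            proxy_clients[entry["client"]] += 1
    return kinds, proxy_clients


if __name__ == "__main__":
    kinds, clients = audit(SAMPLE_LOG)
    for label, n in kinds.most_common():
        print(f"{label:20s} {n}")
    print("clients abusing the proxy:", clients.most_common())
```

Run it against the real file with `audit(open("/var/log/httpd/access_log"))`; a non-zero "proxy" or "proxy:smtp" count from outside addresses is the confirmation. On Apache 1.3 and 2.0 the usual cause is mod_proxy loaded with `ProxyRequests On` and no `<Proxy *>` access restriction; `ProxyRequests Off` (or not loading mod_proxy at all) stops the forwarding. Whether the box has also been compromised is a separate question that the access log alone cannot answer, and the SMTP service should be checked for open relaying on its own before asking for removal from the blacklist.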


