[Snort-users] Wierd Web/Proxy Server Attack

Chris Green cmg at ...671...
Sun Mar 18 14:44:13 EST 2001


"Paul Asadoorian" <paul.com at ...530...> writes:
> Web Server Logs:
> 
> access_log.txt:202.102.12.110 - - [08/Jan/2001:08:00:01 -0500] "GET
> http://ad.contentzone.com/srv/view?site_id=35340 HTTP/1.1" 404 283
> access_log.txt:202.102.12.110 - - [08/Jan/2001:19:25:47 -0500] "GET
> http://ad.contentzone.com/srv/view?site_id=35340 HTTP/1.1" 404 283
> error_log.txt:[Mon Jan  8 08:00:01 2001] [error] [client 202.102.12.110]
> File does not exist: /DocumentRoot/srv/view
> error_log.txt:[Mon Jan  8 19:25:47 2001] [error] [client 202.102.12.110]
> File does not exist: /DocumentRoot/srv/view
> 
> 
> Does anyone know what type of attack/exploit this guy was looking for?   I
> know 8080 and 3128 are common proxy ports, and port 80 is pretty obvious,
> but what if the srv/view directory supposed to contain?

This guy was looking for open http proxies and trying to get his
banner ad proxied off your server. They do it to try and get more
distinct ips for their banner ad and hence more $$$ in their pocket.
Has any one ever tried reporting these to the banner ad networks?
They all probably have some clause about fraud in their contracts. 
-- 
Chris Green <cmg at ...671...>
"I'm beginning to think that my router may be confused."




More information about the Snort-users mailing list