Hi,
I've run the pxytest script (http://www.unicom.com/sw/pxytest/) on my 3 IP addresses and this utility says "test complet no proxies found".
Furthermore, I checked my 3 IPs at http://robtex.com and none are listed in their blacklists.
I ran apachetop for 45 minutes and found that around 19% of all requests are status 200 OK. Here are some of the requests accepted by my server:
127.0.0.1 - - [26/Apr/2006:20:50:03 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
218.249.89.195 - - [26/Apr/2006:20:53:14 -0400] "GET http://www.msn.com.cn/ HTTP/1.0" 200 831 "-" "HttpClient"
219.134.225.72 - - [26/Apr/2006:20:53:39 -0400] "GET http://track.linktech.cn/?m=hexun&a=A100015035&l=00016 HTTP/1.0" 200 831 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
219.134.225.72 - - [26/Apr/2006:20:53:39 -0400] "GET http://www.tqsun.com/def_plesk_logo.gif HTTP/1.0" 200 927 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
219.134.225.72 - - [26/Apr/2006:20:54:45 -0400] "GET http://track.linktech.cn/?m=hexun&a=A100015035&l=00016 HTTP/1.0" 200 831 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
219.134.225.72 - - [26/Apr/2006:20:54:45 -0400] "GET http://www.tqsun.com/def_plesk_logo.gif HTTP/1.0" 200 927 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
219.134.225.72 - - [26/Apr/2006:20:55:00 -0400] "GET http://click.linktech.cn/?m=hexun&a=A100015035&l=00016&u_id= HTTP/1.0" 200 831 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
127.0.0.1 - - [26/Apr/2006:20:55:03 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
200.125.18.117 - - [26/Apr/2006:20:57:26 -0400] "GET http://www.yourfilehost.com/ HTTP/1.1" 200 831 "http://www.poligames.com" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)"
219.134.225.72 - - [26/Apr/2006:20:57:27 -0400] "GET http://track.linktech.cn/?m=hexun&a=A100015035&l=00016 HTTP/1.0" 200 831 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
219.134.225.72 - - [26/Apr/2006:20:57:30 -0400] "GET http://www.tqsun.com/def_plesk_logo.gif HTTP/1.0" 200 927 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
61.54.135.35 - - [26/Apr/2006:20:59:17 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 200 831 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
67.11.230.208 - - [26/Apr/2006:20:59:21 -0400] "GET http://www.yahoo.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
65.75.152.120 - - [26/Apr/2006:20:59:59 -0400] "GET http://search.yahoo.com/ HTTP/1.0" 200 831 "-" "Mozilla/4.0"
65.75.152.120 - - [26/Apr/2006:21:00:00 -0400] "GET http://search.yahoo.com/ HTTP/1.0" 200 831 "-" "Mozilla/4.0"
127.0.0.1 - - [26/Apr/2006:21:00:06 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
196.217.78.142 - - [26/Apr/2006:21:00:31 -0400] "GET http://www.yahoo.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
84.36.15.4 - - [26/Apr/2006:21:02:52 -0400] "GET http://www.google.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
211.156.181.61 - - [26/Apr/2006:21:02:56 -0400] "HEAD http://www.yahoo.com/ HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
84.36.15.4 - - [26/Apr/2006:21:03:04 -0400] "GET http://www.google.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
200.105.152.107 - - [26/Apr/2006:21:03:47 -0400] "HEAD http://members.ztod.com/ HTTP/1.0" 200 - "-" "Mozilla/5.0 ( Windows; U; Windows NT4.0; FireFox )"
As you can see, it looks like my server accepted a GET request for yahoo.com and some others.
If this is a proxy request, how come pxytest says there's no proxies found on my servers?
Two lines are bugging me even more than the yahoo one. These are the ones starting with my loopback address 127.0.0.1. In this line, you can see a Wget to something 1.9/cvs-stable (Red Hat modified).
Could I have been hacked and rootkitted? I will run RKHunter and let you know in the next post.
If you have any thoughts please share.
Thanks
André
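The log excerpt above shows absolute-URI requests (GET http://host/...) answered with 200, which is the shape an open-proxy probe takes. As an added example (not part of the post or of pxytest/apachetop), the script below parses Apache combined-format lines, separates proxy-style requests from ordinary origin requests, and compares each proxy-style hit's byte count with the size of the locally fetched /index.html; a matching size suggests the server answered with its own default page rather than fetching the remote one, which is one reading of why a proxy tester reports nothing. The sample lines are constructed with documentation addresses and mirror the post's log shape.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not the post's real traffic); same shape as the excerpt above.
SAMPLE_LOG = """\
127.0.0.1 - - [26/Apr/2006:20:50:03 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
203.0.113.5 - - [26/Apr/2006:20:53:14 -0400] "GET http://www.example.com/ HTTP/1.0" 200 831 "-" "HttpClient"
203.0.113.5 - - [26/Apr/2006:20:53:39 -0400] "GET http://www.example.com/logo.gif HTTP/1.0" 200 927 "http://www.example.com/x.htm" "Mozilla/4.0"
198.51.100.9 - - [26/Apr/2006:21:02:56 -0400] "HEAD http://www.example.net/ HTTP/1.0" 200 - "-" "Mozilla/4.0"
192.0.2.77 - - [26/Apr/2006:21:03:00 -0400] "GET /about.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # An absolute-URI target (scheme://host/...) is the proxy-style form; origin requests start with "/"
    rec["proxy_style"] = bool(re.match(r'^[a-zA-Z][a-zA-Z0-9+.-]*://', rec["target"]))
    rec["bytes"] = None if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def analyse(log_text):
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    proxy_hits = [r for r in recs if r["proxy_style"]]
    # Byte size of /index.html as fetched from loopback: the "default page" fingerprint
    local_sizes = {r["bytes"] for r in recs if r["target"] == "/index.html" and r["host"] == "127.0.0.1"}
    served_default = sum(1 for r in proxy_hits if r["bytes"] in local_sizes)
    return {
        "total": len(recs),
        "proxy_style": len(proxy_hits),
        "proxy_2xx": sum(1 for r in proxy_hits if r["status"].startswith("2")),
        "proxy_served_default_page": served_default,
        "top_proxy_clients": Counter(r["host"] for r in proxy_hits).most_common(3),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; a high proxy_style count with sizes that do not match the local page would be the case worth investigating further.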