Spam in Apache access logs

Régis B. asked:

I just booted a new, mint Debian Squeeze x64 server from my cloud hosting provider. I received my root password by email, logged in and ran the following commands:

apt-get update
apt-get upgrade
apt-get install apache2

After waiting a couple of minutes, this is what I see in my Apache logs:

$ tail -f /var/log/apache2/access.log
- - [14/Apr/2013:17:24:57 +0000] "GET HTTP/1.0" 404 520 "" "Mozilla/4.61 (Macintosh; I; PPC)"
- - [14/Apr/2013:17:24:57 +0000] "GET;size=2 HTTP/1.0" 404 560 "://" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Alexa Toolbar)"
- - [14/Apr/2013:17:24:57 +0000] "GET HTTP/1.0" 404 520 "" "Mozilla/4.61 [en] (WinNT; I)"
- - [14/Apr/2013:17:24:57 +0000] "GET HTTP/1.0" 404 523 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.814.0 Safari/535.1"
- - [14/Apr/2013:17:24:57 +0000] "GET HTTP/1.0" 404 520 "" "Opera/9.80 (S60; SymbOS; Opera Tablet/9174; U; en) Presto/2.7.81 Version/10.5"
- - [14/Apr/2013:17:24:57 +0000] "GET;size=4 HTTP/1.0" 404 560 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.8"
- - [14/Apr/2013:17:24:58 +0000] "GET${PUB_URL} HTTP/1.0" 404 526 "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; MAXTHON 2.0)"
- - [14/Apr/2013:17:24:58 +0000] "GET HTTP/1.0" 404 520 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.9.168 Version/11.51"
- - [14/Apr/2013:17:24:58 +0000] "GET${PUB_URL} HTTP/1.0" 404 520 "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01"
- - [14/Apr/2013:17:24:58 +0000] "GET${CACHEBUSTER}&pubclick=${CLICK_URL} HTTP/1.0" 404 519 "" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"

As you can imagine, this is scrolling at rather high speed.

So, what’s the verdict? Is there a security flaw inside the Debian distribution installed by my hosting provider?

(As long as I am not sure it is indeed a security issue that stems from the hosting provider distribution, I'd rather not give out its name.)

My answer:

Someone has been using your VPS’s IP address as a proxy to abuse the various ad networks shown here. If you just got the thing, it was probably whoever last had the IP address running an open proxy.

If I ran into this situation, I would shut down the web server, and then contact the provider to let them know of the issue and ask for a different IP address.

View the full question and answer on Server Fault.
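The answer rests on two things a reader can check in the log itself: the request lines carry absolute URIs (proxy-style requests aimed at ad servers, some still containing unexpanded ad-tag macros such as ${PUB_URL} and ${CACHEBUSTER}), and every one of them gets a 404 because the fresh Apache is not acting as a forward proxy. The script below is an added example, not code from the question or the answer, that runs those checks over access.log lines. The sample lines are constructed (documentation-range IP addresses and example.com hosts stand in for the real values the post does not show), and the "possible_open_proxy" heuristic is an assumption for illustration: an absolute-URI request answered with 2xx would be the thing to worry about.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache "combined" log format, which is what Debian's default access.log uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A request target of the form scheme://host/... is a forward-proxy request,
# not a request for a resource on this server.
ABSOLUTE_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

# Unexpanded ad-serving macros (${PUB_URL}, ${CACHEBUSTER}, ...). A real ad
# impression would have these filled in; seeing them verbatim means a template
# URL is being replayed.
MACRO_RE = re.compile(r'\$\{[A-Z_]+\}')


@dataclass
class Finding:
    ip: str
    target: str
    status: int
    reasons: tuple


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line looks like proxy/ad-fraud traffic, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    reasons = []
    if ABSOLUTE_URI_RE.match(target):
        reasons.append('absolute-uri')
    if MACRO_RE.search(target):
        reasons.append('unexpanded-macro')
    if not reasons:
        return None
    return Finding(m.group('ip'), target, int(m.group('status')), tuple(reasons))


def analyze(lines: Iterable[str]) -> dict:
    """Summarise flagged requests and check whether any proxy request succeeded."""
    lines = list(lines)
    findings: List[Finding] = [f for f in map(classify, lines) if f is not None]
    by_reason = Counter(r for f in findings for r in f.reasons)
    by_ip = Counter(f.ip for f in findings)
    # Heuristic (assumption): Apache only forwards absolute-URI requests when it
    # is configured as a forward proxy; 404s mean it is serving the path locally.
    open_proxy = any('absolute-uri' in f.reasons and 200 <= f.status < 300
                     for f in findings)
    return {
        'total': len(lines),
        'flagged': len(findings),
        'by_reason': by_reason,
        'by_ip': by_ip,
        'possible_open_proxy': open_proxy,
    }


# Constructed sample lines modelled on the question's log (hosts and IPs invented).
SAMPLE_LINES = [
    '198.51.100.7 - - [14/Apr/2013:17:24:57 +0000] "GET http://ads.example.net/click?size=2 HTTP/1.0" 404 560 "http://www.example.org/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '198.51.100.7 - - [14/Apr/2013:17:24:58 +0000] "GET http://ads.example.net/imp?pub=${PUB_URL} HTTP/1.0" 404 526 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"',
    '203.0.113.9 - - [14/Apr/2013:17:24:58 +0000] "GET http://ads.example.com/i?cb=${CACHEBUSTER}&pubclick=${CLICK_URL} HTTP/1.0" 404 519 "-" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"',
    '192.0.2.44 - - [14/Apr/2013:17:25:01 +0000] "GET /index.html HTTP/1.1" 200 3421 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"',
]

# Constructed line showing what a genuinely open forward proxy would log.
OPEN_PROXY_LINE = (
    '198.51.100.7 - - [14/Apr/2013:17:30:00 +0000] '
    '"GET http://ads.example.net/click?size=4 HTTP/1.0" 200 1024 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"'
)

if __name__ == '__main__':
    report = analyze(SAMPLE_LINES)
    print(f"{report['flagged']} of {report['total']} requests flagged")
    print('reasons:', dict(report['by_reason']))
    print('top clients:', report['by_ip'].most_common(3))
    print('possible open proxy:', report['possible_open_proxy'])
```

Pointing this at the real file (for example, `analyze(open('/var/log/apache2/access.log'))`) gives the client addresses doing the replaying, which is useful to hand to the provider along with the request for a new IP. The 404 pattern in the question is consistent with the answer: stock Apache on Debian has no ProxyRequests On, so an absolute-URI request is treated as a request for the local path and fails. A 2xx on such a line would mean the server really is forwarding, which is a different and more urgent problem.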

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.