Weird apache log?

  • PolishHurricane
  • Mastermind
  • Posts: 1585

Post 3+ Months Ago

I run an Apache test server on localhost and I was browsing the web and I went to some image site that had a virus that my scanner caught and blocked (I hope all the way). I didn't think much of it, but a few minutes later I went looking through my Apache logs because my website threw an error and I found a ton of requests to my server like this, coming from my own machine:

access.log wrote:
127.0.0.1 - - [08/Mar/2009:03:01:45 -0400] "GET /imp?Z=160x600,120x600&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:46 -0400] "GET /imp?Z=728x90&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:46 -0400] "GET /imp?Z=300x250&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:46 -0400] "GET /imp?Z=160x600&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:47 -0400] "GET /c?e1=<some encoded information was here, but I removed it from this post> HTTP/1.1" 404 199
127.0.0.1 - - [08/Mar/2009:03:01:49 -0400] "GET /imp?Z=728x90,468x60&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:50 -0400] "GET /imp?Z=300x250&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:50 -0400] "GET /rd/Clk.jsp?s=m3&k=vacation+rental&lnk2=<some encoded information was here, but I removed it from this post> HTTP/1.1" 404 208
127.0.0.1 - - [08/Mar/2009:03:01:52 -0400] "GET /imp?Z=160x600,120x600&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:52 -0400] "GET /imp?Z=160x600&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:52 -0400] "GET /imp?Z=468x60&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201


Was/is it a virus on my machine? It seems like it was some sort of crafty script or something that made Firefox run queries on localhost.

The only thing I could find related to it was when I did a Google search on "INSERT_SECTION_CODE_HERE" I found this: http://www.spywarelib.com/SpywareDetail ... bancos.abv

Note: I removed some of the characters from the URLs with encoded strings in case they had some sort of information about my machine.
  • Don2007
  • Web Master
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Is Apache running on Windows or Unix? Did you also change the IP address to the loopback in an attempt to hide your machine information? If not, trojan-spy may already be running on your network or machine.
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13503
  • Loc: Florida

Post 3+ Months Ago

Have you, or has your anti-virus/spyware software looped back ANY domains that could be related to advertisements to localhost to stop ads from being shown in the browser?

I had something like this happen before and it turned out to be an entry I'd left in my hosts file to block advertisements.

With those bits of information like "160x600", which look like banner sizes, I'm guessing that's what's happened to you too.
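
The hosts-file explanation in the reply above can be checked with a short script; this is an added example, not part of any post in the thread. The hosts entries (`ads.example`, `banners.example`) and the third log line are constructed, the first two log lines are copied from the access.log quoted in the first post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed hosts-file content; the .example names are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.example  banners.example   # ad block added by hand
192.0.2.10  intranet.example
::1         localhost
"""

# First two lines are from the access.log in the thread; the third is constructed.
SAMPLE_LOG = """\
127.0.0.1 - - [08/Mar/2009:03:01:45 -0400] "GET /imp?Z=160x600,120x600&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:50 -0400] "GET /imp?Z=300x250&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:02:10 -0400] "GET /index.php HTTP/1.1" 200 5120
"""

LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|::1)$")
# Common Log Format: client, ident, user, [time], "METHOD URL PROTO", status, bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
BANNER = re.compile(r"\b\d{2,4}x\d{2,4}\b")  # e.g. 160x600, 728x90


def sinkholed_names(hosts_text):
    """Return names other than localhost that the hosts file maps to loopback."""
    names = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and LOOPBACK.match(fields[0]):
            names += [n.lower() for n in fields[1:] if n.lower() != "localhost"]
    return names


def local_ad_misses(log_text):
    """Count 404s from loopback clients whose URL carries banner dimensions."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, _method, url, status = m.groups()
        if LOOPBACK.match(client) and status == "404" and BANNER.search(url):
            hits[url.split("?", 1)[0]] += 1  # group by path, ignore query string
    return hits


if __name__ == "__main__":
    print("hosts names pointed at loopback:", sinkholed_names(SAMPLE_HOSTS))
    print("ad-shaped 404s from loopback:", dict(local_ad_misses(SAMPLE_LOG)))
```

The log format shown in the thread does not record which hostname the browser asked for, so the two results can only be correlated by hand. Adding `%{Host}i` to the Apache `LogFormat` makes each request line show the domain that resolved to 127.0.0.1.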
  • PolishHurricane
  • Mastermind
  • Posts: 1585

Post 3+ Months Ago

Don2007 wrote:
Is Apache running on Windows or Unix? Did you also change the IP address to the loopback in an attempt to hide your machine information? If not, trojan-spy may already be running on your network or machine.


XP, and no I didn't change the IPs.

joebert wrote:
Have you, or has your anti-virus/spyware software looped back ANY domains that could be related to advertisements to localhost to stop ads from being shown in the browser?

I had something like this happen before and it turned out to be an entry I'd left in my hosts file to block advertisements.

With those bits of information like "160x600", which look like banner sizes, I'm guessing that's what's happened to you too.


You know what... I bet you're totally right. My anti-virus that I use is Avira Anti-Vir, but on my browser I also use AdBlock & NoScript & a few more add-ons. You think it was one of them? I doubt something got that deep into my machine and started doing that. I constantly check processes and connections and such.

Post Information

  • Total Posts in this topic: 4 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.