Back To Microsoft Windows Forum

Weird apache log?

  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Joined: Feb 17, 2005
  • Posts: 1585
  • Status: Offline

Post March 8th, 2009, 12:49 am

I run an Apache test server on localhost and I was browsing the web and I went to some image site that had a virus that my scanner caught and blocked (I hope all the way). I didn't think much of it, but a few minutes later I went looking through my apache logs because my website threw an error and I found a ton of requests to my server like this, coming from my own machine:

access.log wrote:
127.0.0.1 - - [08/Mar/2009:03:01:45 -0400] "GET /imp?Z=160x600,120x600&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:46 -0400] "GET /imp?Z=728x90&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:46 -0400] "GET /imp?Z=300x250&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:46 -0400] "GET /imp?Z=160x600&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:47 -0400] "GET /c?e1=<some encoded information was here, but I removed it from this post> HTTP/1.1" 404 199
127.0.0.1 - - [08/Mar/2009:03:01:49 -0400] "GET /imp?Z=728x90,468x60&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:50 -0400] "GET /imp?Z=300x250&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:50 -0400] "GET /rd/Clk.jsp?s=m3&k=vacation+rental&lnk2=<some encoded information was here, but I removed it from this post> HTTP/1.1" 404 208
127.0.0.1 - - [08/Mar/2009:03:01:52 -0400] "GET /imp?Z=160x600,120x600&s=511547&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:52 -0400] "GET /imp?Z=160x600&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201
127.0.0.1 - - [08/Mar/2009:03:01:52 -0400] "GET /imp?Z=468x60&S=INSERT_SECTION_CODE_HERE&i=287962&t=2 HTTP/1.1" 404 201


Was/is it a virus on my machine? It seems like it was some sort of crafty script or something that made FireFox run queries on localhost.

The only thing I could find related to it was when I did a google search on "INSERT_SECTION_CODE_HERE" I found this: http://www.spywarelib.com/SpywareDetail ... bancos.abv

Note: I removed some of the characters from the URLs with encoded strings incase they had some sort of information about my machine.
There's no place like 127.0.0.1, badass part is now it's ::1
  • Anonymous
  • Bot
  • No Avatar
  • Joined: 25 Feb 2008
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post March 8th, 2009, 12:49 am

  • Don2007
  • Web Master
  • Web Master
  • No Avatar
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY
  • Status: Offline

Post March 8th, 2009, 5:30 am

Is apache running on Windows or Unix? Did you also change the IP address to the loop back in an attempt to hide your machine information? If not, trojan-spy may already be running on your network or machine.
How do you know when a politician is lying? His mouth is moving.
  • joebert
  • Sledgehammer
  • Genius
  • No Avatar
  • Joined: Feb 10, 2004
  • Posts: 13455
  • Loc: Florida
  • Status: Offline

Post March 8th, 2009, 10:28 am

Have you, or has your anti-virus/spyware software looped back ANY domains that could be related to advertisements to localhost to stop ads from being shown in the browser ?

I had something like this happen before and it turned out to be an entry I'd left in my hosts file to block advertisements.

With those bits of information like "160x600", which look like banner sizes, I'm guessing that's what's happened to you too.
Strong with this one, the sudo is.
  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Joined: Feb 17, 2005
  • Posts: 1585
  • Status: Offline

Post March 9th, 2009, 9:38 pm

Don2007 wrote:
Is apache running on Windows or Unix? Did you also change the IP address to the loop back in an attempt to hide your machine information? If not, trojan-spy may already be running on your network or machine.


XP, and no I didn't change the IPs.

joebert wrote:
Have you, or has your anti-virus/spyware software looped back ANY domains that could be related to advertisements to localhost to stop ads from being shown in the browser ?

I had something like this happen before and it turned out to be an entry I'd left in my hosts file to block advertisements.

With those bits of information like "160x600", which look like banner sizes, I'm guessing that's what's happened to you too.


You know what... I bet you're totally right. My anti-virus that I use is Avira Anti-Vir, but on my browser I also use AdBlock & NoScript & a few more add-ons. You think it was one of them? I doubt something got that deep into my machine and started doing that. I constantly check processes and connections and such.
There's no place like 127.0.0.1, badass part is now it's ::1

Page 1 of 1

Post Information

  • Total Posts in this topic: 4 posts
  • Users browsing this forum: No registered users and 148 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.