Hello list members, for some time now I have been noticing quite strange traffic (too much traffic) on port 80 on the company's server, and when I checked the corresponding logs I found the following entries:

18.39.131.85 - - [01/Aug/2005:04:02:11 -0400] "GET http://data.solon.co.kr/PView.aspx?site=help.solon.co.kr&site_id=SL HTTP/1.0" 200 2 "http://help.solon.co.kr/FaqRead.aspx" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
61.184.4.243 - - [01/Aug/2005:04:02:11 -0400] "GET http://www.jackpotpalace.com/images/banners/250x250_1J550.gif HTTP/1.0" 200 19154 "http://www.clipacoupon.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
221.232.84.20 - - [01/Aug/2005:04:02:09 -0400] "GET http://www.blazerunner.com HTTP/1.0" 200 22536 "http://www.blazerunner.com/ppc/search.php" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
207.234.147.36 - - [01/Aug/2005:04:02:05 -0400] "POST http://szprotawa-um.pl:25/ HTTP/1.0" 200 577 "-" "-"
61.54.141.180 - - [01/Aug/2005:04:02:12 -0400] "GET http://login.tracking101.com/42/3121/6342 HTTP/1.0" 301 0 "http://www.junaroo.com/" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 95)"
218.22.75.162 - - [01/Aug/2005:04:02:13 -0400] "HEAD http://www.yahoo.com/ HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
83.194.243.217 - - [01/Aug/2005:04:02:11 -0400] "GET http://e4.edit.cnb.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=fear13_&passwd=TERROR HTTP/1.0" 999 4413 "-" "-"
211.98.106.223 - - [01/Aug/2005:04:02:13 -0400] "GET http://members.deluxepass.com/ HTTP/1.0" 401 476 "http://members.deluxepass.com/" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
207.234.129.183 - - [01/Aug/2005:04:02:06 -0400] "POST http://mail.hrhost.net:25/ HTTP/1.0" 200 299 "-" "-"
68.40.80.90 - - [01/Aug/2005:04:02:13 -0400] "GET http://sbc.login.yahoo.com/config?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=colby_22&passwd=dog HTTP/1.0" 999 4416 "-" "-"
213.54.209.240 - - [01/Aug/2005:04:02:14 -0400] "HEAD http://www.onlyblowjob.com/members/members.php HTTP/1.0" 401 0 "http://www.onlyblowjob.com/members/members.php" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; NetCaptor )"
201.252.193.100 - - [01/Aug/2005:04:02:14 -0400] "HEAD http://www.collegeinvasion.com/members/ HTTP/1.0" 401 0 "http://www.collegeinvasion.com/members/" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
61.54.141.180 - - [01/Aug/2005:04:02:14 -0400] "GET http://images.directtrack.com/cash4creatives/6342.gif HTTP/1.0" 200 11519 "http://www.junaroo.com/" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 95)"
85.193.198.64 - - [01/Aug/2005:04:02:14 -0400] "HEAD http://members.scatmembers.com/ HTTP/1.0" 401 0 "http://www.meninpain.com/members/login.php?ref=%2Fmembers%2F" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
61.54.141.180 - - [01/Aug/2005:04:02:14 -0400] "GET http://leadgenetwork.com/42/545/18495 HTTP/1.0" 301 0 "http://www.junaroo.com/" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)"
200.56.141.162 - - [01/Aug/2005:04:02:14 -0400] "GET http://members.onlyteenblowjobs.com/ HTTP/1.0" 200 239 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
81.156.135.206 - - [01/Aug/2005:04:02:14 -0400] "GET http://p9.pf.scd.yahoo.com/oocandelaoo HTTP/1.0" 404 979 "-" "-"

and a quite extensive log continues in this way. Could someone point me in the right direction so I can find out what is happening? My instinct tells me that it looks like it is being used to access other web pages, or it has plainly and simply been hacked, because in fact when I try to send mail with this server, some sites reject the mail for being "blacklisted".

Server details: Mandrake 9.2 with web, SMTP, POP3 and database (Firebird) services.

Regards and thanks,
Juan Ramirez G.

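One way to triage a log like the one in the message above, added here as an example and not part of the original post: the script picks out requests whose target names a foreign host (an absolute URI or `CONNECT`), counts them per client, and separates those aimed at port 25. The sample lines, the `OWN_HOSTS` set and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Prefix of an Apache-style access log line: client ident user [time] "METHOD target ..." status
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def proxy_request(line, own_hosts):
    """Return (client, method, host, port, status) when the request names a host
    that is not ours (absolute URI or CONNECT); return None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    try:
        if method == "CONNECT":                  # CONNECT host:port
            url, default_port = urlsplit("//" + target), None
        elif "://" in target:                    # GET http://host/path
            url = urlsplit(target)
            default_port = {"http": 80, "https": 443}.get(url.scheme)
        else:
            return None                          # origin-form ("/index.html"): normal
        host, port = url.hostname, url.port or default_port
    except ValueError:                           # malformed port or host
        return None
    if not host or host in own_hosts:
        return None
    return (m["client"], method, host, port, int(m["status"]))

def summarize(lines, own_hosts):
    hits = [h for h in (proxy_request(l, own_hosts) for l in lines) if h]
    return {
        "per_client": Counter(h[0] for h in hits),    # who is sending proxy requests
        "to_smtp": [h for h in hits if h[3] == 25],   # aimed at a mail port
        # 2xx/3xx: either relayed or answered with the local default site; check by hand
        "not_refused": [h for h in hits if h[4] < 400],
    }

# Constructed sample lines (documentation addresses and example domains, not from the post)
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2005:04:02:11 -0400] "GET http://www.example.org/banner.gif HTTP/1.0" 200 19154 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [01/Aug/2005:04:02:12 -0400] "POST http://mail.example.net:25/ HTTP/1.0" 200 577 "-" "-"',
    '192.0.2.10 - - [01/Aug/2005:04:02:13 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 403 0 "-" "-"',
    '198.51.100.7 - - [01/Aug/2005:04:02:14 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Aug/2005:04:02:15 -0400] "GET http://www.example.com/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
OWN_HOSTS = {"www.example.com"}   # assumption: the names this server legitimately serves

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, OWN_HOSTS).items():
        print(key, value)
```

If the web server is Apache with mod_proxy loaded (an assumption; the message does not name the web server), `ProxyRequests On` without access restrictions is the setting that makes it answer such requests as a forward proxy.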
