comp.info.servers.unix: Web servers for UNIX platforms.
#1
24.80.99.100 - - [23/Apr/2006:15:18:21 +0530] "GET http://proxyking.servehttp.com:8080/...e?service=Echo HTTP/1.0" 200 7454
GET /.eBay/ws/ HTTP/1.1
218.166.50.157 - - [25/Apr/2006:00:26:14 +0530] "GET /.ebay/ HTTP/1.0" 200 7411
218.166.49.99 - - [25/Apr/2006:00:26:15 +0530] "GET /.ebay/ HTTP/1.0" 200 7411
63.212.171.193 - - [25/Apr/2006:09:26:40 +0530] "GET /.eBay/ws/ HTTP/1.1" 200 7429
62.58.50.81 - - [25/Apr/2006:12:42:30 +0530] "CONNECT 205.231.29.241:25 HTTP/1.0" 200 2765
62.58.50.81 - - [25/Apr/2006:12:42:33 +0530] "POST http://205.231.29.241:25/ HTTP/1.0" 200 2864
yakuza.exigo.ch - - [25/Apr/2006:16:38:17 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
yakuza.exigo.ch - - [25/Apr/2006:16:38:29 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
yakuza.exigo.ch - - [25/Apr/2006:16:39:32 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
yakuza.exigo.ch - - [25/Apr/2006:16:49:29 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
yakuza.exigo.ch - - [25/Apr/2006:16:49:36 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
lj601394.inktomisearch.com - - [25/Apr/2006:18:27:09 +0530] "GET /robots.txt HTTP/1.0" 200 7435
lj601303.inktomisearch.com - - [25/Apr/2006:18:27:12 +0530] "GET /.eBay/ws/ HTTP/1.0" 200 7429
najya.cit-network.net - - [27/Apr/2006:00:41:48 +0530] "GET http://nntime.com/235490.htm HTTP/1.1" 200 7435
#2
These look very much like your system has been broken into.

Be prepared to unplug the machine, and re-install the system from scratch. In future, keep up with security updates and advisories, not just for the OS and web server, but also for whatever server-side web software you have (PHP, phpBB, Apache, ...). Details below.

rajeshkodali@gmail.com said:
> 24.80.99.100 - - [23/Apr/2006:15:18:21 +0530] "GET http://proxyking.servehttp.com:8080/...e?service=Echo HTTP/1.0"

Someone (at address 24.80.99.100) has used your system as a proxy to fetch something from proxyking.servehttp.com. Problems with this:
- it uses your bandwidth, both downstream and upstream
- if the request was malicious in some way (doesn't look like it, but anyway), all the traces at proxyking will point to _your_ server
- so, should anyone want to raise any legal action, you would be the primary target

> 218.166.50.157 - - [25/Apr/2006:00:26:14 +0530] "GET /.ebay/ HTTP/1.0" 200 7411
> 218.166.49.99 - - [25/Apr/2006:00:26:15 +0530] "GET /.ebay/ HTTP/1.0" 200 7411
> 63.212.171.193 - - [25/Apr/2006:09:26:40 +0530] "GET /.eBay/ws/ HTTP/1.1" 200 7429

Someone has placed a folder .eBay onto the web root on your machine; I suspect you didn't do this yourself. My best guess is that you're hosting an eBay phishing (password/user-account stealing) website for someone. Again, any legal consequences are pointing to you.

> 62.58.50.81 - - [25/Apr/2006:12:42:30 +0530] "CONNECT 205.231.29.241:25 HTTP/1.0" 200 2765
> 62.58.50.81 - - [25/Apr/2006:12:42:33 +0530] "POST http://205.231.29.241:25/ HTTP/1.0" 200 2864

At least for the former (perhaps also for the latter), someone is at least trying to use your server to send spam mail. The originator (as far as you can see, but it could be just another cracked box) is at address 62.58.50.81, and they're attempting to use 205.231.29.241 as mail relay, and your machine is relaying the connection (and again, it's the IP address of your server that shows in the logs at 205.231.29.241, should they want to contact someone over this abuse attempt).

> yakuza.exigo.ch - - [25/Apr/2006:16:38:17 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
> yakuza.exigo.ch - - [25/Apr/2006:16:38:29 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
> yakuza.exigo.ch - - [25/Apr/2006:16:39:32 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
> yakuza.exigo.ch - - [25/Apr/2006:16:49:29 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
> yakuza.exigo.ch - - [25/Apr/2006:16:49:36 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453

Someone from yakuza.exigo.ch is using your machine as a proxy to access astalavista. Looks like astalavista is refusing the requests.

> lj601394.inktomisearch.com - - [25/Apr/2006:18:27:09 +0530] "GET /robots.txt HTTP/1.0" 200 7435

The Inktomi search system is requesting search engine rules (which pages are prohibited from search engine indexing) from your machine. This is normal, and courteous action. And it even looks like you have such a rule set (though, if you didn't place it there yourself, then it most possibly contains a list of folders that those abusing your machine do want to keep out of search engine indexes).

> lj601303.inktomisearch.com - - [25/Apr/2006:18:27:12 +0530] "GET /.eBay/ws/ HTTP/1.0" 200 7429

And again the Inktomi system, this time mapping your eBay phishing site (if it is what I suspect).

> najya.cit-network.net - - [27/Apr/2006:00:41:48 +0530] "GET http://nntime.com/235490.htm HTTP/1.1" 200 7435

Another proxy request; seemingly innocuous.

So, looks very much like someone is rather badly abusing your machine. Depending on where you are located, you might wish to contact your local law enforcement (or a lawyer), in order to protect yourself from accusations by others (eBayers who have been lured to reveal their accounts on your site; sites which have become spam hosts by spreading mail "originated" at your machine; ...). Who knows what all is "hosted" on your server.

--
Wolf a.k.a. Juha Laiho, Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
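The reply above reads the log by eye. To make the same triage repeatable over a whole access log, here is an added Python example (not code from the thread, and not anyone's posted code) that parses Apache Common Log Format lines and flags the three patterns the reply points at: CONNECT tunnels (a 2xx means the server relayed a raw TCP session, port 25 being SMTP), request lines carrying an absolute URI (forward-proxy use; an origin server only sees these when it is being used as a proxy), and requests into dot-directories under the document root such as /.ebay/. The sample log is constructed for this example: it mirrors the shape of the lines quoted in the post but uses RFC 5737 documentation addresses and example.* hostnames instead of the real ones. The `Finding` dataclass and the `classify`, `analyze` and `summarize` functions are this example's own names.

```python
"""Flag open-proxy and dropped-kit traces in Apache access logs.

Added example: not code from the thread.  SAMPLE_LOG is constructed for
this example (RFC 5737 documentation addresses, example.* hostnames); only
the shape of each line mirrors what was quoted in the post.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Apache Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log (documentation addresses, example.* names).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Apr/2006:15:18:21 +0530] "GET http://proxy-target.example:8080/echo?service=Echo HTTP/1.0" 200 7454
198.51.100.7 - - [25/Apr/2006:00:26:14 +0530] "GET /.ebay/ HTTP/1.0" 200 7411
198.51.100.8 - - [25/Apr/2006:09:26:40 +0530] "GET /.eBay/ws/ HTTP/1.1" 200 7429
203.0.113.5 - - [25/Apr/2006:12:42:30 +0530] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 2765
203.0.113.5 - - [25/Apr/2006:12:42:33 +0530] "POST http://192.0.2.25:25/ HTTP/1.0" 200 2864
client.example.net - - [25/Apr/2006:16:38:17 +0530] "GET http://forum.example.org/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
crawler.example.com - - [25/Apr/2006:18:27:09 +0530] "GET /robots.txt HTTP/1.0" 200 7435
crawler.example.com - - [25/Apr/2006:18:27:12 +0530] "GET /index.html HTTP/1.0" 200 7435
"""


@dataclass
class Finding:
    client: str
    kind: str      # 'tunnel', 'proxy', 'hidden-dir' or 'normal'
    target: str
    status: int
    served: bool   # 2xx: the server actually completed the request
    note: str


def classify(line: str) -> Optional[Finding]:
    """Classify one access-log line; None if it is not in Common Log Format."""
    m = CLF.match(line.strip())
    if not m:
        return None
    client, method, target = m['host'], m['method'], m['target']
    status = int(m['status'])
    served = 200 <= status < 300

    if method == 'CONNECT':
        # CONNECT host:port asks the server to open a raw TCP tunnel to that
        # port and relay bytes both ways; a 2xx means it did.  Port 25 is
        # SMTP, i.e. the server relayed someone's mail session.
        port = target.rsplit(':', 1)[-1]
        note = ('SMTP relay through HTTP tunnel' if port == '25'
                else f'TCP tunnel to port {port}')
        return Finding(client, 'tunnel', target, status, served, note)

    if target.startswith(('http://', 'https://')):
        # An absolute URI in the request line is a forward-proxy request:
        # an origin server only sees these when a client uses it as a proxy.
        host = urlsplit(target).netloc
        return Finding(client, 'proxy', target, status, served,
                       f'forward-proxy request for {host}')

    path = target.split('?', 1)[0]
    dm = re.match(r'^/(\.[^/]+)/', path)
    if dm and dm.group(1) != '.well-known':
        # Dot-directories under the document root are a favourite drop
        # location for phishing kits: they do not show up in a plain 'ls'.
        # /.well-known/ is the one dot-directory with a legitimate use (RFC 8615).
        return Finding(client, 'hidden-dir', target, status, served,
                       f'request into hidden directory {dm.group(1)}')

    return Finding(client, 'normal', target, status, served, '')


def analyze(log_text: str) -> List[Finding]:
    """Return every non-normal finding in log order; unparsable lines are skipped."""
    findings = (classify(line) for line in log_text.splitlines() if line.strip())
    return [f for f in findings if f is not None and f.kind != 'normal']


def summarize(findings: List[Finding]) -> Tuple[Counter, Counter]:
    """Count abuse the server actually served (2xx), per kind and per client."""
    served = [f for f in findings if f.served]
    return Counter(f.kind for f in served), Counter(f.client for f in served)


if __name__ == '__main__':
    found = analyze(SAMPLE_LOG)
    for f in found:
        state = 'served' if f.served else 'refused'
        print(f'{f.client:22} {f.kind:10} {f.status} {state:8} {f.note}')
    by_kind, by_client = summarize(found)
    print('served abuse by kind:  ', dict(by_kind))
    print('served abuse by client:', dict(by_client))
```

Run it against a real log with `analyze(open('/var/log/apache2/access.log').read())`; the `served` flag matters more than the count, because a 403 on a proxied request may have come from either the proxy or the origin, whereas a 2xx on a CONNECT or an absolute-URI request is the server itself confirming that it relayed the traffic. In Apache that behaviour comes from mod_proxy with `ProxyRequests On` and no restricting `<Proxy>` block; an open forward proxy explains the relayed GET and CONNECT lines on its own, but it does not explain files appearing under the document root, which is why the reply's advice to rebuild still stands even if the proxy setting turns out to be the only misconfiguration.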