cross site scripting attack?

sneakyimp · Jan 18, 2007

my brother's server has had some problems and his sysadmin buddy keeps insisting it's a 'cross site scripting attack' that somehow preys on fopen(). His apache error log is full of errors like this:

[Thu Jan 18 09:30:24 2007] [error] [client 221.6.253.34] File does not exist: E:/conduit/site/mb
 [Thu Jan 18 09:30:36 2007] [error] [client 68.192.221.84] File does not exist: E:/conduit/site/cgi-bin, referer: http://www.anonymitytest.com/cgi-bin/jenv.cgi
 [Thu Jan 18 09:30:41 2007] [error] [client 68.192.221.84] File does not exist: E:/conduit/site/cgi-bin, referer: http://www.anonymitytest.com/cgi-bin/jenv.cgi
 [Thu Jan 18 09:30:54 2007] [error] [client 211.55.160.235] File does not exist: E:/conduit/site/f1.member.ird.yahoo.com, referer: http://edit.korea.yahoo.com

We have no idea who www.anonymitytest.com is.

The apache access log is also full of domains that we do not recognize. How can it be that our apache log has domains that we haven't mapped to it?

209.190.9.18 - - [18/Jan/2007:08:44:23 -0800] "CONNECT 61.155.13.170:25 HTTP/1.0" 200 29273
 85.185.227.2 - - [18/Jan/2007:08:44:32 -0800] "GET http://www.sparklehits.com/directory/Personal+Finance/aff/1379 HTTP/1.0" 404 3487
209.11.243.66 - - [18/Jan/2007:08:43:25 -0800] "CONNECT 85.93.75.5:25 HTTP/1.0" 200 29273
 61.16.156.107 - - [18/Jan/2007:08:43:28 -0800] "GET http://www.jadesearch.net/index.php?uid=171&REQ=Massage+Chair HTTP/1.0" 404 3511

JPnyc · Jan 18, 2007

The place to ask a question like that is http://antionline.com/

That's the security expert site. If anyone can help, they can.

cross site scripting attack?

Ssneakyimp

JJPnyc