I run a server on Rackspace for one of my mapping programs. Last week the site seemed to be running a bit slowly, so I logged in to the server to see what was wrong. I noticed that my disk was 100% full, and looking around I found that the space was being taken up by the web server logs.
I had a ticket open at Rackspace, so I sent them some of my server logs and asked what the problem might be. They recommended trying a Linux virus scan and a rootkit detector. Linux, I think, doesn’t have many viruses, and the rootkit detector is there to help find out if your server has been hacked, but neither of these tools found a problem. Hmm, what was the problem?
The problem, it seems, was that I had incorrectly configured a proxy server. My web site requires that I configure my application server, which runs on a different port from my web server (the technical part), to be proxied through the web server. I had tried to do this and got it to work, but added more to the configuration than I should have. It turns out that there is a reverse proxy and a forward proxy. What I wanted was a reverse proxy, but I turned on both, and configured the forward proxy to be open to anyone. Hence my server was available as a proxy to anyone on the internet. The spyware servers found my server and started using it to serve spyware.
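As an added example (not the author's actual configuration, which the post does not show), and assuming the web server is Apache httpd with mod_proxy: the two constructed fragments below contrast a setup that leaves the forward proxy open with the reverse-proxy-only fix, and a small audit function flags the open one. In Apache terms, `ProxyPass`/`ProxyPassReverse` is the reverse proxy that was wanted; `ProxyRequests On` is the forward proxy, and without a restrictive `<Proxy "*">` block it relays for the whole internet.

```python
import re

# Constructed httpd config fragments for illustration; not the author's real config.
OPEN_PROXY_CONFIG = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxy to the application server on another port (what was wanted)
ProxyPass        /app http://127.0.0.1:8080/app
ProxyPassReverse /app http://127.0.0.1:8080/app

# Forward proxy switched on as well, with no <Proxy> access control:
# anyone on the internet can now relay requests through this host.
ProxyRequests On
"""

FIXED_CONFIG = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Forward proxying explicitly disabled (this is also Apache's default)
ProxyRequests Off

ProxyPass        /app http://127.0.0.1:8080/app
ProxyPassReverse /app http://127.0.0.1:8080/app
"""

_DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")
_PROXY_BLOCK = re.compile(r'<Proxy\s+"?\*"?\s*>(.*?)</Proxy>', re.S | re.I)


def parse_directives(text):
    """Return (name, value) pairs for non-comment, non-section lines of an httpd config."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def audit_proxy_config(text):
    """Return a list of findings; an empty list means the proxy setup looks sane."""
    findings = []
    directives = parse_directives(text)
    values = {name.lower(): value for name, value in directives}

    # ProxyRequests defaults to Off; On turns the server into a forward proxy.
    forward_on = values.get("proxyrequests", "Off").strip().lower() == "on"
    if forward_on:
        block = _PROXY_BLOCK.search(text)
        restricted = bool(block) and re.search(r"\b(Require|Deny|Allow)\b", block.group(1), re.I)
        if not restricted:
            findings.append("ProxyRequests On without a restrictive <Proxy *> block: open forward proxy")
        else:
            findings.append("ProxyRequests On: forward proxy enabled, verify the <Proxy *> restriction")

    # A reverse proxy without ProxyPassReverse leaks the backend address in redirects.
    has_pass = any(n.lower() == "proxypass" for n, _ in directives)
    has_pass_reverse = any(n.lower() == "proxypassreverse" for n, _ in directives)
    if has_pass and not has_pass_reverse:
        findings.append("ProxyPass without ProxyPassReverse: backend redirects will expose the internal address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("open", OPEN_PROXY_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_proxy_config(cfg) or "no findings")
```

The audit is deliberately narrow: it only recognises the directives shown above, so a real review should still check every virtual host and any `<Proxy>` sections, and confirm after a restart that a request for an absolute URI (for example `curl -x http://yourhost:80 http://example.com/`) is refused.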
While I was trying to figure out the error, I deleted the web server logs and restarted the server, and within 5 minutes I had 300MB of server logs. I captured the last 1000 entries in the log here, which show 1000 hits in 3 seconds for ad sites. It's fixed now, and I won’t make that mistake again.
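An added example, not part of the original post: the author's captured log entries are not reproduced here, so the lines below are constructed in Apache combined log format. The telltale sign of forward-proxy abuse in an access log is a request line whose target is an absolute URI (`GET http://other-site/... HTTP/1.1`) or a `CONNECT` request, rather than a path on your own site. The script counts those, the hosts they were relayed to, the clients abusing the proxy, and the peak rate per second, which is how a "1000 hits in 3 seconds for ad sites" pattern would show up.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines (Apache combined format); not the author's real log.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2009:10:15:01 -0500] "GET /app/map.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2009:10:15:02 -0500] "GET http://ads.example.net/banner.js HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2009:10:15:02 -0500] "GET http://ads.example.net/track.gif?id=1 HTTP/1.1" 200 43 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2009:10:15:02 -0500] "GET http://clicks.example.org/r?u=42 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.99 - - [12/Mar/2009:10:15:03 -0500] "CONNECT mail.example.com:443 HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [12/Mar/2009:10:15:03 -0500] "GET /app/tiles/3/4.png HTTP/1.1" 200 14210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
_ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_forward_proxy_request(method, target):
    """A forward-proxy request carries an absolute URI as its target, or uses CONNECT."""
    return method == "CONNECT" or bool(_ABSOLUTE_URI.match(target))


def proxied_host(method, target):
    """The upstream host the request was relayed to."""
    if method == "CONNECT":
        return target.split(":", 1)[0]
    return urlsplit(target).hostname or ""


def analyze(log_text):
    """Summarise forward-proxy traffic found in the given access-log text."""
    hosts, clients, per_second = Counter(), Counter(), Counter()
    total = proxied = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        total += 1
        if not is_forward_proxy_request(rec["method"], rec["target"]):
            continue
        proxied += 1
        hosts[proxied_host(rec["method"], rec["target"])] += 1
        clients[rec["ip"]] += 1
        per_second[rec["ts"]] += 1  # combined-log timestamps have one-second resolution
    return {
        "total": total,
        "proxied": proxied,
        "hosts": dict(hosts),
        "clients": dict(clients),
        "peak_per_second": max(per_second.values(), default=0),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run it against a real access log with `analyze(open("/var/log/apache2/access.log").read())`; a non-zero `proxied` count on a server that is not meant to be a forward proxy is the signal, and the `clients` map gives the source addresses to block at the firewall while the configuration is fixed.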
So maybe some stupid ad on a web page you viewed in the last month was served from my server. Sorry.