Is my server hijacked?

I thought that my server had been compromised.

When working in China recently, I had run a proxy server on my server so that I could access Gmail, Twitter and Facebook. Once I returned, I removed the program, but my site was extremely slow to load and, looking at the Apache access_log, it appeared as though somehow the proxy was still operating. access_log was full of lines such as

- - [19/Apr/2012:03:36:03 -0600] "GET!lzXvOUmfHwXQIX.entxiWYw5ObQ- HTTP/1.1" 301 346 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"

and

- - [19/Apr/2012:03:36:50 -0600] "CONNECT HTTP/1.1" 301 315 "-" "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0"

Luckily I found this useful script by David Ross on linuxquestions.org which deciphers the access_log and error_log files. (It does not decipher all the response codes; you will have to look at Wikipedia or for full details of the codes.)

#!/usr/bin/perl
# apache.cgi - show the last few lines of the Apache access_log or error_log as an HTML table
use strict;
use warnings;

# Start Config

my $access_log = "/var/log/httpd/access_log";
my $error_log = "/var/log/httpd/error_log";
my $default_log = "error"; # access or error
my $default_lines = 15;

# End Config

# Friendly names for the response codes we decipher (all others are shown as the bare number)
my %resp = (200 => "OK!", 301 => "Moved permanently", 302 => "Found (redirect)",
            400 => "Bad request", 401 => "Authorisation required", 403 => "Forbidden",
            404 => "Page not found", 500 => "Server error");

# Get values from the query string (not many so we'll not use post)
my %in;
foreach my $pair (split(/&/, $ENV{'QUERY_STRING'} || "")){
  $pair =~ tr/+/ /;
  my ($name, $value) = split(/=/, $pair, 2);
  $value = "" unless defined $value;
  $name =~ s/%(..)/pack("C", hex($1))/eg;
  $value =~ s/%(..)/pack("C", hex($1))/eg;
  $in{$name} = $value;
}
# If specific options were not given (or are not one of the two logs) then use the defaults
if(!$in{'log'} || ($in{'log'} ne "access" && $in{'log'} ne "error")){$in{'log'} = $default_log}
# Only a positive whole number of lines is accepted
if(!$in{'lines'} || $in{'lines'} !~ /^\d+$/ || $in{'lines'} == 0){$in{'lines'} = $default_lines}

# The request line, referer and user agent in the logs are written by the remote client,
# so escape them or this viewer becomes a cross-site scripting sink for whoever hits the server
sub esc{
  my $s = shift;
  $s = "" unless defined $s;
  $s =~ s/&/&amp;/g;
  $s =~ s/</&lt;/g;
  $s =~ s/>/&gt;/g;
  $s =~ s/"/&quot;/g;
  return $s;
}

# Return the last $in{'lines'} lines of a log file
sub taillog{
  my $file = shift;
  open(my $fh, "<", $file) or die "Cannot open $file: $!";
  my @line = <$fh>;
  close($fh);
  my $num = @line;
  my $start = $num > $in{'lines'} ? $num - $in{'lines'} : 0;
  return @line[$start .. $num - 1];
}

sub showlog{
  print "<H1>Viewing $in{'log'} log</H1><TABLE border=1 width=90%>";
  my $tm = "";
  if($in{'log'} eq "access"){
    foreach my $l (taillog($access_log)){
      # Combined log format: client ident user [time] "request" status bytes "referer" "agent"
      next unless $l =~ /^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"/;
      my ($client, $user, $time, $request, $code, $ref, $browser) = ($1, $2, $3, $4, $5, $6, $7);
      ($browser) = split(/ \(/, $browser); # keep only the part before the first "("
      $user = "" if $user eq "-";
      my $meaning = $resp{$code} || "";
      # Draw a rule whenever the timestamp changes
      if($tm ne $time){print "<TR><TD colspan=4><HR></TD></TR>"}
      $tm = $time;
      print "<TR><TD width=35%><B>At:</B> ", esc($time),
            "<BR><B>User:</B> ", esc("$client $user"),
            "<BR><B>Browser:</B> ", esc($browser), "</TD>";
      print "<TD width=65%><B>From page:</B> ", esc($ref),
            "<BR><B>Request:</B> ", esc($request),
            "<BR><B>Response:</B> $meaning ($code)</TD></TR>";
    }
  }
  elsif($in{'log'} eq "error"){
    foreach my $l (taillog($error_log)){
      # Apache 2.2 error log: [time] [level] [client address] message  (the client part is optional)
      next unless $l =~ /^\[([^\]]+)\] \[(\w+)\] (?:\[client ([^\]]+)\] )?(.*)$/;
      my ($time, $typ, $cli, $info) = ($1, $2, $3, $4);
      $cli = "" unless defined $cli;
      if($tm ne $time){print "<TR><TD colspan=4><HR></TD></TR>"}
      $tm = $time;
      print "<TR><TD width=100>", esc($time), "</TD><TD>", esc($typ),
            "</TD><TD width=50>", esc($cli), "</TD><TD>", esc($info), "</TD></TR>";
    }
  }
  print "</TABLE>";
}

# Print the top of the page
print <<"EOF";
Content-type: text/html

<HTML><HEAD><TITLE>Viewing $in{'log'} log</TITLE></HEAD><BODY>
<H1>Log viewing options</H1>
<FORM method="get">
<TABLE>
<TR><TH>Log Type:</TH><TD>Error<INPUT type="radio" value="error" name="log">
  Access<INPUT type="radio" value="access" name="log"></TD></TR>
<TR><TH>Lines to show:</TH><TD><INPUT type="text" size="5" name="lines" value="$in{'lines'}"></TD></TR>
<TR><TH>&nbsp;</TH><TD><INPUT type="submit" value="Show Log"></TD></TR>
</TABLE>
</FORM>
EOF

showlog();
print "</BODY></HTML>\n";

Simply save the code above as apache.cgi in the /var/www/html/cgi-bin/ folder and give it executable rights (chmod +x apache.cgi). Two things to check before relying on it: the user Apache runs as must be able to read the log files, or the script will fail to open them; and because the script shows your logs (including visitors' addresses and requests) to anyone who can reach it, put it behind authentication or restrict it to your own address rather than leaving it open to the world.

This revealed that my server was responding with code 301 to requests for and, i.e. telling the client that the requested URI had permanently moved and redirecting it to my home page. The server had not actually been compromised: these are requests from clients that still had my host recorded as an open proxy, and because Apache's default virtual host answers for any hostname, each one was being redirected to my home page and handed to PHP. This is by design, but obviously was not very healthy as I was getting a lot of these spurious requests and it placed undue load on my server.
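To pick these requests out of access_log without reading it by eye, here is a small detector, added as an example; it is not part of the original post or of David Ross's script. It parses combined-format lines and flags the two signatures of a client that thinks it is talking to a proxy: a CONNECT request, or a request target that is an absolute URL rather than a path. It then counts the hits per client and per response code, so before the fix you see the 301s and after it the 403s. The log lines embedded in it are constructed to resemble the ones above; the addresses, hostnames and URLs are made up.

```python
import re
from collections import Counter

# Apache "combined" log format:
#   client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# An absolute-form request target starts with a URL scheme; a normal browser
# request for this site uses origin-form ("/path").
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

# Constructed sample log, modelled on the entries in the post. The client
# addresses, hostnames and URLs are made up; nothing here is from a real server.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Apr/2012:03:36:03 -0600] "GET http://www.example.net/ HTTP/1.1" 301 346 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.10 - - [19/Apr/2012:03:36:50 -0600] "CONNECT mail.example.org:443 HTTP/1.1" 301 315 "-" "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0"
198.51.100.7 - - [19/Apr/2012:03:37:12 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [19/Apr/2012:03:38:00 -0600] "GET http://www.example.net/ HTTP/1.1" 403 210 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
this line is deliberately malformed and must not crash the parser
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    # The request line is "METHOD target HTTP/x.y"; tolerate truncated ones.
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["target"] = parts[1] if len(parts) > 1 else ""
    return entry


def is_proxy_request(entry):
    """True when the client was treating this server as a forward proxy."""
    if entry["method"].upper() == "CONNECT":
        return True  # tunnel request, only ever sent to a proxy
    return ABSOLUTE_URI.match(entry["target"]) is not None


def summarize(log_text):
    """Count proxy-style requests per client and per response code."""
    by_client = Counter()
    by_status = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        if is_proxy_request(entry):
            by_client[entry["client"]] += 1
            by_status[entry["status"]] += 1
    return {"by_client": by_client, "by_status": by_status, "unparsed": unparsed}


if __name__ == "__main__":
    import sys
    # Read a real log from the path given on the command line, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    print("proxy-style requests by client:")
    for client, n in report["by_client"].most_common():
        print(f"  {client:<16} {n}")
    print("by response code:", dict(report["by_status"]))
    print("unparsed lines:", report["unparsed"])
```

Run it as python proxyabuse.py /var/log/httpd/access_log to see who is hammering the server and what they are getting back. The absolute-URI check only works because the common and combined formats log the whole request line; a mismatched Host header on an ordinary "GET /" is not visible in those formats unless you add %{Host}i to your LogFormat.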

I therefore followed the instructions on Proxy Abuse to reconfigure the Apache server to deny requests for random hostnames rather than serving local content. The idea is to make a catch-all virtual host that denies everything the default (the first name-based virtual host is the one Apache uses when no ServerName matches), and then to define my real site as a second virtual host that only matches its own hostname:

NameVirtualHost *:80

# Disable default host
#<VirtualHost *:80>

# Define new default host, which is denied to all
<VirtualHost *:80>
    ServerName default.only
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>

# Explicitly define previous default
<VirtualHost *:80>
    # Replace with the hostname you actually serve; without a ServerName this
    # host would never be selected ahead of the catch-all above
    ServerName www.example.com
    DocumentRoot /var/www/htdocs
</VirtualHost>

My server now responds with a code 403 and does not pass the request through to PHP for processing, substantially reducing the load on my server. (Order and Deny are Apache 2.2 directives; on Apache 2.4 the equivalent inside the Location block is Require all denied.) You can confirm the change with a request for a hostname you do not serve, for example curl -I -H "Host: not.my.site" http://yourserver/, which should now return 403 rather than 301, while a request for your own hostname should still get its normal response.