
Django Development server, found something in console like virus?

I was running the Django development server, and found the same access message showing up again and again:

[03/Dec/2009 21:02:30] "GET http://222.186.27.9/R.asp?P=58.50.245.72:8000 HTTP/1.1" 500 717
Traceback (most recent call last):
  File "d:\www\lib\django\django\core\servers\basehttp.py", line 279, in run
    self.result = application(self.environ, self.start_response)
  File "d:\www\lib\django\django\core\servers\basehttp.py", line 651, in __call__
    return self.application(environ, start_response)
  File "d:\www\lib\django\django\core\handlers\wsgi.py", line 241, in __call__
    response = self.get_response(request)
  File "d:\www\lib\django\django\core\handlers\base.py", line 115, in get_response
    return debug.technical_404_response(request, e)
  File "d:\www\lib\django\django\views\debug.py", line 247, in technical_404_response
    tried = exception.args[0]['tried']
KeyError: 'tried'
[03/Dec/2009 22:18:31] "GET http : / / pay .qq.com/ HTTP/1.1" 500 717

I wonder if it's a virus. Does anyone know what accessed the URL, and how can I find it? Thanks!


Looks suspicious indeed. pay.qq.com seems to be the URL for some kind of virtual goods store in China (Wikipedia).

I recommend setting up Wireshark on your server to capture traffic. It should help you identify the source of it. Hopefully, it is not one of the machines on your network that is responsible for this.

Also, your Django development server should not be exposed to the public internet. From the Django source code (basehttp.py):

#This is a simple server for use in testing or debugging Django apps. It hasn't
#been reviewed for security issues. Don't use it for production use.


Did you run the dev server with the default arguments? If so it should only be bound to localhost (127.0.0.1) which shouldn't be accessible from anywhere except your machine. If so then you have trouble on your machine.

If you have bound the dev server to an external internet facing address, then don't! It isn't a fully featured web server and is probably full of security problems.

Either way, the requests look like they are proxy requests and 8000 is a common port to run a proxy on, so some process on your machine, or some external LAN or internet based service has discovered it and is trying to abuse it.


Most likely someone is just trying to use your server as a proxy.
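The answers above identify these as proxy-style requests: the request target is a full URL rather than a path. As an added example (not code from the original posts or from Django), the following Python sketch scans console output in the format shown in the question and counts such requests per requested host; it also treats CONNECT as proxy-style, which goes beyond the lines in the question. The sample lines are constructed and use documentation addresses, and since this log format carries no client address, finding the sender still needs a packet capture as suggested above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Access-log line in the format shown in the question: [ts] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>.+?) '
    r'(?P<version>HTTP/\d\.\d)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def classify(line):
    """Return (kind, host) for one log line, or None if it is not an access line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # traceback lines and other console output
    # Remove stray whitespace so a target pasted as "http : / / host/" still parses.
    target = re.sub(r"\s+", "", m.group("target"))
    if m.group("method") == "CONNECT":
        # authority-form target (host:port): a tunnel request meant for a proxy
        return ("proxy", target.rsplit(":", 1)[0].lower())
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.hostname:
        # absolute-form target: the client is treating this server as a proxy
        return ("proxy", parts.hostname.lower())
    return ("origin", None)  # ordinary origin-form request such as /polls/

def proxy_targets(lines):
    """Count proxy-style requests per requested host."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result and result[0] == "proxy":
            hits[result[1]] += 1
    return hits

# Constructed sample console output (documentation addresses, not real hosts).
SAMPLE = """\
[03/Dec/2009 21:00:01] "GET /polls/ HTTP/1.1" 200 1532
[03/Dec/2009 21:02:30] "GET http://192.0.2.10/R.asp?P=198.51.100.7:8000 HTTP/1.1" 500 717
Traceback (most recent call last):
KeyError: 'tried'
[03/Dec/2009 21:05:12] "GET http://192.0.2.10/R.asp?P=198.51.100.7:8000 HTTP/1.1" 500 717
[03/Dec/2009 22:18:31] "GET http : / / shop.example/ HTTP/1.1" 500 717
[03/Dec/2009 22:20:00] "CONNECT mail.example:443 HTTP/1.1" 500 717
""".splitlines()

if __name__ == "__main__":
    for host, count in proxy_targets(SAMPLE).most_common():
        print(f"{count:3d} proxy-style request(s) for {host}")
```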
