[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache log entry

brendan hack writes:
>Hi All,
>	I found a strange entry hidden among all the IIS exploit attempts in my 
>apache access log today:
> - - [07/Oct/2001:21:28:44 +1000] "GET 
> HTTP/1.0" 200 756
>	Does anyone know if this is some sort of attack attempt? It doesn't seem 
>to make any sense as a log entry as there is no leading '/' on the url 
>portion and there is no corresponding error log entry saying that the 
>file '' couldn't be found. I also find the 
>fact that the client IP and the url are the same suspicious. I tried 
>retrieving the same file myself using mozilla 
>(http://webserver/ and it created a similar 
>access entry but with a '/' at the start of the url and there was an 
>error log entry generated. There was a peak in traffic from the server 
>the day after this log entry which instigated the check. Any suggestions 
>will be appreciated.

Someone's trying to use you as a proxy.  That's what proxy HTTP
requests look like.

The "200" code suggests that they succeeded.  Add something like this
to your httpd.conf to block these.  (Delete the "allow" part if you
don't want proxying at all; if you do, change the IP addresses to
whatever is appropriate for your system.)

<Directory proxy:*>
	order deny,allow
	deny from all
	allow from



William R Ward            bill@wards.net          http://www.wards.net/~bill/
                    (formerly known as hermit@bayview.com)
                   Life is too important to take seriously.

Reply to: