Re: apache log entry
At 10:08 2001-10-09 +1000, brendan hack wrote:
I found a strange entry hidden among all the IIS exploit attempts
in my apache access log today:
220.127.116.11 - - [07/Oct/2001:21:28:44 +1000] "GET
http://18.104.22.168:8283/ HTTP/1.0" 200 756
Does anyone know if this is some sort of attack attempt? It
doesn't seem to make any sense as a log entry as there is no leading '/'
on the url portion and there is no corresponding error log entry saying
that the file 'http://22.214.171.124:8283/' couldn't be found. I also find
the fact that the client IP and the url are the same suspicious. I tried
retrieving the same file myself using mozilla
(http://webserver/http://126.96.36.199:8283/) and it created a similar
access entry but with a '/' at the start of the url and there was an
error log entry generated. There was a peak in traffic from the server
the day after this log entry which instigated the check. Any suggestions
will be appreciated.
This may be an attack, or a scan for open HTTP proxies.
The log line it self is a request for your server to act as a proxy,
connecting to the URL shown in the logs.
Apache will ignore the 'protocol://host:port' portion of the URL if it is
not set up to do proxing.
just being paranoid
Paranoid is good.