brendan hack writes:
Hi All,
I found a strange entry hidden among all the IIS exploit attempts in my
apache access log today:
61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] "GET
http://61.177.66.228:8283/ HTTP/1.0" 200 756
Does anyone know if this is some sort of attack attempt? It doesn't seem
to make any sense as a log entry as there is no leading '/' on the url
portion and there is no corresponding error log entry saying that the
file 'http://61.177.66.228:8283/' couldn't be found. I also find the
fact that the client IP and the url are the same suspicious. I tried
retrieving the same file myself using mozilla
(http://webserver/http://61.177.66.228:8283/) and it created a similar
access entry but with a '/' at the start of the url and there was an
error log entry generated. There was a peak in traffic from the server
the day after this log entry which instigated the check. Any suggestions
will be appreciated.
Someone's trying to use you as a proxy. That's what proxy HTTP
requests look like.
The "200" code suggests that they succeeded. Add something like this
to your httpd.conf to block these. (Delete the "allow" part if you
don't want proxying at all; if you do, change the IP addresses to
whatever is appropriate for your system.)
<Directory proxy:*>
order deny,allow
deny from all
allow from 192.168.0.0/255.255.0.0
</Directory>
HTH.
--Bill.