[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache log entry

At 10:08 2001-10-09 +1000, brendan hack wrote:

Hi All,
I found a strange entry hidden among all the IIS exploit attempts in my apache access log today:
61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] "GET http://61.177.66.228:8283/ HTTP/1.0" 200 756
Does anyone know if this is some sort of attack attempt? It doesn't seem to make any sense as a log entry as there is no leading '/' on the url portion and there is no corresponding error log entry saying that the file 'http://61.177.66.228:8283/' couldn't be found. I also find the fact that the client IP and the url are the same suspicious. I tried retrieving the same file myself using mozilla (http://webserver/http://61.177.66.228:8283/) and it created a similar access entry but with a '/' at the start of the url and there was an error log entry generated. There was a peak in traffic from the server the day after this log entry which instigated the check. Any suggestions will be appreciated. 

This may be an attack, or a scan for open HTTP proxies.
The log line it self is a request for your server to act as a proxy, connecting to the URL shown in the logs. Apache will ignore the 'protocol://host:port' portion of the URL if it is not set up to do proxing. 


just being paranoid


Paranoid is good.
Reply to: