[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache log entry

Thanks to Bill and James for your responses. It was a proxy attempt. I set up my mozilla to use the apache server as a proxy and got the same log entries. Luckily though, apache simply returned web pages from the local web site instead of proxying them since the ProxyRequests directive was not on. I've now removed the proxy modules as well, just to be sure (I said I was paranoid). 

thanks,

brendan


William R. Ward wrote:


brendan hack writes:


Hi All,
I found a strange entry hidden among all the IIS exploit attempts in my apache access log today:
61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] "GET http://61.177.66.228:8283/ HTTP/1.0" 200 756
Does anyone know if this is some sort of attack attempt? It doesn't seem to make any sense as a log entry as there is no leading '/' on the url portion and there is no corresponding error log entry saying that the file 'http://61.177.66.228:8283/' couldn't be found. I also find the fact that the client IP and the url are the same suspicious. I tried retrieving the same file myself using mozilla (http://webserver/http://61.177.66.228:8283/) and it created a similar access entry but with a '/' at the start of the url and there was an error log entry generated. There was a peak in traffic from the server the day after this log entry which instigated the check. Any suggestions will be appreciated. 



Someone's trying to use you as a proxy.  That's what proxy HTTP
requests look like.

The "200" code suggests that they succeeded.  Add something like this
to your httpd.conf to block these.  (Delete the "allow" part if you
don't want proxying at all; if you do, change the IP addresses to
whatever is appropriate for your system.)

<Directory proxy:*>
	order deny,allow
	deny from all
	allow from 192.168.0.0/255.255.0.0
</Directory>

HTH.

--Bill.






--
http://www.bendys.com
bendy@bendys.com

Real coders celebrate Christmas at Halloween.
Reply to: