
Re: apache log entry



Brendan,
Not sure if you are who I think you are. By chance did you live in 
Virginia and work for Gannon LLc for a short while? If so, email me 
back.
Later,
Curtis

On 9 Oct 2001, at 11:56, brendan hack wrote:

> Thanks to Bill and James for your responses. It was a proxy attempt. I 
> set up my mozilla to use the apache server as a proxy and got the same 
> log entries. Luckily though, apache simply returned web pages from the 
> local web site instead of proxying them since the ProxyRequests 
> directive was not on. I've now removed the proxy modules as well, just 
> to be sure (I said I was paranoid).
> 
> thanks,
> 
> brendan
> 
> 
> William R. Ward wrote:
> 
> > brendan hack writes:
> > 
> >>Hi All,
> >>
> >>	I found a strange entry hidden among all the IIS exploit attempts in my 
> >>apache access log today:
> >>
> >>61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] "GET 
> >>http://61.177.66.228:8283/ HTTP/1.0" 200 756
> >>
> >>	Does anyone know if this is some sort of attack attempt? It doesn't seem 
> >>to make any sense as a log entry as there is no leading '/' on the url 
> >>portion and there is no corresponding error log entry saying that the 
> >>file 'http://61.177.66.228:8283/' couldn't be found. I also find the 
> >>fact that the client IP and the url are the same suspicious. I tried 
> >>retrieving the same file myself using mozilla 
> >>(http://webserver/http://61.177.66.228:8283/) and it created a similar 
> >>access entry but with a '/' at the start of the url and there was an 
> >>error log entry generated. There was a peak in traffic from the server 
> >>the day after this log entry which instigated the check. Any suggestions 
> >>will be appreciated.
> >>
> > 
> > Someone's trying to use you as a proxy.  That's what proxy HTTP
> > requests look like.
> > 
> > The "200" code suggests that they succeeded.  Add something like this
> > to your httpd.conf to block these.  (Delete the "allow" part if you
> > don't want proxying at all; if you do, change the IP addresses to
> > whatever is appropriate for your system.)
> > 
> > <Directory proxy:*>
> > 	order deny,allow
> > 	deny from all
> > 	allow from 192.168.0.0/255.255.0.0
> > </Directory>
> > 
> > HTH.
> > 
> > --Bill.
> > 
> > 
> > 
> 
> 
> -- 
> http://www.bendys.com
> bendy@bendys.com
> 
> Real coders celebrate Christmas at Halloween.
> 
> 
> 


Curtis Brownley
Palais Royal / Yves Delorme
1725 Broadway St.
Charlottesville VA 22902
Phone: 1-800-322-3911 ext:308
Fax: 1-804-977-8962
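
Added example, not part of the original thread: a small scanner for the proxy-style requests discussed above. It flags access-log entries whose request target is an absolute URL (or a CONNECT), and notes whether the server answered and whether the target host equals the client address, as in the quoted entry. The names `classify`, `findings` and `SAMPLE` are hypothetical, and every sample line except the first is constructed.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)
ABSOLUTE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

SAMPLE = [
    # The entry quoted in the thread, re-joined onto one line.
    '61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] "GET http://61.177.66.228:8283/ HTTP/1.0" 200 756',
    # Constructed: an ordinary request for a local page.
    '192.0.2.10 - - [07/Oct/2001:21:30:02 +1000] "GET /index.html HTTP/1.0" 200 1043',
    # Constructed: a CONNECT attempt that the server refused.
    '192.0.2.77 - - [07/Oct/2001:21:31:15 +1000] "CONNECT mail.example.net:25 HTTP/1.0" 405 312',
    # Constructed: the browser test from the thread, which has a leading '/'.
    '192.0.2.10 - - [07/Oct/2001:21:40:00 +1000] "GET /http://61.177.66.228:8283/ HTTP/1.0" 404 290',
]

def classify(line):
    """Return a finding for a proxy-style request line, or None otherwise."""
    m = CLF.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]          # authority-form: host:port
    elif ABSOLUTE.match(target):
        try:
            host = urlsplit(target).hostname     # absolute-form: scheme://host/...
        except ValueError:
            host = None
    else:
        return None                              # origin-form ("/path"): normal request
    status = int(m["status"])
    return {
        "client": m["client"], "method": method, "target": target, "status": status,
        # 2xx/3xx only shows the server answered; with ProxyRequests off it may
        # have served a local page instead of proxying, as reported in the thread.
        "answered": 200 <= status < 400,
        "self_target": host == m["client"],
    }

def findings(lines):
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f)
```

An "answered" hit is a prompt to check whether ProxyRequests is on and whether the proxy modules are loaded, not proof that the request was relayed.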


