Re: Apache log - what is this?
On Mon, Dec 30, 2002 at 02:20:25PM -0500, Stephen Gran wrote:
> Hello all,
>
> I'm seeing the following in my logs (fairly frequently):
>
> 66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "CONNECT 213.92.8.4:6667 HTTP/1.0" 405 303 "-" "-"
> 66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "POST http://213.92.8.4:6667/ HTTP/1.0" 405 300 "-" "-"
>
> (Sorry about the bad wrap)
>
> What I think this means is that somebody's trying to relay through my
> Apache-running server, but is getting 405'd (not available? denied? not
> sure), but I wanted to check, because I'm still fairly new to Apache.
>
> Is this the case, or am I accidentally running a relaying server?
66.140.25.156 is trying to proxy through your server in order to use
IRC. Your server is rejecting the attempt. (405 means 'method not
allowed'.)
A bit of digging shows some interesting information:
66.140.25.156 resolves to stephenson.freenode.net, which resolves to the
same IP.
Some poking around http://freenode.net/ indicates it's an IRC network.
http://freenode.net/irc_servers.shtml lists a bunch of IRC servers, one
of which is calvino.freenode.net.
213.92.8.4, the IP 66.140.25.156 was trying to proxy through you to,
resolves to calvino.freenode.net which resolves back to the same IP.
http://freenode.net/policy.shtml indicates that they automatically check
machines that connect to their network to see if they're running open
proxies.
You aren't, perchance, IRCing from the machine you're seeing these log
entries on? It might be an automated test to keep people from connecting
through open proxies.
--
William Aoki waoki@umnh.utah.edu /"\ ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B <- key change \ / No HTML in mail or news!
99AF A093 29AE 0AE1 9734 prev. expired X
/ \
Reply to: