Re: Apache log - what is this?
On Monday 30 December 2002 03:06 pm, Will Aoki wrote:
> On Mon, Dec 30, 2002 at 02:20:25PM -0500, Stephen Gran wrote:
> > Hello all,
> > I'm seeing the following in my logs (fairly frequently):
> > 126.96.36.199 - - [30/Dec/2002:13:31:21 -0500] "CONNECT 188.8.131.52:6667
> > HTTP/1.0" 405 303 "-" "-" 184.108.40.206 - - [30/Dec/2002:13:31:21 -0500]
> > "POST http://220.127.116.11:6667/ HTTP/1.0" 405 300 "-" "-"
> > (Sorry about the bad wrap)
> > What I think this means is that somebody's trying to relay through my
> > Apache-running server, but is getting 405'd (not available? denied? not
> > sure), but I wanted to check, because I'm still fairly new to Apache.
> > Is this the case, or am I accidentally running a relaying server?
> 18.104.22.168 is trying to proxy through your server in order to use
> IRC. Your server is rejecting the attempt. (405 means 'method not
> A bit of digging shows some interesting information:
> 22.214.171.124 resolves to stephenson.freenode.net, which resolves to the
> same IP.
> Some poking around http://freenode.net/ indicates it's an IRC network.
> http://freenode.net/irc_servers.shtml lists a bunch of IRC servers, one
> of which is calvino.freenode.net.
> 126.96.36.199, the IP 188.8.131.52 was trying to proxy through you to,
> resolves to calvino.freenode.net which resolves back to the same IP.
> http://freenode.net/policy.shtml indicates that they automatically check
> machines that connect to their network to see if they're running open
> You aren't, perchance, IRCing from the machine you're seeing these log
> entries on? It might be an automated test to keep people from connecting
> through open proxies.
This, in fact, happens every time someone connects to irc.debian.org (as
#debian is hosted by freenode)