
Re: apache config question - China IP's




On Mon, 20 Feb 2006 16:28:20 -0500
Kevin Coyner <kevin@rustybear.com> wrote:

> 
> I've been watching the apache logs on a website I work on and have
> seen strange entries recently.  They are in Combined form, and here
> is a snippet:
> 
> 221.226.124.109 - - [20/Feb/2006:16:17:10 -0500] "GET
> http://1-shops.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b HTTP/1.1" 404
> 288 "http://www.google.com/intl/en-us/" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 5.0; Crazy Browser 1.0.5)"
> 
> 
> I interpret this as follows:
> 
> Client IP:
>     221.226.124.109
> 
> Page attempted:
>     http://1-shops.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b
> 
> HTTP error code:
>     404
> 
> 
> Now the server I work on is in the IP range 64.34.x.x, and has
> nothing to do with 1-shops.com.   And the client - 221.226.124.109 -
> that is hitting on my Apache server can be traced back to China.
> 
> So what is this?  They are not requesting pages that exist on my
> server, but pages on other domains.  My server gives the proper
> error code back - 404.
> 
> I normally wouldn't worry about this, but in the last month these
> types of entries have increased dramatically, with most of them
> originating from IP's in China.

They're looking for open proxies. People that are lazy in
loading/configuring mod_proxy in apache can easily turn a webserver
into an open proxy. So they scan for one, similar to the way we've all
seen attempts at finding open smtp gateways or easily crackable ssh
passwords.

HTH,
Jacob
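A log check for the probing described in this thread, as an added example that is not part of the original messages: it flags Combined-format entries whose request line names a foreign host, either as an absolute URI or as a CONNECT target. `OUR_HOSTS`, the function names and every sample line except the first are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"')

# Assumption: the host names this server legitimately answers for.
OUR_HOSTS = {"www.example.org", "example.org"}

# Constructed sample. The first entry is the one quoted in the thread;
# the others are made up and use documentation addresses.
SAMPLE = [
    '221.226.124.109 - - [20/Feb/2006:16:17:10 -0500] '
    '"GET http://1-shops.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b HTTP/1.1" 404 288 '
    '"http://www.google.com/intl/en-us/" "Mozilla/4.0 (compatible; MSIE 6.0; '
    'Windows NT 5.0; Crazy Browser 1.0.5)"',
    '192.0.2.10 - - [20/Feb/2006:16:18:02 -0500] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Feb/2006:16:19:44 -0500] '
    '"CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"',
    '192.0.2.10 - - [20/Feb/2006:16:20:11 -0500] '
    '"GET http://www.example.org/about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def probe(line, our_hosts=OUR_HOSTS):
    """Return a finding if the line is a proxy-style request for a foreign host."""
    m = COMBINED.match(line)
    if not m:
        return None
    method, target = m["method"].upper(), m["target"]
    if method == "CONNECT":        # authority-form: host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:          # absolute-form: scheme://host/path
        host = urlsplit(target).hostname or ""
    else:                          # origin-form (/path): ordinary request
        return None
    if host.lower() in our_hosts:
        return None
    status = int(m["status"])
    # A status below 400 is not proof of relaying (the server may have answered
    # with its own page), but it means the mod_proxy settings need checking.
    return {"ip": m["ip"], "host": host.lower(), "status": status,
            "review": status < 400}

def scan(lines):
    """Collect findings for every proxy-style probe in an iterable of log lines."""
    return [f for f in map(probe, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Entries with `review` set are the ones to follow up on; the 404 from the thread is reported but shows the server refusing the request.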
