[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache config question - China IP's

Kevin Coyner wrote:

On Mon, Feb 20, 2006 at 09:41:42PM -0600, Jacob S wrote...... - - [20/Feb/2006:16:17:10 -0500] "GET
http://1-shops.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b HTTP/1.1"
404 288 "http://www.google.com/intl/en-us/"; "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 1.0.5)"

So what is this?  They are not requesting pages that exist on my
server, but pages on other domains.  My server gives the proper
error code back - 404.
They're looking for open proxies. People that are lazy in
loading/configuring mod_proxy in apache can easily turn a
webserver into an open proxy. So they scan for one, similar to the
way we've all seen attempts at finding open smtp gateways or
easily crackable ssh passwords.

So aside from setting up some iptables 'drop' rules, is there any
other way from keeping this from occuring?  It's messing up my web
stats since these guys are requesting more non-existent pages that I
have real pages on the website.

You could exploit the fact that they're trying to access nonexistent domain names on your system by setting up your default virtual host to redirect them elsewhere (such as http://blackhole-1.iana.org/ or http://localhost/).

Or if they're really using a crawler called "Crazy Bowser" you could pretty easily block them with BrowserMatch in Apache. Sorry I don't remember what the exact line should be, but spending a few minutes at http://httpd.apache.org/docs/ should help.

Using your firewall is probably the best way of blocking such traffic, but as a fellow sysadmin I understand that blocking entire IP ranges isn't really appealing.

Michael Schurter

Reply to: