Security Basics mailing list archives
Re: Strange Web Server Log Entries
From: Zapotek <zapotekzsp () gmail com>
Date: Fri, 07 Dec 2007 20:42:15 +0000
You probably have mod_proxy enabled by accident. (You can get a list with the loaded modules using the following: "$ sudo apache2 -M")
The below link should help you: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Regards,
Zapotek.

steve menard wrote:
> I would like to NOTE: Ubuntu 7.04 AND My Laptop with Ubuntu 7.10 Apache2
> my client's untouched Default Apache server on Ubuntu 7.04
> replies to ANY REQUEST properly phrased
>
> stevem@lap:~$ nc -vvv 192.168.36.36 80
> server192.local [192.168.36.36] 80 (www) open
> GET http://www.12.example.com/
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
> <html>
> <head>
> <title>Index of /</title>
> </head>
> <body>
> <h1>Index of /</h1>
> <table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
> <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="apache2-default/">apache2-default/</a></td><td align="right">20-Nov-2004 16:16 </td><td align="right"> - </td></tr>
> <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="restricted/">restricted/</a></td><td align="right">02-Oct-2007 23:12 </td><td align="right"> - </td></tr>
> <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="squid-reports/">squid-reports/</a></td><td align="right">07-Dec-2007 07:35 </td><td align="right"> - </td></tr>
> <tr><th colspan="5"><hr></th></tr>
> </table>
> <address>Apache/2.2.3 (Ubuntu) PHP/5.2.1 Server at www.12.example.com Port 80</address>
> </body></html>
> sent 32, rcvd 1124
> stevem@lap:~$
>
> Zapotek wrote:
>> Sean Malloy wrote:
>>> Dear List,
>>> What do these entries in my Apache logs mean?
>>>
>>> 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
>>> 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
>>> 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260
>>> 61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903
>>> 61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231
>>> 222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
>>> 222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
>>> 219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
>>> 89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0
>>>
>>> I am especially confused about the first lines in each set. I interpret it as "client 65.117.101.194 successfully connected to my webserver and requested the page http://www.microsoft.com". It looks like someone is trying to bounce an attack off of my webserver. Should I be worried about these entries?
>>> The server only serves static XHTML and CSS pages.
>>
>> What's weird is the response codes. "200 OK" on almost every proxy request, that can't be good.
>> Try:
>> $ nc -vvv your.server.tld 80
>> your.server.tld [0.0.0.0] 80 (www) open
>> GET http://www.intel.com/ HTTP/1.1
>> And check out the response yourself.
>> If you get a "400 Bad Request" you're probably safe.
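An added example, not part of the original messages: a small Python filter for the kind of entries discussed in this thread. It flags access-log requests whose target is an absolute URL or a CONNECT authority rather than a local path, and lists which clients received a 2xx for them. The sample lines are constructed (documentation addresses and example hostnames), and the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines modelled on the entries quoted in the thread.
SAMPLE = [
    '192.0.2.10 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.example.com/ HTTP/1.0" 200 2770',
    '192.0.2.10 - - [20/Nov/2007:09:25:39 -0600] "POST http://mail.example.net:25/ HTTP/1.0" 405 228',
    '192.0.2.10 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://mail.example.net:25 HTTP/1.0" 400 260',
    '198.51.100.7 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.example.org:443 HTTP/1.0" 405 231',
    '203.0.113.5 - - [21/Nov/2007:12:42:36 -0600] "GET /index.html HTTP/1.1" 200 512',
]

def proxy_probes(lines):
    """Return one dict per request that asks the server to act as a proxy."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        target = m["target"]
        # Normal requests use origin-form ("/path") or "*" (OPTIONS).
        # Anything else is absolute-form (GET http://host/) or
        # authority-form (CONNECT host:port), i.e. a proxy-style request.
        if target.startswith("/") or target == "*":
            continue
        host = urlsplit(target if "://" in target else "//" + target).netloc
        status = int(m["status"])
        hits.append({"ip": m["ip"], "method": m["method"], "host": host,
                     "status": status, "size": m["size"],
                     "answered": 200 <= status < 300})
    return hits

def answered_by_client(hits):
    """Map client IP -> sorted target hosts for which the server returned 2xx."""
    out = defaultdict(set)
    for h in hits:
        if h["answered"]:
            out[h["ip"]].add(h["host"])
    return {ip: sorted(hosts) for ip, hosts in out.items()}

if __name__ == "__main__":
    for ip, hosts in answered_by_client(proxy_probes(SAMPLE)).items():
        print(ip, "got 2xx for proxy-style requests to", hosts)
```

A 2xx in this report only says the server answered the request. As the nc test in the thread shows, compare the returned body with your own site's pages to tell local content from a proxied response.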