Security Basics mailing list archives

Re: Strange Web Server Log Entries


From: Zapotek <zapotekzsp () gmail com>
Date: Fri, 07 Dec 2007 20:42:15 +0000

You probably have mod_proxy enabled by accident.
(You can get a list with the loaded modules using the following: "$ sudo apache2 -M")

The below link should help you:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Regards,
Zapotek.

steve menard wrote:
I would like to NOTE:
Ubuntu 7.04 AND My Laptop with Ubuntu 7.10
Apache2 my client's untouched Default Apache server on Ubuntu 7.04
replies to ANY REQUEST properly phrased

stevem@lap:~$ nc -vvv 192.168.36.36 80
server192.local [192.168.36.36] 80 (www) open
GET http://www.12.example.com/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a
href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last
modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a
href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif"
alt="[DIR]"></td><td><a
href="apache2-default/">apache2-default/</a></td><td
align="right">20-Nov-2004 16:16  </td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif"
alt="[DIR]"></td><td><a href="restricted/">restricted/</a></td><td
align="right">02-Oct-2007 23:12  </td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif"
alt="[DIR]"></td><td><a href="squid-reports/">squid-reports/</a></td><td
align="right">07-Dec-2007 07:35  </td><td align="right">  - </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.2.3 (Ubuntu) PHP/5.2.1 Server at www.12.example.com
Port 80</address>
</body></html>
 sent 32, rcvd 1124
stevem@lap:~$


Zapotek wrote:
Sean Malloy wrote:
Dear List,

What do these entries in my Apache logs mean?

65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260

61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231

222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0

I am especially confused about the first lines in each set. I interpret it as
"client 65.117.101.194 successfully connected to my webserver and requested
the page http://www.microsoft.com". It looks like someone is trying to bounce an
attack off of my webserver. Should I be worried about these entries?

The server only serves static XHTML and CSS pages.
What's weird is the response codes.
"200 OK" on almost every proxy request, that can't be good.
Try:
$ nc -vvv your.server.tld 80
your.server.tld [0.0.0.0] 80 (www) open
GET http://www.intel.com/ HTTP/1.1


And check out the response yourself.
If you get a "400 Bad Request" you're probably safe.




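The thread's point is that a log entry whose request target is an absolute URI ("GET http://www.intel.com/") or a CONNECT host:port, answered with a 200, means the server relayed the request rather than refusing it. The following script is an added example, not code from the thread; it parses Apache common-log lines (the sample below is constructed from the entries quoted above, plus one ordinary local request) and flags the entries where a proxy-style request was actually served, so the same check can be run over a real access log instead of reading it by eye.

```python
import re

# Constructed sample in Apache common log format, modelled on the entries
# quoted in the thread; the last line is an ordinary request for this site.
SAMPLE_LOG = """\
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231
89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0
10.0.0.5 - - [21/Nov/2007:12:43:00 -0600] "GET /index.html HTTP/1.1" 200 512
"""

# Apache common log format: ip ident user [timestamp] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ABSOLUTE_URI = re.compile(r'^https?://', re.IGNORECASE)


def classify(line):
    """Return (ip, method, target, status, verdict), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m['method'], m['target'], int(m['status'])
    # Origin-form targets ("/index.html") are normal requests for this site.
    if target.startswith('/'):
        return (m['ip'], method, target, status, 'local')
    # Absolute-form ("http://host/") or CONNECT authority-form ("host:443")
    # targets are proxy requests; only a forward proxy should answer them 2xx.
    if method != 'CONNECT' and not ABSOLUTE_URI.match(target):
        return (m['ip'], method, target, status, 'unknown')
    verdict = 'PROXIED' if 200 <= status < 300 else 'refused'
    return (m['ip'], method, target, status, verdict)


def proxied_requests(log_text):
    """Entries where the server appears to have relayed a request to a third party."""
    parsed = [classify(l) for l in log_text.splitlines() if l.strip()]
    return [p for p in parsed if p and p[4] == 'PROXIED']


if __name__ == '__main__':
    for ip, method, target, status, verdict in proxied_requests(SAMPLE_LOG):
        print(f'{ip} {method} {target} -> {status} {verdict}')
```

Entries marked `refused` (the 400 and 405 responses in the thread) are the behaviour you want from a server that is not meant to proxy; a `PROXIED` entry is the case Zapotek's `nc` check is meant to reproduce by hand.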