Re: GET in Access Log File

["S.A.B.R.O. Net Security" <sabronet () indy rr com>]

It appears someone is indeed attemping to use your server as an open 
proxy via the HTTP GET tunnel trick.

This is also common with POST, CONNECT, etc....scan your logs for these 
types of attempts as well.

What's interesting is even though they received a status code of 200 
(Success) in your examples, the two different sites they
attempted to access both returned 1302 bytes....maybe this is your 
server feeding them your index.html and not the external site's page?

Try using the following :

telnet <your server> 80
then type CONNECT some.site.com:80 HTTP/1.0<enter><enter>

If it returns anything other then your index.html or an error status try 
checking out the following :

Check out the Limit option in httpd.conf:

       <Limit GET POST>
               .
               .
               .
       </Limit>

The above, when placed within a <directory /path/to/directory>....
</directory> section,  will only allow GET and POST requests to that
directory and it's sub-directories. Anything else will give the 405(Method
Not Allowed)  response that you see for the CONNECT request.


(Portions snagged from other sources.....kudos to the original authors).

--
Sincerely,


William E. Hoover
S.A.B.R.O. Net Security Admin
www.sabronet.com
sabronet () indy rr com
admin () sabronet com



Tony Barry wrote:

> I dont know if this is a problem or not but I find 
>
> 219.153.5.53 - - [22/Oct/2005:09:51:55 +1300] "GET
> http://www.sc.cninfo.net/ HTTP/1.1" 200 1302 "-"
>
> And
>
> 202.107.233.114 - - [18/Oct/2005:00:54:04 +1300] "GET
> http://www.sina.com.cn/ HTTP/1.1" 200 1302 "-"
>
> in my Apache 2.0 access log. 
>
> Is there some way of preventing people using my server like this?
>
>
>
>