Security Basics mailing list archives
Re: GET in Access Log File
From: "S.A.B.R.O. Net Security" <sabronet () indy rr com>
Date: Tue, 25 Oct 2005 09:53:28 -0500
It appears someone is indeed attemping to use your server as an open proxy via the HTTP GET tunnel trick.
This is also common with POST, CONNECT, etc....scan your logs for these types of attempts as well.
What's interesting is even though they received a status code of 200 (Success) in your examples, the two different sites they attempted to access both returned 1302 bytes....maybe this is your server feeding them your index.html and not the external site's page?
Try using the following : telnet <your server> 80 then type CONNECT some.site.com:80 HTTP/1.0<enter><enter>If it returns anything other then your index.html or an error status try checking out the following :
Check out the Limit option in httpd.conf: <Limit GET POST> . . . </Limit> The above, when placed within a <directory /path/to/directory>.... </directory> section, will only allow GET and POST requests to that directory and it's sub-directories. Anything else will give the 405(Method Not Allowed) response that you see for the CONNECT request. (Portions snagged from other sources.....kudos to the original authors). -- Sincerely, William E. Hoover S.A.B.R.O. Net Security Admin www.sabronet.com sabronet () indy rr com admin () sabronet com Tony Barry wrote:
I dont know if this is a problem or not but I find219.153.5.53 - - [22/Oct/2005:09:51:55 +1300] "GET http://www.sc.cninfo.net/ HTTP/1.1" 200 1302 "-" And 202.107.233.114 - - [18/Oct/2005:00:54:04 +1300] "GET http://www.sina.com.cn/ HTTP/1.1" 200 1302 "-"in my Apache 2.0 access log.Is there some way of preventing people using my server like this?
Current thread:
- GET in Access Log File Tony Barry (Oct 24)
- Re: GET in Access Log File ilaiy (Oct 24)
- Re: GET in Access Log File S.A.B.R.O. Net Security (Oct 25)
- Re: GET in Access Log File Tony Barry (Oct 26)
- Re: GET in Access Log File Alexander Klimov (Oct 26)