Re: Strange Web Server Log Entries

[Sean Malloy <spinelli85 () gmail com>]

On Fri, Dec 07, 2007 at 03:00:01AM -0500, J-Michael Roberts wrote:
> They are attepting to locate a proxy - likely for the purposes of 
> sending spam.
>
> According to the logs, they successfully retrieved the Microsoft webpage 
> via your server - you you might want to close that up.  Fortunately, 
> attempts to make ssl connections or to post messages to port 25 (mail) 
> failed.
>
> Unless you want to help people cover their tracks and make it look like 
> you were visiting places that you were not, you definitely want to turn 
> that proxying ability OFF in your apache configuration.
>
> -J

I don't think I have proxying turned on for Apache. Of course I could be
wrong. Here is the proxy section from httpd.conf (They are all
commented and always have been).

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Directory proxy:*>
#    Order deny,allow
#    Deny from all
#    Allow from .your_domain.com
#</Directory>

#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via:
# headers)
# Set to one of: Off | On | Full | Block
#
#ProxyVia On

#
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
#
#CacheRoot "/var/www/proxy"
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache a_domain.com another_domain.edu joes.garage_sale.com

#</IfModule>
# End of proxy directives.

server$ httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c
  mod_keynote.c
  mod_ssl.c
suexec: disabled; invalid wrapper /usr/sbin/suexec

These lines in httpd.conf seem to indicate that the proxy module is not
loaded. (They are commented and always have been.)

# caching proxy
# LoadModule proxy_module       /usr/lib/apache/modules/libproxy.so


> Sean Malloy wrote:
> > Dear List,
> >
> > What do these entries in my Apache logs mean?
> >
> > 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET 
> > http://www.microsoft.com/ HTTP/1.0" 200 2770
> > 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST 
> > http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
> > 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT 
> > http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260
> >
> > 61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ 
> > HTTP/1.1" 200 2903
> > 61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 
> > HTTP/1.0" 405 231
> >
> > 222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET 
> > http://www.intel.com/ HTTP/1.1" 200 2770
> >
> > 222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET 
> > http://www.intel.com/ HTTP/1.1" 200 2770
> >
> > 219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ 
> > HTTP/1.1" 200 2770
> >
> > 89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ 
> > HTTP/1.1" 200 0
> >
> > I am especially confused about the first lines in each set. I interpret it 
> > as "client
> > 65.117.101.194 successfully connected to my webserver and requested the 
> > page
> > http://www.microsoft.com";. It looks like someone is trying to bounce an
> > attack off of my webserver. Should I be worried about these entries?
> >
> > The server only servers static XHTML and CSS pages. 
> >  

-- 
Sean Malloy
Home Page: www.catgrepsort.com