Security Basics mailing list archives
Re: Strange Web Server Log Entries
From: Sean Malloy <spinelli85 () gmail com>
Date: Fri, 7 Dec 2007 02:36:18 -0600
On Fri, Dec 07, 2007 at 03:00:01AM -0500, J-Michael Roberts wrote:
> They are attempting to locate a proxy - likely for the purposes of
> sending spam. According to the logs, they successfully retrieved the
> Microsoft webpage via your server - you might want to close that up.
> Fortunately, attempts to make ssl connections or to post messages to
> port 25 (mail) failed. Unless you want to help people cover their
> tracks and make it look like you were visiting places that you were
> not, you definitely want to turn that proxying ability OFF in your
> apache configuration.
>
> -J

I don't think I have proxying turned on for Apache. Of course I could be wrong. Here is the proxy section from httpd.conf (They are all commented and always have been).

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Directory proxy:*>
#    Order deny,allow
#    Deny from all
#    Allow from .your_domain.com
#</Directory>
#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via:
# headers)
# Set to one of: Off | On | Full | Block
#
#ProxyVia On
#
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
#
#CacheRoot "/var/www/proxy"
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache a_domain.com another_domain.edu joes.garage_sale.com
#</IfModule>
# End of proxy directives.

server$ httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c
  mod_keynote.c
  mod_ssl.c
suexec: disabled; invalid wrapper /usr/sbin/suexec

These lines in httpd.conf seem to indicate that the proxy module is not loaded. (They are commented and always have been.)

# caching proxy
# LoadModule proxy_module /usr/lib/apache/modules/libproxy.so

> Sean Malloy wrote:
> > Dear List,
> >
> > What do these entries in my Apache logs mean?
> >
> > 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
> > 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
> > 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260
> >
> > 61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903
> > 61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231
> >
> > 222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
> > 222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
> > 219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
> > 89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0
> >
> > I am especially confused about the first lines in each set. I
> > interpret it as "client 65.117.101.194 successfully connected to my
> > webserver and requested the page http://www.microsoft.com". It looks
> > like someone is trying to bounce an attack off of my webserver.
> > Should I be worried about these entries? The server only serves
> > static XHTML and CSS pages.

--
Sean Malloy
Home Page: www.catgrepsort.com
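
An added example, not part of any message in this thread: a Python pass over the log lines quoted above that picks out requests whose target is an absolute URI or a CONNECT authority rather than a local path, then groups the 200 responses by body size. The function names and the last sample line are constructed here, and reading equal sizes for unrelated hosts as a sign that the server answered with one of its own pages is a heuristic assumed by this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Log lines quoted in the thread (Apache common log format); the final
# line is constructed here to show an ordinary local request being skipped.
SAMPLE_LOG = """\
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260
61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231
222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0
192.0.2.10 - - [21/Nov/2007:12:43:00 -0600] "GET /style.css HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

def find_proxy_probes(log_text):
    """Return one dict per request whose target is not a plain local path."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Origin-form targets start with "/"; "*" is valid for OPTIONS.
        if not m or m["target"].startswith("/") or m["target"] == "*":
            continue
        target = m["target"]
        # Absolute URI (http://host/...) or CONNECT authority (host:port).
        host = (urlsplit(target).hostname if "://" in target
                else target.rsplit(":", 1)[0].lower())
        probes.append({"ip": m["ip"], "method": m["method"], "host": host,
                       "status": int(m["status"]),
                       "size": 0 if m["size"] == "-" else int(m["size"])})
    return probes

def same_body_for_different_hosts(probes):
    """Sizes of 200 responses that were returned for more than one host."""
    hosts_by_size = defaultdict(set)
    for p in probes:
        if p["status"] == 200 and p["size"] > 0:
            hosts_by_size[p["size"]].add(p["host"])
    return {s: sorted(h) for s, h in hosts_by_size.items() if len(h) > 1}

if __name__ == "__main__":
    found = find_proxy_probes(SAMPLE_LOG)
    print(len(found), "probes;", same_body_for_different_hosts(found))
```

A size reported for several unrelated hosts can be compared with the size of the server's own default page to settle what was actually returned.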