Security Basics mailing list archives
Re: Strange Web Server Log Entries
From: "Jason Muskat de VE3TSJ - GCFA, GCUX, CEI, CEH" <Jason () TechDude Ca>
Date: Thu, 6 Dec 2007 20:23:29 -0500
Hello,

Logs are always interesting to review. It does look like the 1st HTTP GET request returned the page requested, and it did; however, your frame of context is incorrect. You should review your server's virtual hosting configuration. I'm sure you will have a default "*" (all) virtual host. The request for http://www.microsoft.com/ will serve your site's root page (/index.html).
The other requests seem to be an attacker checking to see if your server is an open-proxy. The 400 series return (error) codes are a good sign that your server is not.
Regards,
--
Jason Muskat de VE3TSJ | GCFA, GCUX, CEI, CEH
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934
http://TechDude.Ca/

On 6-Dec-07, at 4:24 PM, Sean Malloy wrote:
Dear List,

What do these entries in my Apache logs mean?

65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260
61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231
222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0

I am especially confused about the first lines in each set. I interpret it as "client 65.117.101.194 successfully connected to my webserver and requested the page http://www.microsoft.com". It looks like someone is trying to bounce an attack off of my webserver. Should I be worried about these entries? The server only serves static XHTML and CSS pages.

--
Sean Malloy
Home Page: www.catgrepsort.com
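
A log check along the lines of the reply above, as an added example that is not part of the original thread: it flags proxy-style requests (absolute-URI targets and CONNECT) in Apache common-log lines and separates refused probes from 2xx responses. The sample lines are constructed, and `local_root_sizes` (byte sizes this server returns for its own root page) is a hypothetical parameter used as a heuristic for the default-virtual-host case.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify(line, local_root_sizes=()):
    """Return (ip, method, target, verdict) for a proxy-style request, else None.

    local_root_sizes (hypothetical parameter): sizes of this server's own "/"
    page, used to recognise the default virtual host answering locally.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    # An origin server normally sees "/path" targets; an absolute URI or a
    # CONNECT is the form a client sends to a proxy.
    if method != "CONNECT" and not ABSOLUTE_URI.match(target):
        return None
    if status >= 400:
        verdict = "refused"        # 4xx/5xx: the proxy attempt was rejected
    elif method == "CONNECT":
        verdict = "investigate"    # an accepted CONNECT means a tunnel opened
    elif m["size"] != "-" and int(m["size"]) in local_root_sizes:
        verdict = "local-page"     # same size as our own root page
    else:
        verdict = "investigate"    # 2xx/3xx with a body we cannot account for
    return (m["ip"], method, target, verdict)

def scan(lines, local_root_sizes=()):
    """Classify every line and keep only the proxy-style requests."""
    results = (classify(l, local_root_sizes) for l in lines)
    return [r for r in results if r is not None]

# Constructed sample lines (documentation addresses and example hosts).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET http://www.example.com/ HTTP/1.0" 200 2770',
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST http://mail.example.net:25/ HTTP/1.0" 405 228',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 400 260',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2770',
    '203.0.113.5 - - [01/Jan/2024:10:09:00 +0000] "GET http://www.example.org/ HTTP/1.1" 200 51234',
]

if __name__ == "__main__":
    for row in scan(SAMPLE, local_root_sizes={2770}):
        print(*row)
```

A "local-page" verdict rests only on the size match; fetching the same absolute URI against the server and comparing the body with the local root page confirms it.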