Security Basics mailing list archives

Re: Strange Web Server Log Entries


From: "Sukbum Hong" <antihong () tt co kr>
Date: Fri, 7 Dec 2007 09:58:26 +0900

Hello Sean Malloy.

Did you enable the forward proxy function?
It is a proxy attempt using your webserver.

If you don't use a forward proxy, set ProxyRequests Off.
If you must set ProxyRequests On, set it like below.

<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.3 
</Proxy>

But, according to your log, you didn't set ProxyRequests On.

Please see the link below for more info.
http://httpd.apache.org/docs/1.3/mod/mod_proxy.html


Thanks.



----- Original Message ----- 
From: "Sean Malloy" <spinelli85 () gmail com>
To: <security-basics () securityfocus com>
Sent: Friday, December 07, 2007 6:24 AM
Subject: Strange Web Server Log Entries


Dear List,

What do these entries in my Apache logs mean?

65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260

61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231

222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0

I am especially confused about the first lines in each set. I interpret it as "client
65.117.101.194 successfully connected to my webserver and requested the page
http://www.microsoft.com". It looks like someone is trying to bounce an
attack off of my webserver. Should I be worried about these entries?

The server only serves static XHTML and CSS pages.
-- 
Sean Malloy
Home Page: www.catgrepsort.com
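
An added example, not part of either message: a small Python triage script that picks proxy-style requests (CONNECT, or a request target that is a full URL) out of an Apache access log and sorts them by whether the server refused them. The function names and verdict labels are made up for this example, and the last sample line is constructed; treating a 2xx answer to a full-URL GET as "compare the size with your own page" is an assumption based on the server answering such requests with local content when it is not acting as a forward proxy.

```python
import re

# Four entries copied from the log in the post, plus one constructed ordinary request.
SAMPLE_LOG = """\
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231
192.0.2.10 - - [20/Nov/2007:09:26:00 -0600] "GET /index.html HTTP/1.1" 200 2770
"""

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                 r'(?P<status>\d{3}) (?P<size>\d+|-)')
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

def classify(line):
    """Return (ip, method, target, status, verdict) for a proxy-style request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    method, target, status = m['method'], m['target'], int(m['status'])
    if method != 'CONNECT' and not ABSOLUTE_URI.match(target):
        return None  # origin-form target such as /index.html: ordinary traffic
    if not 200 <= status < 300:
        verdict = 'refused'
    elif method == 'CONNECT':
        verdict = 'tunnel-opened'  # server agreed to relay: it is an open proxy
    else:
        # 2xx on a full URL is ambiguous: the server may have answered with its
        # own local page, so compare the byte count with that page's size.
        verdict = 'check-size'
    return (m['ip'], method, target, status, verdict)

def proxy_probes(log_text):
    """All proxy-style requests found in the log text."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

def summarize(log_text):
    """Count verdicts per client IP."""
    summary = {}
    for ip, _, _, _, verdict in proxy_probes(log_text):
        per_ip = summary.setdefault(ip, {})
        per_ip[verdict] = per_ip.get(verdict, 0) + 1
    return summary

if __name__ == '__main__':
    for hit in proxy_probes(SAMPLE_LOG):
        print(*hit)
```

Any "tunnel-opened" line, or a "check-size" line whose byte count differs from the local page for the same path, means the proxy configuration needs to be reviewed.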
