Re: apache weird GET
- From: Leo <champen terra es>
- To: redhat-list redhat com
- Subject: Re: apache weird GET
- Date: Fri Jan 30 17:17:11 2004
Mike McNamara wrote:
At 5:54 PM +0100 1/30/04, Leo wrote:
Have these lines in the config:
LoadModule proxy_module modules/mod_proxy.so
I wouldn't even load the module unless you need the functionality
FWIW! From a security perspective, I'd personally only enable what
modules you actually need and use.
True, although that's the way they come out of the CD!
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
#</Proxy>
I guess they're trying without success?
Your log indicates an http response code of 200 -- which means no
error conditions. It looks to me like the proxy request was probably
a success. If you're seeing a ton of these, I'd work on the
assumption that your box is being used as an http proxy.
No, not a ton, but a few. Might it be some kind of port scan?
Other requests are even stranger, like with variables, very long, like this:
ac984dde.ipt.aol.com - - [25/Jan/2004:12:58:47 +0100] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff
%u0078%u0000%u00=a HTTP/1.0" 404 1088 "-" "-"
or these (well, this one is quite obvious):
crawler14.googlebot.com - - [25/Jan/2004:13:27:43 +0100] "GET /robots.txt HTTP/1.0" 404 1088 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
crawler14.googlebot.com - - [25/Jan/2004:13:27:44 +0100] "GET / HTTP/1.0" 200 6840 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
and these are even more suspicious:
atenas.srh.uerj.br - - [25/Jan/2004:20:54:51 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 400 1003 "-" "-"
211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"
Sometimes when I connect to IRC, I get this:
freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "CONNECT 130.239.18.160:802 HTTP/1.0" 405 1010 "-" "-"
freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "POST http://130.239.18.160:802/ HTTP/1.0" 200 6840 "-" "-"
That's why I said they may be port scans.
Could it mean something else?
Never say never, but I don't think so. Is it possible that your copy
of apache is using another httpd.conf file than the one that you're
looking at? Perhaps you've enabled ProxyRequests on a virtual host
basis? Those are the first 2 thoughts that pop into my head.
The config file used is the one I edit, that's for sure.
But ProxyRequests on a virtual host basis? o_O
How do I find that out? I didn't touch anything that I know of
concerning this, that came in the RH9 CDs.
Thanks.
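
Added example (not part of the original message): a Python check that pulls proxy-style requests (CONNECT, or a full URL as the request target) out of an access log and separates refused attempts from ones answered with a 2xx. It goes beyond the quoted lines with one heuristic, which is an assumption: a 2xx whose byte count equals that of a normal local page (here 6840, the size logged for GET /) is treated as Apache serving its own page rather than relaying. Function names and the sample, re-joined from the log lines in the message, are constructed for illustration.

```python
import re

# Apache combined log: host ident user [time] "METHOD target proto" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\d+|-)')
ABS_URI = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

# Constructed sample: wrapped log lines from the message, re-joined.
SAMPLE = """\
crawler14.googlebot.com - - [25/Jan/2004:13:27:44 +0100] "GET / HTTP/1.0" 200 6840 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"
freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "CONNECT 130.239.18.160:802 HTTP/1.0" 405 1010 "-" "-"
freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "POST http://130.239.18.160:802/ HTTP/1.0" 200 6840 "-" "-"
"""

def parse(lines):
    """Return (host, method, target, status, size) for each parsable line."""
    return [m.groups() for m in map(LINE.match, lines) if m]

def classify(lines):
    rows = parse(lines)
    # Byte counts of 2xx replies to ordinary requests for local paths.
    local = {size for _, method, target, status, size in rows
             if target.startswith("/") and status[0] == "2" and size != "-"}
    findings = []
    for host, method, target, status, size in rows:
        if method != "CONNECT" and not ABS_URI.match(target):
            continue  # ordinary origin-form request, not proxy-style
        if status[0] != "2":
            verdict = "refused"
        elif method != "CONNECT" and size in local:
            # Heuristic (assumption): same size as a local page means Apache
            # served its own content instead of fetching the remote URL.
            verdict = "answered-locally"
        else:
            verdict = "possibly-relayed"
        findings.append((host, method, target, verdict))
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE.splitlines()):
        print(*finding)
```

Any "possibly-relayed" result is the case worth following up by checking ProxyRequests in the main config and in every virtual host.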