Re: apache weird GET
- From: Roger Beever <roger2 rogernet net>
- To: redhat list <redhat-list redhat com>
- Subject: Re: apache weird GET
- Date: Fri Jan 30 17:43:01 2004
On Fri, 2004-01-30 at 22:22, Leo wrote:
> Mike McNamara wrote:
>
> > At 5:54 PM +0100 1/30/04, Leo wrote:
> >
> >> Have these lines in the config:
> >>
> >>
> >> LoadModule proxy_module modules/mod_proxy.so
> >
> >
> > I wouldn't even load the module unless you need the functionality
> > FWIW! From a security perspective, I'd personally only enable what
> > modules you actually need and use.
>
>
> True, although that's the way they come out of the CD!
>
>
> >
> >> # Proxy Server directives. Uncomment the following lines to
> >> # enable the proxy server:
> >> #
> >> #<IfModule mod_proxy.c>
> >> #ProxyRequests On
> >> #
> >> #<Proxy *>
> >> # Order deny,allow
> >> # Deny from all
> >> # Allow from .your-domain.com
> >> #</Proxy>
> >
> >
> >> I guess they're trying without success ?
> >
> >
> > Your log indicates an http response code of 200 -- which means no
> > error conditions. It looks to me like the proxy request was probably
> > a success. If you're seeing a ton of these, I'd work on the
> > assumption that your box is being used as an http proxy.
>
>
>
> No, not a ton, but a few. May it be some kind of port scan ?
> Other requests are even stranger like with variables, very long like this:
>
>
> ac984dde.ipt.aol.com - - [25/Jan/2004:12:58:47 +0100] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff
> %u0078%u0000%u00=a HTTP/1.0" 404 1088 "-" "-"
>
>
> or these (well, this one is quite obvious):
>
>
> crawler14.googlebot.com - - [25/Jan/2004:13:27:43 +0100] "GET
> /robots.txt HTTP/1.0" 404 1088 "-" "Googlebot/2.1
> (+http://www.googlebot.com/bot.html)"
> crawler14.googlebot.com - - [25/Jan/2004:13:27:44 +0100] "GET /
> HTTP/1.0" 200 6840 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
>
>
> and these are even more suspicious:
>
>
> atenas.srh.uerj.br - - [25/Jan/2004:20:54:51 +0100] "POST
> /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 400 1003 "-" "-"
> 211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT
> 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"
>
> Sometimes when I connect to IRC, I get this:
>
> freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100]
> "CONNECT 130.239.18.160:802 HTTP/1.0" 405 1010 "-" "-"
> freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "POST
> http://130.239.18.160:802/ HTTP/1.0" 200 6840 "-" "-"
>
>
> That's why I said they may be port scans.
>
>
>
> >
> >> Could it mean something else?
> >
> >
> > Never say never, but I don't think so. It is possible that your copy
> > of apache is using another httpd.conf file than the one that you're
> > looking at? Perhaps you've enabled ProxyRequests on a virtual host
> > basis? Those are the first 2 thoughts that pop into my head.
> >
>
> The config file used is the one I edit, that's for sure.
>
> But ProxyRequests on a virtual host basis? o_O
> How do I find that out? I didn't touch anything that I know of
> concerning this, that came in the RH9 CDs.
>
>
> Thanks.
These are starting to look like the checks done to look for weak points
on Windows machines. The Default IDA is a classic.
I actually made a page saying "is this what you were looking for" to save
entries in the error log when the page was not found.
Regards Roger