Re: apache weird GET


 





Mike McNamara wrote:

At 5:54 PM +0100 1/30/04, Leo wrote:

Have these lines in the config:


LoadModule proxy_module modules/mod_proxy.so


I wouldn't even load the module unless you need the functionality FWIW! From a security perspective, I'd personally only enable what modules you actually need and use.


True, although that's the way they come out of the CD!



# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
#    Order deny,allow
#    Deny from all
#    Allow from .your-domain.com
#</Proxy>


I guess they're trying without success?


Your log indicates an http response code of 200 -- which means no error conditions. It looks to me like the proxy request was probably a success. If you're seeing a ton of these, I'd work on the assumption that your box is being used as an http proxy.



No, not a ton, but a few. May it be some kind of port scan? Other requests are even stranger like with variables, very long like this:


ac984dde.ipt.aol.com - - [25/Jan/2004:12:58:47 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff %u0078%u0000%u00=a HTTP/1.0" 404 1088 "-" "-"


or these (well, this one is quite obvious):



crawler14.googlebot.com - - [25/Jan/2004:13:27:43 +0100] "GET /robots.txt HTTP/1.0" 404 1088 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
crawler14.googlebot.com - - [25/Jan/2004:13:27:44 +0100] "GET / HTTP/1.0" 200 6840 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"


and these are even more suspicious:



atenas.srh.uerj.br - - [25/Jan/2004:20:54:51 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 400 1003 "-" "-"
211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"

Sometimes when I connect to IRC, I get this:

freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "CONNECT 130.239.18.160:802 HTTP/1.0" 405 1010 "-" "-"
freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "POST http://130.239.18.160:802/ HTTP/1.0" 200 6840 "-" "-"


That's why I said they may be port scans.





Could it mean something else?


Never say never, but I don't think so. Is it possible that your copy of apache is using another httpd.conf file than the one that you're looking at? Perhaps you've enabled ProxyRequests on a virtual host basis? Those are the first 2 thoughts that pop into my head.


The config file used is the one I edit, that's for sure.


But ProxyRequests on a virtual host basis?  o_O
How do I find that out? I didn't touch anything that I know of
concerning this, that came in the RH9 CDs.


Thanks.
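
An added example, not part of the original e-mail: a small Python check for the question raised in this thread, whether a 200 on a proxy-style request means it was relayed. It flags CONNECT and absolute-URI requests and compares the response size with that of a local GET /; the size comparison is a heuristic resting on the assumption that a server not acting as a forward proxy answers such requests with its own page, and the last sample line is constructed.

```python
import re

# Apache combined log format: host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def learn_index_size(lines):
    """Byte count of a successful local 'GET /', used as a baseline."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and (m["method"], m["target"], m["status"]) == ("GET", "/", "200") \
                and m["size"].isdigit():
            return int(m["size"])
    return None

def classify(line, index_size):
    """Verdict for proxy-style requests; None for ordinary or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] != "CONNECT" and not ABSOLUTE_URI.match(m["target"]):
        return None
    if int(m["status"]) >= 400:
        verdict = "refused"            # server rejected the proxy attempt
    elif index_size is not None and m["size"] == str(index_size):
        verdict = "served-local-page"  # heuristic: same bytes as the local front page
    else:
        verdict = "possible-relay"     # 2xx/3xx with unfamiliar size: investigate
    return (verdict, m["host"], m["method"], m["target"])

def scan(lines):
    index_size = learn_index_size(lines)
    return [r for r in (classify(l, index_size) for l in lines) if r]

# First three lines are from the thread; the last one is constructed for illustration.
SAMPLE = [
    'crawler14.googlebot.com - - [25/Jan/2004:13:27:44 +0100] "GET / HTTP/1.0" 200 6840 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"',
    '211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"',
    'freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "POST http://130.239.18.160:802/ HTTP/1.0" 200 6840 "-" "-"',
    'probe.example.net - - [28/Jan/2004:19:40:02 +0100] "GET http://192.0.2.10/ HTTP/1.0" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for result in scan(SAMPLE):
        print(*result)
```

Lines classified as possible-relay are the ones to follow up on, for example by checking every loaded configuration file and virtual host for ProxyRequests.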






