Mike McNamara wrote:
At 5:54 PM +0100 1/30/04, Leo wrote:
Have these lines in the config:
LoadModule proxy_module modules/mod_proxy.so
I wouldn't even load the module unless you need the functionality FWIW! From a security perspective, I'd personally only enable what modules you actually need and use.
True, although that's the way they come out of the CD!
# Proxy Server directives. Uncomment the following lines to # enable the proxy server: # #<IfModule mod_proxy.c> #ProxyRequests On # #<Proxy *> # Order deny,allow # Deny from all # Allow from .your-domain.com #</Proxy>
I guess they're trying without success ?
Your log indicates an http response code of 200 -- which means no error conditions. It looks to me like the proxy request was probably a success. If you're seeing a ton of these, I'd work on the assumption that your box is being used as an http proxy.
No, not a ton, but a few. May it be some kind of port scan ? Other requests are even stranger like with variables, very long like this:
ac984dde.ipt.aol.com - - [25/Jan/2004:12:58:47 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff %u0078%u0000%u00=a HTTP/1.0" 404 1088 "-" "-"
or these (well, this one is quite obvious):
crawler14.googlebot.com - - [25/Jan/2004:13:27:43 +0100] "GET /robots.txt HTTP/1.0" 404 1088 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)" crawler14.googlebot.com - - [25/Jan/2004:13:27:44 +0100] "GET / HTTP/1.0" 200 6840 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
and these are even more suspicious:
atenas.srh.uerj.br - - [25/Jan/2004:20:54:51 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 400 1003 "-" "-" 211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"
Sometimes when I connect to IRC, I get this:
freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "CONNECT 130.239.18.160:802 HTTP/1.0" 405 1010 "-" "-" freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "POST http://130.239.18.160:802/ HTTP/1.0" 200 6840 "-" "-"
That's why I said they may be port scans.
Could it mean something else?
Never say never, but I don't think so. It is possible that your copy of apache is using another httpd.conf file than the one that you're looking at? Perhaps you've enabled ProxyRequests on a virtual host basis? Those are the first 2 thoughts that pop into my head.
The config file used is the one I edit, that's for sure.
But ProxyRequests of a virtual host basis? o_O How do I find that out? I didn't touch anything that I know of concerning this, that came in the RH9 CDs.
Thanks.
-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
