On Fri, 2004-01-30 at 22:22, Leo wrote:
> Mike McNamara wrote:
>
> > At 5:54 PM +0100 1/30/04, Leo wrote:
> >
> >> Have these lines in the config:
> >>
> >> LoadModule proxy_module modules/mod_proxy.so
> >
> > I wouldn't even load the module unless you need the functionality
> > FWIW! From a security perspective, I'd personally only enable what
> > modules you actually need and use.
>
> True, although that's the way they come out of the CD!
>
> >> # Proxy Server directives. Uncomment the following lines to
> >> # enable the proxy server:
> >> #
> >> #<IfModule mod_proxy.c>
> >> #ProxyRequests On
> >> #
> >> #<Proxy *>
> >> #    Order deny,allow
> >> #    Deny from all
> >> #    Allow from .your-domain.com
> >> #</Proxy>
> >
> >> I guess they're trying without success?
> >
> > Your log indicates an http response code of 200 -- which means no
> > error conditions. It looks to me like the proxy request was probably
> > a success. If you're seeing a ton of these, I'd work on the
> > assumption that your box is being used as an http proxy.
>
> No, not a ton, but a few. May it be some kind of port scan?
> Other requests are even stranger, like with variables, very long like this:
>
> ac984dde.ipt.aol.com - - [25/Jan/2004:12:58:47 +0100] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff
> %u0078%u0000%u00=a HTTP/1.0" 404 1088 "-" "-"
>
> or these (well, this one is quite obvious):
>
> crawler14.googlebot.com - - [25/Jan/2004:13:27:43 +0100] "GET /robots.txt HTTP/1.0" 404 1088 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
> crawler14.googlebot.com - - [25/Jan/2004:13:27:44 +0100] "GET / HTTP/1.0" 200 6840 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
>
> and these are even more suspicious:
>
> atenas.srh.uerj.br - - [25/Jan/2004:20:54:51 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 400 1003 "-" "-"
> 211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"
>
> Sometimes when I connect to IRC, I get this:
>
> freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "CONNECT 130.239.18.160:802 HTTP/1.0" 405 1010 "-" "-"
> freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "POST http://130.239.18.160:802/ HTTP/1.0" 200 6840 "-" "-"
>
> That's why I said they may be port scans.
>
> >> Could it mean something else?
> >
> > Never say never, but I don't think so. It is possible that your copy
> > of apache is using another httpd.conf file than the one that you're
> > looking at? Perhaps you've enabled ProxyRequests on a virtual host
> > basis? Those are the first 2 thoughts that pop into my head.
>
> The config file used is the one I edit, that's for sure.
>
> But ProxyRequests on a virtual host basis? o_O
> How do I find that out? I didn't touch anything that I know of
> concerning this, that came in the RH9 CDs.
>
> Thanks.

These are starting to look like the checks done to look for weak points
on Windows machines. The Default IDA is a classic. I actually made a
page saying "is this what you were looking for" to save entries in the
error log when the page was not found.

Regards
Roger
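
An added example, not part of the thread: a Python triage of access-log lines like the ones quoted above, separating proxy-style requests (CONNECT, or a full URL as the request target) that were refused from those answered with 200. It assumes Apache combined log format and applies a heuristic of its own: a 200 whose byte count equals that of the local `GET /` page was most likely answered from the local document root rather than relayed. The function names and the last sample line are constructed.

```python
import re
from collections import Counter

# Apache combined log: host ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def is_proxy_attempt(rec):
    # CONNECT tunnels, or a request target that is a full URL instead of a path
    return rec["method"] == "CONNECT" or bool(
        re.match(r"[a-z][a-z0-9+.-]*://", rec["target"], re.I))

def local_root_size(records):
    # Most common byte count of a successful "GET /": size of the local index page
    sizes = Counter(r["size"] for r in records
                    if r["method"] == "GET" and r["target"] == "/" and r["status"] == 200)
    return sizes.most_common(1)[0][0] if sizes else None

def triage(lines):
    records = [r for r in map(parse, lines) if r]
    root = local_root_size(records)
    findings = []
    for r in records:
        if not is_proxy_attempt(r):
            continue
        if r["status"] >= 400:
            verdict = "refused"
        elif r["method"] != "CONNECT" and r["size"] == root:
            verdict = "local page served (heuristic)"
        else:
            verdict = "possible relay, investigate"
        findings.append((r["host"], r["method"], r["target"], verdict))
    return findings

SAMPLE = [  # first four lines are quoted from the thread; the last one is constructed
    'crawler14.googlebot.com - - [25/Jan/2004:13:27:44 +0100] "GET / HTTP/1.0" 200 6840 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"',
    '211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"',
    'freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "CONNECT 130.239.18.160:802 HTTP/1.0" 405 1010 "-" "-"',
    'freenode-proxyscanner.acc.umu.se - - [28/Jan/2004:19:32:11 +0100] "POST http://130.239.18.160:802/ HTTP/1.0" 200 6840 "-" "-"',
    '192.0.2.10 - - [28/Jan/2004:19:40:00 +0100] "GET http://example.com/ HTTP/1.0" 200 15230 "-" "-"',
]
```

Calling `triage(SAMPLE)` returns one tuple per proxy-style request; a "possible relay" verdict is a prompt to check the effective configuration for `ProxyRequests On`, including inside virtual hosts.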