Re: apache weird GET

Mike McNamara wrote:

At 11:22 PM +0100 1/30/04, Leo wrote:

True, although that's the way they come out of the CD!


Ah! Sorry... Apache, PHP, mod_perl and the like are some of the things I'll download the source for and always build by hand. I like to know that I can rebuild apache the moment that a patch or a new version is released.


That's wise.


No, not a ton, but a few. May it be some kind of port scan?


The GET www.yahoo.com one is definitely an attempt at a proxy request. Since you have apache configured not to handle proxy requests, it's probably just your server returning the default apache page and not actually fulfilling the request.


I don't remember defining anywhere a "default" page.
I have however defined default file for a directory, but not a default page.
Actually, I changed it from the default index.html, to index.php.



Other requests are even stranger like with variables, very long like this:


ac984dde.ipt.aol.com - - [25/Jan/2004:12:58:47 +0100] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff

%u0078%u0000%u00=a HTTP/1.0" 404 1088 "-" "-"


Stuff like the above are just random hosts searching for common vulnerabilities in IIS servers. My logs are full of such requests. Nothing to worry about as long as you're running apache.

and these are even more suspicious:


atenas.srh.uerj.br - - [25/Jan/2004:20:54:51 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 400 1003 "-" "-"
211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"


This is someone looking to capitalize on a buffer overflow exploit for Microsoft's Frontpage Server Extensions, I believe. Again, there's no concern here for you running apache.


Great!



But ProxyRequests on a virtual host basis?  o_O
How do I find that out? I didn't touch anything that I know of
concerning this, that came in the RH9 CDs.


I don't know anything about the default RH httpd.conf file unfortunately. If you only see one ProxyRequests config setting in httpd.conf as you described earlier, you don't have it turned on for any virtual hosts. It also appears to be turned off in general. All of your log entries look pretty normal to me. Originally it appeared as though you might have an open proxy, which would have probably been undesirable!


Yes, there's only one section.
And I did also see the virtual hosts section in the end (it's all commented out).


So then, maybe there's no problem at all.


Thanks.







-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
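
An added example, not part of the original thread: a small Python triage of the request types discussed above (proxy attempts, the /default.ida probe, the fp30reg.dll probe), reading the status code to tell a refused request from one the server acted on. The function names and category labels are assumptions of this example, and the sample lines marked "constructed" are not from the poster's logs.

```python
import re

# Apache common/combined format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

def classify(line):
    """Return (host, category, verdict) for one access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, request, status = m.group(1), m.group(2).split(), int(m.group(3))
    method = request[0].upper() if request else ""
    target = request[1].lower() if len(request) > 1 else ""
    served = 200 <= status < 300
    if method == "CONNECT":
        # 2xx on CONNECT means the server opened the tunnel for the client.
        return host, "proxy-connect", "OPEN PROXY" if served else "refused"
    if re.match(r"[a-z][a-z0-9+.-]*://", target):
        # Apache can answer an absolute-URI request with its own local page,
        # so 2xx alone does not prove the request was proxied.
        verdict = "compare body with local page" if served else "refused"
        return host, "proxy-absolute-uri", verdict
    if target.startswith("/default.ida?"):
        return host, "iis-ida-probe", "review" if served else "not served"
    if target.endswith("/fp30reg.dll"):
        return host, "frontpage-probe", "review" if served else "not served"
    return host, "other", "-"

def triage(lines):
    """Classify every parseable line; unparseable lines are skipped."""
    return [r for r in map(classify, lines) if r is not None]

SAMPLE = [
    # From the thread, payload shortened for readability.
    'ac984dde.ipt.aol.com - - [25/Jan/2004:12:58:47 +0100] "GET /default.ida?XXXX%u9090%u6858 HTTP/1.0" 404 1088 "-" "-"',
    # From the thread, verbatim.
    'atenas.srh.uerj.br - - [25/Jan/2004:20:54:51 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 400 1003 "-" "-"',
    '211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"',
    # Constructed: an absolute-URI request answered with 200.
    '192.0.2.10 - - [25/Jan/2004:23:10:00 +0100] "GET http://www.yahoo.com/ HTTP/1.1" 200 2890 "-" "-"',
    # Constructed: what a CONNECT looks like when the server does tunnel it.
    '192.0.2.11 - - [25/Jan/2004:23:11:00 +0100] "CONNECT 198.51.100.5:25 HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for host, category, verdict in triage(SAMPLE):
        print(f"{host:24} {category:20} {verdict}")
```

All three lines taken from the thread come out as refused or not served, which matches the conclusion reached in the message.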
