Security Basics mailing list archives

Re: Strange Web Server Log Entries
From: steve menard <nospam () dranem org>
Date: Fri, 07 Dec 2007 20:57:15 -0400

Don't see mod_proxy

stevem () lap:/home/stevem# sudo apache2 -M
apache2: apr_sockaddr_info_get() failed for lap.local
apache2: Could not reliably determine the server's fully qualified
domain name, using for ServerName
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 php5_module (shared)
 setenvif_module (shared)
 status_module (shared)
Syntax OK

Zapotek wrote:
You probably have mod_proxy enabled by accident.
(You can get a list with the loaded modules using the following:
"$ sudo apache2 -M")

The below link should help you:


steve menard wrote:
I would like to NOTE:
Ubuntu 7.04 AND My Laptop with Ubuntu 7.10
Apache2 my client's untouched Default Apache server on Ubuntu 7.04
replies to ANY REQUEST properly phrased

stevem () lap:~$ nc -vvv 80
server192.local [] 80 (www) open
GET http://www.12.example.com/
  <title>Index of /</title>
<h1>Index of /</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a
href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last
modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a
<tr><td valign="top"><img src="/icons/folder.gif"
align="right">20-Nov-2004 16:16  </td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif"
alt="[DIR]"></td><td><a href="restricted/">restricted/</a></td><td
align="right">02-Oct-2007 23:12  </td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif"
alt="[DIR]"></td><td><a href="squid-reports/">squid-reports/</a></td><td
align="right">07-Dec-2007 07:35  </td><td align="right">  - </td></tr>
<tr><th colspan="5"><hr></th></tr>
<address>Apache/2.2.3 (Ubuntu) PHP/5.2.1 Server at www.12.example.com
Port 80</address>
 sent 32, rcvd 1124
stevem () lap:~$

Zapotek wrote:
Sean Malloy wrote:
Dear List,

What do these entries in my Apache logs mean?

- - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
- - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
- - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260
- - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903
- - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231
- - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
- - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
- - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
- - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0

I am especially confused about the first lines in each set. I
interpret it as "client successfully connected to my webserver and requested
the page http://www.microsoft.com". It looks like someone is trying to
bounce an attack off of my webserver. Should I be worried about these entries?

The server only serves static XHTML and CSS pages.
What's weird is the response codes.
"200 OK" on almost every proxy request, that can't be good.
$ nc -vvv your.server.tld 80
your.server.tld [] 80 (www) open
GET http://www.intel.com/ HTTP/1.1

And check out the response yourself.
If you get a "400 Bad Request" you're probably safe.
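
An added example, not part of the original thread: a Python triage of access-log lines for the proxy-style requests discussed above (absolute-URI targets and CONNECT). The function names are hypothetical and the sample lines are constructed, using documentation client addresses because the archive stripped the real ones.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def proxy_probes(lines):
    """Return parsed entries whose request target is proxy-style:
    an absolute URI (scheme://host/...) or a CONNECT to host:port."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Common Log Format line
        e = m.groupdict()
        if e["method"] == "CONNECT" or "://" in e["target"]:
            e["status"] = int(e["status"])
            e["size"] = 0 if e["size"] == "-" else int(e["size"])
            hits.append(e)
    return hits

def triage(hits):
    """Split probes into rejected (4xx/5xx) and answered (2xx/3xx).
    Answered probes are grouped by body size: the same size for different
    foreign hosts suggests the server returned its own page, so compare
    that size with the site's real front page before assuming proxying."""
    rejected = [e for e in hits if e["status"] >= 400]
    by_size = defaultdict(set)
    for e in hits:
        if e["status"] < 400:
            by_size[e["size"]].add(e["target"])
    return rejected, dict(by_size)

# Constructed sample lines modelled on the entries quoted in the thread;
# the client addresses (192.0.2.0/24) are placeholders.
SAMPLE = [
    '192.0.2.10 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770',
    '192.0.2.10 - - [20/Nov/2007:09:25:40 -0600] "CONNECT www.google.com:443 HTTP/1.0" 405 231',
    '192.0.2.44 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770',
    '192.0.2.7 - - [27/Oct/2007:14:01:02 -0500] "GET /index.html HTTP/1.1" 200 2770',
]

if __name__ == "__main__":
    rejected, by_size = triage(proxy_probes(SAMPLE))
    print("rejected:", [(e["method"], e["target"], e["status"]) for e in rejected])
    print("answered, grouped by size:", by_size)
```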

