Home page logo
/

basics logo Security Basics mailing list archives

Re: Strange Web Server Log Entries
From: Sean Malloy <spinelli85 () gmail com>
Date: Fri, 7 Dec 2007 02:36:18 -0600

On Fri, Dec 07, 2007 at 03:00:01AM -0500, J-Michael Roberts wrote:
They are attepting to locate a proxy - likely for the purposes of 
sending spam.

According to the logs, they successfully retrieved the Microsoft webpage 
via your server - you you might want to close that up.  Fortunately, 
attempts to make ssl connections or to post messages to port 25 (mail) 
failed.

Unless you want to help people cover their tracks and make it look like 
you were visiting places that you were not, you definitely want to turn 
that proxying ability OFF in your apache configuration.

-J


I don't think I have proxying turned on for Apache. Of course I could be
wrong. Here is the proxy section from httpd.conf (They are all
commented and always have been).

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Directory proxy:*>
#    Order deny,allow
#    Deny from all
#    Allow from .your_domain.com
#</Directory>

#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via:
# headers)
# Set to one of: Off | On | Full | Block
#
#ProxyVia On

#
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
#
#CacheRoot "/var/www/proxy"
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache a_domain.com another_domain.edu joes.garage_sale.com

#</IfModule>
# End of proxy directives.

server$ httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c
  mod_keynote.c
  mod_ssl.c
suexec: disabled; invalid wrapper /usr/sbin/suexec

These lines in httpd.conf seem to indicate that the proxy module is not
loaded. (They are commented and always have been.)

# caching proxy
# LoadModule proxy_module       /usr/lib/apache/modules/libproxy.so


Sean Malloy wrote:
Dear List,

What do these entries in my Apache logs mean?

65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET 
http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST 
http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT 
http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260

61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ 
HTTP/1.1" 200 2903
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 
HTTP/1.0" 405 231

222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET 
http://www.intel.com/ HTTP/1.1" 200 2770

222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET 
http://www.intel.com/ HTTP/1.1" 200 2770

219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ 
HTTP/1.1" 200 2770

89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ 
HTTP/1.1" 200 0

I am especially confused about the first lines in each set. I interpret it 
as "client
65.117.101.194 successfully connected to my webserver and requested the 
page
http://www.microsoft.com";. It looks like someone is trying to bounce an
attack off of my webserver. Should I be worried about these entries?

The server only servers static XHTML and CSS pages. 
 

-- 
Sean Malloy
Home Page: www.catgrepsort.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]