Home page logo
/

basics logo Security Basics mailing list archives

Re: Strange Web Server Log Entries
From: "Jason Muskat de VE3TSJ - GCFA, GCUX, CEI, CEH" <Jason () TechDude Ca>
Date: Thu, 6 Dec 2007 20:23:29 -0500

Hello,

Logs are always interesting to review. It does look like the 1st HTTP GET request returned the page requested, and it did; however, your frame of context is incorrect. You should review your server's virtual hosting configuration. I'm sure you will have a default "*" (all) virtual host. The request for http://www.microsoft.com/ will serve your site's root page (/index.html).

The other requests seem to be an attacker checking to see if your server is an open-proxy. The 400 series return (error) codes are a good sign that your server is not.


Regards,

--
Jason Muskat de VE3TSJ | GCFA, GCUX, CEI, CEH
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934

http://TechDude.Ca/



On 6-Dec-07, at 4:24 PM, Sean Malloy wrote:

Dear List,

What do these entries in my Apache logs mean?

65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260

61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903 61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231

222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0

I am especially confused about the first lines in each set. I interpret it as "client 65.117.101.194 successfully connected to my webserver and requested the page http://www.microsoft.com";. It looks like someone is trying to bounce an
attack off of my webserver. Should I be worried about these entries?

The server only servers static XHTML and CSS pages.
--
Sean Malloy
Home Page: www.catgrepsort.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault