Home page logo
/

basics logo Security Basics mailing list archives

Re: Strange Web Server Log Entries
From: "0x90" <secbasics () spam gagspace com>
Date: Fri, 7 Dec 2007 09:17:54 +0100



Just people/bots looking/crawling to find proxies for general/spamming use. As long as you're not an open proxy (which you're not), you shouldn't be worrried. There is not much you can (or should) do about the log entries themselves. If you're feeling generous you can send an email to the owner/providor to bring to their attention that they might be compromised (probably a waste of time for 211.*, 222.* / asian hosts in general, if you ask me :P) - often it will be ignored, at other times they'll say 'thanks, we didn't know'.

Regards,
0x90

----- Original Message ----- From: "Sean Malloy" <spinelli85 () gmail com>
To: <security-basics () securityfocus com>
Sent: Thursday, December 06, 2007 10:24 PM
Subject: Strange Web Server Log Entries


Dear List,

What do these entries in my Apache logs mean?

65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228 65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260

61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903 61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231

222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0

I am especially confused about the first lines in each set. I interpret it as "client 65.117.101.194 successfully connected to my webserver and requested the page
http://www.microsoft.com";. It looks like someone is trying to bounce an
attack off of my webserver. Should I be worried about these entries?

The server only servers static XHTML and CSS pages.
--
Sean Malloy
Home Page: www.catgrepsort.com




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault