Apache access log shows these attack requests
Ian Smith
smithi at nimnet.asn.au
Wed Jun 13 05:10:00 UTC 2007
On Tue, 12 Jun 2007 16:54:47 -0400 "Bob" <bob at a1poweruser.com> wrote:
> Running FBSD 6.2 + apache 1.3. In the apache access log I see these log
> records.
> To me it looks like my apache server is servicing connect requests and get
> requests to other URL's.
> Is there some configuration option I can turn on to stop my server from
> servicing these bogus requests?
>
> 122-124-129-27.dynamic.hinet.net - - [04/May/2007:04:38:18 -0400] "CONNECT
> 220.1
[..]
> 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:39 -0400] "CONNECT
> 220.1
> kaista.fi - - [03/May/2007:01:35:44 -0400] "GET http://pro_xy.t35.com/AZ.php
> HTT
> kaista.fi - - [03/May/2007:01:35:45 -0400] "GET http://pro_xy.t35.com/AZ.php
> H
[..]
> r - - [10/May/2007:09:42:40 -0400] "\x04\x01\x1a\vE\x10\xac\"" 400 - "-" "-"
> r - - [10/May/2007:09:42:50 -0400] "\x05\x01" 200 7036 "-" "-
> 89.196.37.169 - - [15/May/2007:02:50:21 -0400] "GET
> http://www.internetsec.org/a
> 89.196.37.169 - - [15/May/2007:02:50:37 -0400] "\x04\x01" 200 7036 "-" "-"
> 89.196.37.169 - - [15/May/2007:02:50:52 -0400] "\x05\x01" 200 7036 "-" "-"
What Chuck said about disabling|securing mod_proxy and PHP, for sure ..
But in most cases you chopped off the most important information; the
HTTP code indicating apache's response to the request. On those last
two, 200 indicates apache served a page of 7036 bytes. If that's the
served size of your home "/" page then you've little to worry about.
40x responses indicate refusal; page not found, permission denied etc.
Here at least weekly I see such as:
220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"
403 = Permission denied. In this case, because I disallow 'no referrer'
plus 'no browser' ("-" "-") connects from non-local addresses, blocking
heaps of rogue robots, but CONNECT requests don't work anyway in apache
1.3 in default configuration .. older logs show 405 responses to these.
222.141.50.175 - - [21/May/2007:23:46:01 +1000] "GET http://www.baidu.com/ HTTP/1.1" 200 3847 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
In this case, apache served (200 response) *my* home page (3847 bytes)
on all such would-be proxy requests. Not a problem.
> 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:38 -0400] "CONNECT
> 220.1
FWIW, nearly every CONNECT request here for the last 2 years has been
for or from some hinet.net host or other. They're well up in the top 10
spam sources too, so I won't see any mail from *@hinet.net complaining!
Cheers, Ian
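Added example, not part of the original thread: a small Python triage script that applies Ian's reading of the status code and byte count to combined-format access log lines, so the CONNECT, absolute-URL and binary probes above are separated into "refused", "served my own page" and "served something else, look closer". It assumes the home page size is supplied by the operator, treats a leading \x04 or \x05 byte as a SOCKS4/SOCKS5 version byte, and runs over the two complete lines quoted in the reply plus constructed ones.

```python
import re
# Apache "combined" format. The request field may hold backslash-escaped bytes
# (\x05, \") exactly as Apache writes them, so the quoted groups allow escapes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?:[^"\\]|\\.)*" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

def classify_request(request):
    """Name the kind of proxy probe a request line is, or None for a normal request."""
    parts = request.split()
    if len(parts) == 3 and parts[0] == "CONNECT":
        return "connect"          # tunnel attempt, e.g. to someone else's host:25
    if len(parts) == 3 and parts[1].startswith(("http://", "https://")):
        return "absolute-uri"     # "GET http://other.host/..." = forward-proxy request
    if request.startswith((r"\x04", r"\x05")):
        return "socks"            # assumption: first byte 0x04/0x05 = SOCKS4/SOCKS5 hello
    return None

def verdict(status, size, home_page_size):
    """Ian's reading: 4xx = refused; 200 with the home page's byte count = apache
    served your own page, not a proxied one; any other 2xx size deserves a look."""
    if 400 <= status < 500:
        return "refused"
    if 200 <= status < 300:
        return "served-local-page" if size == home_page_size else "served-other-content"
    return "other"

def triage(lines, home_page_size):
    """Return (host, probe kind, verdict) for each proxy-probe line; skip normal hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # malformed or non-combined line
        kind = classify_request(m["request"])
        if kind is None:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None   # "-" means no body
        findings.append((m["host"], kind, verdict(int(m["status"]), size, home_page_size)))
    return findings

# Constructed sample: the two complete lines quoted in the reply plus invented ones.
SAMPLE_LINES = [
    r'220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"',
    r'222.141.50.175 - - [21/May/2007:23:46:01 +1000] "GET http://www.baidu.com/ HTTP/1.1" 200 3847 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"',
    r'r - - [10/May/2007:09:42:40 -0400] "\x04\x01\x1a\vE\x10\xac\"" 400 - "-" "-"',
    r'198.51.100.7 - - [13/Jun/2007:05:00:00 +1000] "CONNECT mail.example.net:25 HTTP/1.0" 200 1320 "-" "-"',
    r'192.0.2.10 - - [13/Jun/2007:05:01:00 +1000] "GET / HTTP/1.1" 200 3847 "-" "Mozilla/5.0"',
]
```

Call `triage(SAMPLE_LINES, home_page_size=3847)` with your own home page's byte count; the only entry worth chasing is the one marked "served-other-content".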