Apache access log shows these attack requests

Bob bob at a1poweruser.com
Wed Jun 13 14:50:21 UTC 2007


On Tue, 12 Jun 2007 16:54:47 -0400 "Bob" <bob at a1poweruser.com> wrote:

> Running FBSD 6.2 + apache 13. In the apache access log I see these log
> records.
> To me it looks like my apache server is servicing connect requests and get
> requests to other URLs.
> Is there some configuration option I can turn on to stop my server from
> servicing these bogus requests?
>
> 122-124-129-27.dynamic.hinet.net - - [04/May/2007:04:38:18 -0400] "CONNECT 220.1
[..]
> 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:39 -0400] "CONNECT 220.1
> kaista.fi - - [03/May/2007:01:35:44 -0400] "GET http://pro_xy.t35.com/AZ.php HTT
> kaista.fi - - [03/May/2007:01:35:45 -0400] "GET http://pro_xy.t35.com/AZ.php H
[..]
> r - - [10/May/2007:09:42:40 -0400] "\x04\x01\x1a\vE\x10\xac\"" 400 - "-" "-"
> r - - [10/May/2007:09:42:50 -0400] "\x05\x01" 200 7036 "-" "-
> 89.196.37.169 - - [15/May/2007:02:50:21 -0400] "GET http://www.internetsec.org/a
> 89.196.37.169 - - [15/May/2007:02:50:37 -0400] "\x04\x01" 200 7036 "-" "-"
> 89.196.37.169 - - [15/May/2007:02:50:52 -0400] "\x05\x01" 200 7036 "-" "-"

What Chuck said about disabling|securing mod_proxy and PHP, for sure ..

But in most cases you chopped off the most important information; the
HTTP code indicating apache's response to the request.  On those last
two, 200 indicates apache served a page of 7036 bytes.  If that's the
served size of your home "/" page then you've little to worry about.

40x responses indicate refusal; page not found, permission denied etc.
Here at least weekly I see such as:

220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"

403 = Permission denied.  In this case, because I disallow 'no referrer'
plus 'no browser' ("-" "-") connects from non-local addresses, blocking
heaps of rogue robots, but CONNECT requests don't work anyway in apache
1.3 in default configuration .. older logs show 405 responses to these.

222.141.50.175 - - [21/May/2007:23:46:01 +1000] "GET http://www.baidu.com/ HTTP/1.1" 200 3847 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

In this case, apache served (200 response) *my* home page (3847 bytes)
on all such would-be proxy requests.  Not a problem.

> 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:38 -0400] "CONNECT 220.1

FWIW, nearly every CONNECT request here for the last 2 years has been
for or from some hinet.net host or other.  They're well up in the top 10
spam sources too, so I won't see any mail from *@hinet.net complaining!

Cheers, Ian

-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Ian Smith
Sent: Wednesday, June 13, 2007 1:09 AM
To: Bob
Cc: freebsd-questions at freebsd.org
Subject: Re: Apache access log shows these attack requests

Sorry about cutting off the end of the record.

> 89.196.37.169 - - [15/May/2007:02:50:37 -0400] "\x04\x01" 200 7036 "-" "-"
> 89.196.37.169 - - [15/May/2007:02:50:52 -0400] "\x05\x01" 200 7036 "-" "-"

You wrote "On these two, 200 indicates apache served a page of 7036 bytes.
If that's the served size of your home "/" page then you've little to worry about."
I checked with the ls -l command and I have no pages 7036 in size. My question
is why is apache servicing a request for "\x04\x01"; this is not a valid
request in the first place.
You wrote "because I disallow 'no referrer' plus 'no browser' ("-" "-") connects
from non-local addresses, blocking heaps of rogue robots".
Could you give me an example of the httpd.config coding you used for this?
These denied requests get logged in the access.log; I would think they
should be logged in the error.log.
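Ian's advice above (read the response code first, then compare a 200's byte count with the served size of "/") and Bob's question about the "\x04\x01" records can both be checked mechanically. The Python below is an added example, not code or configuration from either poster or from the list: it parses the complete log records quoted in the thread, names the kind of probe each one is (a CONNECT tunnel, an absolute-URI forward-proxy GET, or the opening bytes of a SOCKS4/SOCKS5 handshake, which is what "\x04\x01" and "\x05\x01" are), and applies Ian's size check; home_page_size is an assumed value for the served size of "/" and the 192.168.1.20 line is constructed.

```python
import re
CLF = re.compile(  # Common Log Format; the quoted request may hold Apache's \" and \xNN escapes
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}|-) (?P<size>\d+|-)')

SAMPLE_LOG = [  # four complete records quoted in the thread, plus one constructed local hit
    r'220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"',
    r'222.141.50.175 - - [21/May/2007:23:46:01 +1000] "GET http://www.baidu.com/ HTTP/1.1" 200 3847 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"',
    r'89.196.37.169 - - [15/May/2007:02:50:37 -0400] "\x04\x01" 200 7036 "-" "-"',
    r'r - - [10/May/2007:09:42:40 -0400] "\x04\x01\x1a\vE\x10\xac\"" 400 - "-" "-"',
    r'192.168.1.20 - - [12/Jun/2007:09:00:00 -0400] "GET /index.html HTTP/1.1" 200 3847 "-" "Mozilla/5.0"',  # constructed
]

def parse(line):
    """Return (host, decoded request, status, size) for a CLF line, or None if it is not CLF."""
    m = CLF.match(line)
    if m is None:
        return None
    request = m["request"].encode("latin-1").decode("unicode_escape")  # "\x04\x01" -> bytes 04 01
    status = None if m["status"] == "-" else int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    return m["host"], request, status, size

def classify(request):
    """Name what the client asked for; anything other than 'normal' is a proxy or scanner probe."""
    if request[:2] in ("\x04\x01", "\x05\x01"):
        return "socks-probe"        # SOCKS4 CONNECT / SOCKS5 greeting bytes, not HTTP at all
    if request.startswith("CONNECT "):
        return "connect-tunnel"     # asks Apache to tunnel to host:port (port 25 = mail relay)
    if re.match(r"[A-Z]+ https?://", request):
        return "absolute-uri"       # forward-proxy style request for some other site
    return "normal" if re.match(r"[A-Z]+ /\S* HTTP/", request) else "garbage"

def outcome(status, size, home_page_size):
    """Ian's check: did Apache refuse, hand back its own home page, or serve something else?"""
    if status is None or status >= 400:
        return "refused"
    if status == 200 and size == home_page_size:
        return "served-home-page"   # same size as "/": the default page, not a relayed response
    return "served-other"           # unexplained 200: check whether mod_proxy did real work

def triage(lines, home_page_size):
    """(host, kind, outcome) for every probe in the log; 'served-other' rows deserve a closer look."""
    rows = []
    for host, request, status, size in filter(None, map(parse, lines)):
        kind = classify(request)
        if kind != "normal":
            rows.append((host, kind, outcome(status, size, home_page_size)))
    return rows
```

With home_page_size set to 3847 (the size Ian reports for his "/"), the baidu.com request is classified as the home page being served, while the "\x04\x01" request answered with 7036 bytes comes out as "served-other", which is exactly the record Bob could not match to any file.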