At 10:08 2001-10-09 +1000, brendan hack wrote: >Hi All, > > I found a strange entry hidden among all the IIS exploit attempts > in my apache access log today: > >61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] "GET >http://61.177.66.228:8283/ HTTP/1.0" 200 756 > > Does anyone know if this is some sort of attack attempt? It > doesn't seem to make any sense as a log entry as there is no leading '/' > on the url portion and there is no corresponding error log entry saying > that the file 'http://61.177.66.228:8283/' couldn't be found. I also find > the fact that the client IP and the url are the same suspicious. I tried > retrieving the same file myself using mozilla > (http://webserver/http://61.177.66.228:8283/) and it created a similar > access entry but with a '/' at the start of the url and there was an > error log entry generated. There was a peak in traffic from the server > the day after this log entry which instigated the check. Any suggestions > will be appreciated.
This may be an attack, or a scan for open HTTP proxies. The log line it self is a request for your server to act as a proxy, connecting to the URL shown in the logs. Apache will ignore the 'protocol://host:port' portion of the URL if it is not set up to do proxing. >just being paranoid Paranoid is good. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
