Thanks to Bill and James for your responses. It was a proxy attempt. I
set up my mozilla to use the apache server as a proxy and got the same
log entries. Luckily though, apache simply returned web pages from the
local web site instead of proxying them since the ProxyRequests
directive was not on. I've now removed the proxy modules as well, just
to be sure (I said I was paranoid).
thanks,
brendan
William R. Ward wrote:
brendan hack writes:
Hi All,
I found a strange entry hidden among all the IIS exploit attempts in my
apache access log today:
61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] "GET
http://61.177.66.228:8283/ HTTP/1.0" 200 756
Does anyone know if this is some sort of attack attempt? It doesn't seem
to make any sense as a log entry as there is no leading '/' on the url
portion and there is no corresponding error log entry saying that the
file 'http://61.177.66.228:8283/' couldn't be found. I also find the
fact that the client IP and the url are the same suspicious. I tried
retrieving the same file myself using mozilla
(http://webserver/http://61.177.66.228:8283/) and it created a similar
access entry but with a '/' at the start of the url and there was an
error log entry generated. There was a peak in traffic from the server
the day after this log entry which instigated the check. Any suggestions
will be appreciated.
Someone's trying to use you as a proxy. That's what proxy HTTP
requests look like.
The "200" code suggests that they succeeded. Add something like this
to your httpd.conf to block these. (Delete the "allow" part if you
don't want proxying at all; if you do, change the IP addresses to
whatever is appropriate for your system.)
<Directory proxy:*>
order deny,allow
deny from all
allow from 192.168.0.0/255.255.0.0
</Directory>
HTH.
--Bill.
--
http://www.bendys.com
[EMAIL PROTECTED]
Real coders celebrate Christmas at Halloween.
