[NTLUG:Discuss] Strange Apache log entries
JR Newsletters
jrnewsletters at jcrcomputing.com
Sat Jan 1 00:52:19 CST 2005
asenec at senechalle.net wrote:
>Since early this morning, I'm seeing *tons* of entries like this
>in my access log:
>
>80.58.21.172 - - [31/Dec/2004:03:19:35 -0600] "GET /header.pl HTTP/1.1" 200 618 www.postage-paid.com "http://www.postage-paid.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" 18961
>80.58.21.172 - - [31/Dec/2004:03:19:35 -0600] "GET /menu.pl HTTP/1.1" 200 614 www.postage-paid.com "http://www.postage-paid.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" 18960
>80.58.21.172 - - [31/Dec/2004:03:19:36 -0600] "GET /info.pl HTTP/1.1" 200 2064 www.postage-paid.com "http://www.postage-paid.com/"
>
I believe this is someone trying to get to another website via your
apache server. You might try testing this command through a telnet host
80 command to see what really gets served. If you are running close to
default, I believe the attempt to pull www.postage-paid.com webpage is
actually pulling your home page (unless you have the option turned on in
httpd.conf that allows apache to forward the request to that site).
>85.97.98.142 - - [31/Dec/2004:03:20:08 -0600] "GET sha1:k5KzwXPEYA0s5rxGajvGkoicLqg= http/1.1" 400 226 postage-paid.com "-" "W\xd0\xb0rez 2.5.0.2955" "-" 29434
>
The Error 400 says that this was a bad request for your server to fulfill.
At any rate, make certain you have the option turned off in httpd.conf
that would allow apache to forward the request for somebody else's page
via your apache server, and do test with the telnet command above that
when the code 200, which is serving a webpage for those requests, that
your page is being served instead of the other website's page being
served. Otherwise if your apache server really is forwarding the
requests, this means that somebody can do malicious things to a web site
through your web site, making it appear that you are doing the
malicious things.
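
An added example, not part of the original message or written by either poster: a small triage script that reads access-log lines in the field order seen in the quoted entries and separates requests for a foreign Host that were answered (the ones worth checking by hand as described above) from those the server rejected. The field order, LOCAL_HOSTS and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed field order, inferred from the quoted lines:
# ip ident user [time] "request" status bytes Host-header "referer" "agent" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ (?P<host>\S+)'
)

# Hypothetical: the names this server really hosts.
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Constructed sample lines modelled on the quoted log (documentation addresses).
SAMPLE = [
    '192.0.2.10 - - [31/Dec/2004:03:19:35 -0600] "GET /header.pl HTTP/1.1" 200 618 www.other-site.example "http://www.other-site.example/" "Mozilla/4.0" "-" 18961',
    '192.0.2.10 - - [31/Dec/2004:03:19:35 -0600] "GET /menu.pl HTTP/1.1" 200 614 www.other-site.example "http://www.other-site.example/" "Mozilla/4.0" "-" 18960',
    '198.51.100.7 - - [31/Dec/2004:03:20:08 -0600] "GET sha1:AAAA= http/1.1" 400 226 other-site.example "-" "x" "-" 29434',
    '203.0.113.5 - - [31/Dec/2004:03:21:00 -0600] "GET /index.html HTTP/1.1" 200 1024 www.example.org "-" "Mozilla/4.0" "-" 100',
]

def classify(line, local_hosts=LOCAL_HOSTS):
    """Return (ip, host, status, verdict), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = m["request"].split()
    target = parts[1] if len(parts) >= 2 else ""
    host = m["host"].lower().split(":")[0]           # drop any :port
    status = int(m["status"])
    foreign = host != "-" and host not in local_hosts
    odd_target = not target.startswith("/") and target != "*"
    if (foreign or odd_target) and status < 400:
        verdict = "served-check-body"                # answered: confirm what was sent
    elif foreign or odd_target:
        verdict = "rejected"                         # 4xx/5xx: server refused it
    else:
        verdict = "normal"
    return m["ip"], host, status, verdict

def summarize(lines):
    """Count non-normal requests per (client ip, requested host, verdict)."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result and result[3] != "normal":
            counts[(result[0], result[1], result[3])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

A served-check-body row does not by itself mean the server forwarded anything; it marks the requests whose response body should be confirmed with the manual test. In Apache's mod_proxy the forwarding behaviour is controlled by the ProxyRequests directive, which defaults to Off.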