[NTLUG:Discuss] Strange Apache log entries

JR Newsletters jrnewsletters at jcrcomputing.com
Sat Jan 1 00:52:19 CST 2005


asenec at senechalle.net wrote:

>Since early this morning, I'm seeing *tons* of entries like this
>in my access log:
>
>80.58.21.172 - - [31/Dec/2004:03:19:35 -0600] "GET /header.pl HTTP/1.1" 200 618 www.postage-paid.com "http://www.postage-paid.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" 18961
>80.58.21.172 - - [31/Dec/2004:03:19:35 -0600] "GET /menu.pl HTTP/1.1" 200 614 www.postage-paid.com "http://www.postage-paid.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" 18960
>80.58.21.172 - - [31/Dec/2004:03:19:36 -0600] "GET /info.pl HTTP/1.1" 200 2064 www.postage-paid.com "http://www.postage-paid.com/"
>
I believe this is someone trying to get to another website via your 
apache server.  You might try testing this command through a telnet host 
80 command to see what really gets served.  If you are running close to 
default, I believe the attempt to pull www.postage-paid.com webpage is 
actually pulling your home page (unless you have the option turned on in 
httpd.conf that allows apache to forward the request to that site).

>85.97.98.142 - - [31/Dec/2004:03:20:08 -0600] "GET sha1:k5KzwXPEYA0s5rxGajvGkoicLqg= http/1.1" 400 226 postage-paid.com "-" "W\xd0\xb0rez 2.5.0.2955" "-" 29434
>
The Error 400 says that this was a bad request for your server to fulfill.

At any rate, make certain you have the option turned off in httpd.conf 
that would allow apache to forward the request for somebody else's page 
via your apache server, and do test with the telnet command above that 
when the code 200, which is serving a webpage for those requests, that 
your page is being served instead of the other website's page being 
served.  Otherwise if your apache server really is forwarding the 
requests, this means that somebody can do malicious things to a web site 
via your web site, making it appear that you are doing the 
malicious things.
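
A log triage sketch for the check described above, added here as an example and not part of the original message: it groups access-log lines by whether the requested host is one the server actually hosts. It assumes the unquoted field after the byte count is the requested host name, and uses www.example.org as a stand-in for the server's own site.

```python
import re

# Assumption: the unquoted field after the byte count is the requested host
# name, as in the custom log format quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ (?P<host>\S+)'
)

def triage(lines, own_hosts):
    """Group log lines by whether the requested host is one we serve."""
    own = {h.lower() for h in own_hosts}
    result = {"own-host": [], "foreign-served": [],
              "foreign-rejected": [], "unparsed": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            result["unparsed"].append(line)
            continue
        host = m["host"].lower().split(":")[0]   # drop an optional :port
        entry = (m["ip"], host, m["request"], int(m["status"]))
        if host in own:
            result["own-host"].append(entry)
        elif 200 <= entry[3] < 400:
            # Answered normally: compare the body with your own home page.
            result["foreign-served"].append(entry)
        else:
            result["foreign-rejected"].append(entry)
    return result

# Lines 1-3 are copied from the post (the second is cut off there, which the
# prefix match tolerates); line 4 is constructed, with www.example.org
# standing in for the server's own site.
SAMPLE = [
    r'80.58.21.172 - - [31/Dec/2004:03:19:35 -0600] "GET /header.pl HTTP/1.1" 200 618 www.postage-paid.com "http://www.postage-paid.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" 18961',
    r'80.58.21.172 - - [31/Dec/2004:03:19:36 -0600] "GET /info.pl HTTP/1.1" 200 2064 www.postage-paid.com "http://www.postage-paid.com/"',
    r'85.97.98.142 - - [31/Dec/2004:03:20:08 -0600] "GET sha1:k5KzwXPEYA0s5rxGajvGkoicLqg= http/1.1" 400 226 postage-paid.com "-" "W\xd0\xb0rez 2.5.0.2955" "-" 29434',
    r'192.0.2.10 - - [31/Dec/2004:03:21:00 -0600] "GET /index.html HTTP/1.1" 200 1024 www.example.org "-" "Mozilla/4.0" "-" 100',
]

if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE, {"www.example.org"}).items():
        print(verdict, len(entries))
```

A "foreign-served" entry does not prove the request was forwarded; it only marks the requests whose response body needs the manual comparison described in the message. In Apache's mod_proxy, forward proxying is controlled by the ProxyRequests directive.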




