[NTLUG:Discuss] Strange Apache log entries
asenec@senechalle.net
Sat Jan 1 20:11:43 CST 2005
By 'forward the request to that site', do you mean proxying?
I'm still getting a large number of those---analog shows:
reqs: %bytes: last time: file
----: ------: ---------------: ----
193: 1.12%: 31/Dec/04 09:28: GET sha1:nG+YqMW8FbfXYAYASfpxx3SRbj0= http/1.1
125: 3.58%: 31/Dec/04 22:29: GET / HTTP/1.0
91: 0.62%: 31/Dec/04 22:29: GET /robots.txt HTTP/1.0
82: 2.28%: 31/Dec/04 20:32: GET / HTTP/1.1
62: 0.36%: 31/Dec/04 15:43: GET sha1:W5qX5013DwX+S9QhPAT+FGk2KeQ= http/1.1
55: 1.58%: 31/Dec/04 22:29: GET /faq.pl
Annette
>
> asenec at senechalle.net wrote:
>
> >Since early this morning, I'm seeing *tons* of entries like this
> >in my access log:
> >
> >80.58.21.172 - - [31/Dec/2004:03:19:35 -0600] "GET /header.pl HTTP/1.1" 200 618 www.postage-paid.com "http://www.postage-paid.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" 18961
> >80.58.21.172 - - [31/Dec/2004:03:19:35 -0600] "GET /menu.pl HTTP/1.1" 200 614 www.postage-paid.com "http://www.postage-paid.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" 18960
> >80.58.21.172 - - [31/Dec/2004:03:19:36 -0600] "GET /info.pl HTTP/1.1" 200 2064 www.postage-paid.com "http://www.postage-paid.com/"
> >
> I believe this is someone trying to get to another website via your
> apache server. You might try testing this command through a telnet host
> 80 command to see what really gets served. If you are running close to
> default, I believe the attempt to pull www.postage-paid.com webpage is
> actually pulling your home page (unless you have the option turned on in
> httpd.conf that allows apache to forward the request to that site).
>
> >85.97.98.142 - - [31/Dec/2004:03:20:08 -0600] "GET sha1:k5KzwXPEYA0s5rxGajvGkoicLqg= http/1.1" 400 226 postage-paid.com "-" "W\xd0\xb0rez 2.5.0.2955" "-" 29434
> >
> The Error 400 says that this was a bad request for your server to fulfill.
>
> At any rate, make certain you have the option turned off in httpd.conf
> that would allow apache to forward the request for somebody else's page
> via your apache server, and do test with the telnet command above that
> when the code 200, which is serving a webpage for those requests, that
> your page is being served instead of the other website's page being
> served. Otherwise if your apache server really is forwarding the
> requests, this means that somebody can do malicious things to a web site
> via your web site making it appear that you are doing the
> malicious things.
>
>
>
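As an added example, not part of the thread: a Python triage script for the access-log layout quoted above. It parses each line, recovers the raw bytes Apache escaped as `\xHH` in the User-Agent, and flags the three things the reply is concerned with: a request target that is an absolute URI (a genuine proxy request), a Host header for a site this server does not host (which a non-proxying Apache answers from its default virtual host, so a 200 there is the case worth verifying by hand), and a request target that is neither a path nor a URI (the `sha1:` lines that got 400). The served host names in `OUR_HOSTS` are hypothetical, and the log format regex assumes the columns visible in the quoted lines.

```python
import re
from collections import Counter

# Assumed layout of the quoted CustomLog:
# '%h %l %u %t "%r" %>s %b %{Host}i "%{Referer}i" "%{User-Agent}i" "-" %P'
# The trailing two fields are not needed for triage, so the regex is not anchored at the end.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<host>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<agent>[^"]*)"'
)

# Host names this server is supposed to answer for (hypothetical values).
OUR_HOSTS = {"www.example.org", "example.org"}

# Constructed sample: lines quoted in the original post plus one ordinary request for contrast.
SAMPLE_LOG = r"""
80.58.21.172 - - [31/Dec/2004:03:19:35 -0600] "GET /header.pl HTTP/1.1" 200 618 www.postage-paid.com "http://www.postage-paid.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" 18961
80.58.21.172 - - [31/Dec/2004:03:19:35 -0600] "GET /menu.pl HTTP/1.1" 200 614 www.postage-paid.com "http://www.postage-paid.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" 18960
85.97.98.142 - - [31/Dec/2004:03:20:08 -0600] "GET sha1:k5KzwXPEYA0s5rxGajvGkoicLqg= http/1.1" 400 226 postage-paid.com "-" "W\xd0\xb0rez 2.5.0.2955" "-" 29434
192.0.2.10 - - [31/Dec/2004:03:21:00 -0600] "GET /faq.pl HTTP/1.1" 200 1234 www.example.org "-" "Mozilla/5.0" "-" 18962
"""


def unescape_apache(field: str) -> bytes:
    """Turn Apache's \\xHH log escapes (used for non-printable bytes) back into raw bytes."""
    restored = re.sub(r"\\x([0-9a-fA-F]{2})",
                      lambda m: chr(int(m.group(1), 16)), field)
    return restored.encode("latin-1")


def classify(line: str):
    """Parse one log line; return (record dict or None, list of human-readable flags)."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparseable line"]
    rec = m.groupdict()
    flags = []

    parts = rec["request"].split()
    target = parts[1] if len(parts) >= 2 else ""
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        # "GET http://other.site/ HTTP/1.1": the client is asking us to proxy.
        flags.append("absolute-URI request target (proxy attempt)")
    elif target and not target.startswith("/") and target != "*":
        # Neither a path nor a URI, e.g. the "sha1:..." targets that drew a 400.
        flags.append("malformed request target")

    if rec["host"].lower() not in OUR_HOSTS:
        # A 200 here means the default vhost answered for a name we do not serve.
        flags.append("foreign Host header: " + rec["host"])

    agent = unescape_apache(rec["agent"])
    if any(b > 0x7E for b in agent):
        flags.append("non-ASCII bytes in User-Agent: " + agent.decode("utf-8", "replace"))
    return rec, flags


def triage(log_text: str):
    """Return (flagged entries, flag-type counts) for a whole log."""
    flagged = []
    counts = Counter()
    for line in log_text.strip().splitlines():
        rec, flags = classify(line)
        if flags:
            client = rec["client"] if rec else "?"
            status = rec["status"] if rec else "?"
            flagged.append((client, status, flags))
            counts.update(f.split(":")[0] for f in flags)
    return flagged, counts


if __name__ == "__main__":
    entries, summary = triage(SAMPLE_LOG)
    for client, status, flags in entries:
        print(client, status, "; ".join(flags))
    print(dict(summary))
```

None of the quoted lines carries an absolute-URI target, which matches the reply's reading: these clients sent a foreign Host header and the default virtual host answered with the local home page, so the 200s are not evidence of proxying. The decisive check is still the one the reply suggests, a manual request against port 80, together with confirming that `ProxyRequests` is not turned on in httpd.conf if mod_proxy is loaded.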