Weird entry in Apache access log

Post by ExtremeServ Linux Tea » Mon, 21 Oct 2002 18:55:18



In the access log for my Apache 1.3.27 server I saw this:

212.74.101.21 - - [20/Oct/2002:05:24:45 +1300] "CONNECT 212.74.101.21:7325 HTTP/1.0" 200 859

Anyone know what that is? Should I be worried?

 
 
 


Post by Joachim Rin » Thu, 24 Oct 2002 03:27:16


> In the access log for my Apache 1.3.27 server I saw this:

> 212.74.101.21 - - [20/Oct/2002:05:24:45 +1300] "CONNECT 212.74.101.21:7325 HTTP/1.0" 200 859

> Anyone know what that is? Should I be worried?

a successful proxy connect request to 212.74.101.21 port 7325 - whether
you should be worried depends on the fact whether you are running your
apache as a proxy and whether you intended it to be an effective
anonymizer for all kinds of tcp traffic which seems to originate from
your server for any victims...

if it's really supposed to be a forward proxy, you might think about
AllowConnect Off but this will also break https access for the users...

joachim

 
 
 


Post by ExtremeServ Linux Tea » Thu, 24 Oct 2002 09:44:58



> > In the access log for my Apache 1.3.27 server I saw this:

> > 212.74.101.21 - - [20/Oct/2002:05:24:45 +1300] "CONNECT 212.74.101.21:7325 HTTP/1.0" 200 859

> > Anyone know what that is? Should I be worried?

> a successful proxy connect request to 212.74.101.21 port 7325 - whether
> you should be worried depends on the fact whether you are running your
> apache as a proxy and whether you intended it to be an effective
> anonymizer for all kinds of tcp traffic which seems to originate from
> your server for any victims...

> if it's really supposed to be a forward proxy, you might think about
> AllowConnect Off but this will also break https access for the users...

> joachim

My Apache isn't supposed to be a proxy, just an HTTP server.
Though mod_proxy seemed to be enabled, just disabled it.
 
 
 

1. Weird entries in Apache logs

Hi Everyone!

I noticed this morning on one of the webservers here weird entries in the
log... which make me think somebody hacked Apache somehow and is using it for
something...

A "normal" httpd log file would look like this, right?

hostf35.somebody.net - - [19/Jul/2001:03:31:24 -0400] "GET /img3lt.jpg HTTP/1.1" 304 -
hostf35.somebody.net - - [19/Jul/2001:03:31:25 -0400] "GET /img4lt.jpg HTTP/1.1" 304 -
hostf35.somebody.net - - [19/Jul/2001:03:31:25 -0400] "GET /img5lt.jpg HTTP/1.1" 304 -
hostf35.somebody.net - - [19/Jul/2001:03:31:26 -0400] "GET /transparent.gif HTTP/1.1" 304 -
hostf35.somebody.net - - [19/Jul/2001:03:31:26 -0400] "GET /graphics/career2.jpg HTTP/1.1" 304 -
hostf35.somebody.net - - [19/Jul/2001:03:31:27 -0400] "GET /graphics/contact2.jpg HTTP/1.1" 304 -
hostf35.somebody.net - - [19/Jul/2001:03:31:27 -0400] "GET /graphics/career1.jpg HTTP/1.1" 304 -
hostf35.somebody.net - - [19/Jul/2001:03:31:28 -0400] "GET /graphics/contact1.jpg HTTP/1.1" 304 -
hostf35.somebody.net - - [19/Jul/2001:03:31:28 -0400] "GET /graphics/superioringles.jpg HTTP/1.1" 304 -
hostf35.somebody.net - - [19/Jul/2001:03:31:28 -0400] "GET /tptile.jpg HTTP/1.1" 304 -

But... what if a part of the logs says...

211.90.145.96 - - [19/Jul/2001:03:31:33 -0400] "GET http://www.clickxchange.com/ft.phtml?act=379640.1194 HTTP/1.0" 200 807
211.90.145.96 - - [19/Jul/2001:03:37:21 -0400] "GET http://www.clickxchange.com/ft.phtml?act=379640.1315 HTTP/1.0" 200 807
211.90.145.96 - - [19/Jul/2001:03:38:03 -0400] "GET http://www.clickxchange.com/ft.phtml?act=379640.1296 HTTP/1.0" 200 807
211.90.145.96 - - [19/Jul/2001:03:39:25 -0400] "GET http://www.clickxchange.com/fd.phtml?act=379703.469 HTTP/1.0" 302 0
210.208.204.42 - - [19/Jul/2001:03:54:04 -0400] "GET http://www.clickxchange.com/fd.phtml?act=361628.1633 HTTP/1.0" 302 0
210.208.204.42 - - [19/Jul/2001:03:54:04 -0400] "GET http://server3001.freeyellow.com/sandbinfo/nd3.gif HTTP/1.0" 403 9512
210.208.204.42 - - [19/Jul/2001:03:59:53 -0400] "GET http://service.bfast.com/bfast/serve bfmid=253985&bfsiteid=38424446&bfpage=search HTTP/1.0" 200 43
210.208.204.42 - - [19/Jul/2001:04:01:37 -0400] "GET http://service.bfast.com/bfast/serve?bfmid=20810152&siteid=38481113&b...

Can somebody explain to me what this is and how it could be done? To me, it
looks like somebody is using Apache as his own web server... or... since these
links are mostly only to get cash... maybe he's generating traffic for
himself...

Thanks for your help.
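
A log check for the two request shapes seen in this thread, as an added example that is not part of the original posts: it flags CONNECT requests and GET requests whose target is an absolute URI naming another host, and reports whether the server answered (2xx/3xx) or refused them. The function names, the `own_hosts` parameter and the two 198.51.100.x sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Sample input: entries quoted in this thread, plus two constructed lines
# (198.51.100.x) added to exercise the own-host and refused-CONNECT cases.
SAMPLE_LOG = """\
212.74.101.21 - - [20/Oct/2002:05:24:45 +1300] "CONNECT 212.74.101.21:7325 HTTP/1.0" 200 859
hostf35.somebody.net - - [19/Jul/2001:03:31:24 -0400] "GET /img3lt.jpg HTTP/1.1" 304 -
211.90.145.96 - - [19/Jul/2001:03:31:33 -0400] "GET http://www.clickxchange.com/ft.phtml?act=379640.1194 HTTP/1.0" 200 807
210.208.204.42 - - [19/Jul/2001:03:54:04 -0400] "GET http://server3001.freeyellow.com/sandbinfo/nd3.gif HTTP/1.0" 403 9512
198.51.100.7 - - [19/Jul/2001:04:10:00 -0400] "GET http://www.example.org/index.html HTTP/1.1" 200 1200
198.51.100.9 - - [19/Jul/2001:04:11:00 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 405 300
"""

# Common log format: client, identd, user, [time], "request", status, size
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line, own_hosts):
    """Return (client, kind, target, verdict) for a proxy-style request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        kind = "connect"            # tunnel request: target is host:port
    elif "://" in target:
        host = (urlsplit(target).hostname or "").lower()
        if host in own_hosts:
            return None             # absolute URI naming this server is ordinary
        kind = "foreign-uri"        # request line names someone else's site
    else:
        return None                 # normal origin-form request such as /img3lt.jpg
    verdict = "answered" if 200 <= status < 400 else "refused"
    return (m["client"], kind, target, verdict)

def scan(text, own_hosts=frozenset()):
    """Classify every line and keep only the proxy-style hits."""
    return [hit for hit in (classify(l, own_hosts) for l in text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, own_hosts={"www.example.org"}):
        print(*hit, sep="  ")
```

An "answered" verdict marks an entry to check against the server's mod_proxy configuration; the status code alone does not show what content was returned.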
