I'm running apache on FC6. I've got the following log entry:
218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
What does it mean? How can an http client issue a "GET" to a server for a file that is on some other server? What are the response codes "404 293"? I figure 404 is not found, but what is 293?

--
% Randy Yates % "I met someone who looks alot like you,
%% Fuquay-Varina, NC % she does the things you do,
%%% 919-577-9882 % but she is an IBM."
%%%% % 'Yours Truly, 2095', *Time*, ELO
http://home.earthlink.net/~yatescr

Replies to the message from Randy Yates (yates@ieee.org)

> I'm running apache on FC6. I've got the following log entry:
> 218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> What does it mean? How can an http client issue a "GET" to a server
> for a file that is on some other server?
It might attempt to use your server as a proxy.
> What are the response codes "404 293"? I figure 404 is not
> found, but what is 293?
Most likely the number of bytes used to tell the client that the attempt didn't work.
The format of Apache log files is configurable, but your line looks like the default configuration for the access log.
Greetings,
Jacob

--
»By becoming continuous, war has fundamentally changed its character. In past ages, a war, almost by definition, was something that sooner or later came to an end, usually in unmistakable victory or defeat.« -- Nineteen Eighty-Four, George Orwell
»I don't think you can win [the war on terror].« -- George W. Bush

> Randy Yates writes:
>> I'm running apache on FC6. I've got the following log entry:
>> 218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>> What does it mean? How can an http client issue a "GET" to a server
>> for a file that is on some other server?
> It might attempt to use your server as a proxy.
>> What are the response codes "404 293"? I figure 404 is not
>> found, but what is 293?
> Most likely the number of bytes used to tell the client that the
> attempt didn't work.
> The format of Apache log files is configurable, but your line looks
> like the default configuration for the access log.
> Greetings,
> Jacob
Thanks for the info, Jacob.
So I take it that this is a type of attack? The idea is that, if proxy serving is enabled, someone could have my server execute, e.g., their PHP code? Blah!
So in order to prevent this type of attack, I should leave proxy serving disabled by leaving the following lines in httpd.conf commented out:
    # Proxy Server directives. Uncomment the following lines to
    # enable the proxy server:
    #
    #
    #ProxyRequests On
    #
    #
    #    Order deny,allow
    #    Deny from all
    #    Allow from .example.com
    #
?
Thanks again for the info.

--
% Randy Yates % "My Shangri-la has gone away, fading like
%% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
%%% 919-577-9882 %
%%%% % 'Shangri-La', *A New World Record*, ELO
http://home.earthlink.net/~yatescr

Randy Yates wrote:
> I'm running apache on FC6. I've got the following log entry:
> 218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> What does it mean? How can an http client issue a "GET" to a server
> for a file that is on some other server? What are the response
> codes "404 293"? I figure 404 is not found, but what is 293?
That is a proxy request (i.e. somebody is trying to use your web server as a proxy).
293 is the size of the response your server sent to the client most likely (in bytes).
"Randy Yates" wrote in message news:m3wsw4961y.fsf@ieee.org... > Jacob Sparre Andersen writes: >> Randy Yates writes: >>>> I'm running apache on FC6. I've got the following log entry: >>>>> 218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET >>> http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 >>> "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE >>> 6.0; Windows NT 5.1)" >>>>> What does it mean? How can an http client issue a "GET" to a server >>> for a file that is on some other server? >>> It might attempt to use your server as a proxy. >>>> What what are the response codes "404 293"? I figure 404 is not >>> found, but what is 293? >>> Most likely the number of bytes used to tell the client that the >> attempt didn't work. >>> The format of Apache log files is configurable, but your line looks >> like the default configuration for the access log. >>> Greetings, >>> Jacob > Thanks for the info, Jacob. > So I take it that this is a type of attack? The idea is that, > if proxy serving is enabled, someone could have my server > execute, e.g., their PHP code? Blah! > So in order to prevent this type of attack, I should > leave proxy serving disabled by leaving the following > lines in httpd.conf commented out: > # Proxy Server directives. Uncomment the following lines to > # enable the proxy server: > # > # > #ProxyRequests On > # > # > # Order deny,allow > # Deny from all > # Allow from .example.com > # > ? > Thanks again for the info. > -- > % Randy Yates % "My Shangri-la has gone away, fading > like > %% Fuquay-Varina, NC % the Beatles on 'Hey Jude'" > %%% 919-577-9882 % > %%%% % 'Shangri-La', *A New World Record*, ELO > http://home.earthlink.net/~yatescr
I would suggest you address that question in alt.apache.configuration
If you have mod proxy loaded, it is better to have a 'deny all' line in there, rather than commenting it out.
This is a very normal type of hack attempt. If you returned a 'forbidden' then your system is working properly, do not change anything. It is normal to get a few hundred of these a day, maybe more if somebody has added your IP address to a list of open proxies. If you do end up with an open proxy server, someone will very quickly use it to launch spam, which will be traced back to you.
Stuart
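
An added example, not part of the original thread: a small Python checker that picks proxy-style requests like the one above out of an Apache combined-format access log and reports whether the server refused them. The `LOCAL_HOSTS` names and the second and third sample lines are constructed assumptions; the first sample line is the one quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE = re.compile(r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)')

# Assumption: the names this server really serves (its ServerName/ServerAlias).
LOCAL_HOSTS = {"www.example.org", "example.org"}

def classify(line, local_hosts=LOCAL_HOSTS):
    """Return a dict for a proxy-style request, or None for an ordinary one."""
    m = LINE.match(line)
    parts = m.group("request").split() if m else []
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                 # authority-form: host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:                   # absolute-form: scheme://host/path
        try:
            host = urlsplit(target).hostname or ""
        except ValueError:                  # malformed authority, still proxy-style
            host = ""
    else:                                   # origin-form "/path": normal request
        return None
    if host.lower() in local_hosts:         # absolute-form naming us is legal HTTP/1.1
        return None
    status, size = int(m.group("status")), m.group("size")
    # 4xx/5xx: the server refused. Anything else needs a look: it may be relayed
    # content, or just a local page served for the path part of the URL.
    verdict = "refused" if status >= 400 else "investigate"
    return {"client": m.group("client"), "method": method, "host": host.lower(),
            "status": status, "bytes": 0 if size == "-" else int(size),
            "verdict": verdict}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

SAMPLE = [
    # First entry is the line from the thread; the other two are constructed.
    '218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [08/Aug/2007:13:31:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Aug/2007:13:32:00 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

An "investigate" verdict is a prompt to compare the response with what the foreign host actually serves, not proof of an open proxy.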
Vulnerabilite.com cannot be held responsible for statements made in the newsgroup comp.os.linux.security