* [gentoo-user] Security problem? - Apache access.log has: CONNECT ... 200
From: Joseph @ 2005-11-26 22:56 UTC
To: gentoo
I have just noticed that my Apache2 access.log has a few entries:

220.189.234.182 - - [27/Sep/2005:03:21:59 -0600] "CONNECT 202.165.103.38:80 HTTP/1.1" 200 17505
61.232.83.75 - - [09/Oct/2005:04:33:26 -0600] "CONNECT 66.135.208.90:80 HTTP/1.1" 200 25952
59.40.34.187 - - [09/Oct/2005:19:05:40 -0600] "CONNECT 210.59.228.72:25 HTTP/1.1" 200 17368
66.219.100.118 - - [18/Oct/2005:02:04:00 -0600] "CONNECT mx2.ToughGuy.net:25 HTTP/1.0" 200 30192
213.180.210.35 - - [26/Nov/2005:12:09:14 -0700] "CONNECT 213.180.193.1:25 HTTP/1.0" 200 16916

These IPs are mostly from Russian or Chinese hackers.
My proxy is not enabled in /etc/conf.d/apache2
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PHP4"

Does anybody have similar entries? According to the Apache explanation:
http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
"200" would indicate that somebody is using my apache as proxy, but how?
--
#Joseph
--
gentoo-user@gentoo.org mailing list
* [gentoo-user] Re: Security problem? - Apache access.log has: CONNECT ... 200
From: Francesco Talamona @ 2005-11-27 7:26 UTC
To: gentoo-user
On Saturday 26 November 2005 23:56, Joseph wrote:
> I have just noticed that my Apache2 access.log has a few entries:
>
> 220.189.234.182 - - [27/Sep/2005:03:21:59 -0600] "CONNECT
> 202.165.103.38:80 HTTP/1.1" 200 17505 61.232.83.75 - -
> [09/Oct/2005:04:33:26 -0600] "CONNECT 66.135.208.90:80 HTTP/1.1" 200
> 25952 59.40.34.187 - - [09/Oct/2005:19:05:40 -0600] "CONNECT
> 210.59.228.72:25 HTTP/1.1" 200 17368 66.219.100.118 - -
> [18/Oct/2005:02:04:00 -0600] "CONNECT mx2.ToughGuy.net:25 HTTP/1.0"
> 200 30192 213.180.210.35 - - [26/Nov/2005:12:09:14 -0700] "CONNECT
> 213.180.193.1:25 HTTP/1.0" 200 16916
>
> These IPs are mostly from Russian or Chinese hackers.
> My proxy is not enabled in /etc/conf.d/apache2
> APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PHP4"
>
> Does anybody have similar entries? According to the Apache explanation:
> http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
> "200" would indicate that somebody is using my apache as proxy, but
> how?
>
> --
> #Joseph
The answer is already in the page you posted. Page sizes are different,
so you are serving as a proxy.
Set NameVirtualHost and VirtualHost directives in
/etc/apache2/vhosts.d/00_default_vhost.conf and /etc/apache2/httpd.conf
as instructed in the link above.
Ciao
Francesco
--
Linux Version 2.6.12-gentoo-r9, Compiled #2 Wed Aug 24 18:43:16 CEST
2005
One 2.2GHz AMD Athlon 64 Processor, 2GB RAM, 4308.99 Bogomips Total
aemaeth
* Re: [gentoo-user] Re: Security problem? - Apache access.log has: CONNECT ... 200
From: Joseph @ 2005-11-27 18:55 UTC
To: gentoo-user
On Sun, 2005-11-27 at 08:26 +0100, Francesco Talamona wrote:
> On Saturday 26 November 2005 23:56, Joseph wrote:
> > I have just noticed that my Apache2 access.log has a few entries:
> >
> > 220.189.234.182 - - [27/Sep/2005:03:21:59 -0600] "CONNECT
> > 202.165.103.38:80 HTTP/1.1" 200 17505 61.232.83.75 - -
> > [09/Oct/2005:04:33:26 -0600] "CONNECT 66.135.208.90:80 HTTP/1.1" 200
> > 25952 59.40.34.187 - - [09/Oct/2005:19:05:40 -0600] "CONNECT
> > 210.59.228.72:25 HTTP/1.1" 200 17368 66.219.100.118 - -
> > [18/Oct/2005:02:04:00 -0600] "CONNECT mx2.ToughGuy.net:25 HTTP/1.0"
> > 200 30192 213.180.210.35 - - [26/Nov/2005:12:09:14 -0700] "CONNECT
> > 213.180.193.1:25 HTTP/1.0" 200 16916
> >
> > These IPs are mostly from Russian or Chinese hackers.
> > My proxy is not enabled in /etc/conf.d/apache2
> > APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PHP4"
> >
> > Does anybody have similar entries? According to the Apache explanation:
> > http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
> > "200" would indicate that somebody is using my apache as proxy, but
> > how?
> >
> > --
> > #Joseph
>
> The answer is already in the page you posted. Page sizes are different,
> so you are serving as a proxy.
> Set NameVirtualHost and VirtualHost directives in
> /etc/apache2/vhosts.d/00_default_vhost.conf and /etc/apache2/httpd.conf
> as instructed in the link above.

No, my server is not a proxy. This link explains how to test it:
http://www.karkomaonline.com/article.php/20040425124146257

The reason the page size is different is that I'm running a PHP-based
web page, so every time you load it the content might change.

Though, I'm not sure I follow that <Location /> directive to prevent
this type of request entirely. I have in my virtual host:

NameVirtualHost 10.0.0.103:80
<VirtualHost 10.0.0.103:80>
    ServerName www.xxxxxx.ca
    <Location />
        Order allow,deny
        Deny from all
    </Location>
    DocumentRoot /var/www/localhost/htdocs/
    Setenv VLOG /var/log/apache2/log_log
    ErrorLog /var/log/apache2/error_log
</VirtualHost>

If I add the <Location /> directive as above it will not load my page at
all; I get error 403.
--
#Joseph
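
The response-size comparison debated in this thread, written out as an added example (not code from any poster or from Apache): it lists CONNECT requests that were answered with a 2xx status and checks whether each reply size falls inside the range of sizes the server returns for its own "GET /". The log lines are constructed samples in the same format as the entries above, and the names parse and triage_connects are hypothetical.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2005:10:00:00 -0700] "GET / HTTP/1.1" 200 17012
192.0.2.11 - - [01/Dec/2005:10:05:00 -0700] "GET / HTTP/1.1" 200 18340
198.51.100.7 - - [01/Dec/2005:11:00:00 -0700] "CONNECT 203.0.113.5:25 HTTP/1.0" 200 17500
198.51.100.8 - - [01/Dec/2005:11:30:00 -0700] "CONNECT 203.0.113.9:80 HTTP/1.1" 200 512
198.51.100.9 - - [01/Dec/2005:12:00:00 -0700] "CONNECT 203.0.113.9:25 HTTP/1.1" 405 300
""".splitlines()

def parse(line):
    m = CLF.match(line)
    if m is None:
        return None  # line is not in common log format
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    return e

def triage_connects(lines):
    """List 2xx CONNECT requests and compare their size to local "GET /" replies."""
    entries = [e for e in map(parse, lines) if e]
    local = [e["size"] for e in entries
             if e["method"] == "GET" and e["target"] == "/" and e["status"] == 200]
    findings = []
    for e in entries:
        if e["method"] != "CONNECT" or not 200 <= e["status"] < 300:
            continue  # rejected CONNECTs (4xx/5xx) need no follow-up
        host, _, port = e["target"].rpartition(":")
        findings.append({
            "client": e["client"], "host": host, "size": e["size"],
            "port": int(port) if port.isdigit() else None,
            # Heuristic only: True means the reply is as large as the local front page
            "matches_local_size": bool(local) and min(local) <= e["size"] <= max(local),
        })
    return findings

if __name__ == "__main__":
    for finding in triage_connects(SAMPLE_LOG):
        print(finding)
```

A matching size is only a hint, since a dynamic front page varies from request to request; entries that do not match are the ones to follow up with a direct proxy test against the server.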