It appears that we are being probed to be used as a proxy server for http
requests, as well as a potential probe from the sadmin worm (looking for
Microsoft IIS software).
Since we are not configured for proxy, the attempts failed, and it didn't look
like there was any hacking attempted, and since we are not MS, the questionable
GET x request did nothing.
As to the error message in the logs, it seems unknown what caused it, but I
should consider looking for details if it happens again.
It just amazes me, how often systems get probed...
Thanks for the help
George
-----Original Message-----
From: George Gallen [mailto:ggallen_at_slackinc.com]
Sent: Wednesday, May 30, 2001 12:07 PM
To: 'tru64-unix-managers_at_ornl.gov'
Subject: apache log question? Is this a bad DNS on the clients side?
I have a small web server running.
In checking the logs I see entries like:
202.102.145.162 - - [26/May/2001:07:17:36 -0400] "GET http://www.ebay.com/ HTTP/1.1" 401 484
61.137.62.80 - - [27/May/2001:10:08:22 -0400] "GET http://www.adm.com/ HTTP/1.1" 401 484
61.134.126.138 - - [29/May/2001:14:51:52 -0400] "GET x HTTP/1.0" 400 331
211.163.26.27 - - [30/May/2001:06:20:33 -0400] "GET http://www.s3.com/ HTTP/1.1" 401 484
and in my error_log:
[Tue May 29 14:51:52 2001] [error] [client 61.134.126.138] Invalid URI in request GET x HTTP/1.0
[Wed May 30 07:29:44 2001] [error] (22)Invalid argument: getsockname
The setup is that when our IP is hit with a port 80 request, a username/password
box appears.
My questions are:
1. Why are there URLs in the GETs? I tried playing: if I typed in the URL as a
filename, i.e. http://our.ip.address/http://www.ebay.com, then the log would show
"GET /http://www.ebay.com ...." How did the GET get that URL?
2. The getsockname error occurred, but there is no corresponding access log entry
for that time frame.
I didn't find anything in the apache man files or the tutorials to explain these
entries as I see them in the logs.
Any ideas on what these are? Is this some kind of exploit?
Thanks.
George Gallen
Senior Programmer/Analyst
Accounting/Data Division
ggallen_at_slackinc.com
ph:856.848.1000 Ext 220
SLACK Incorporated - An innovative information, education and management company
http://www.slackinc.com
Received on Thu May 31 2001 - 15:06:46 NZST
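The following is an added example, not code from either message in this thread. It is a small Apache Common Log Format reader that sorts request lines into the three kinds seen above: ordinary origin-form requests (path starting with "/"), absolute-form requests ("GET http://www.ebay.com/ ..."), which a client only sends to something it believes is a proxy, and targets that are neither (the "GET x" line, which Apache itself rejected with 400 and logged as "Invalid URI"). The sample input is the four access_log lines quoted in the post, collapsed to one line each, plus one ordinary request constructed for contrast; the function and field names are this example's own. The check a practitioner would want is the last function: an absolute-form request answered with a 2xx/3xx would mean the server actually fetched the remote URL for the probe, whereas the 401s in the post are the local server's own password challenge answering.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache Common Log Format:  host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# A request target that begins with a URI scheme ("http://...") is absolute-form,
# i.e. the client is asking this server to fetch a URL on another host.
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

# Sample input: the four access_log lines quoted in the post, each collapsed to
# one line, plus one ordinary request (10.0.0.5) constructed for contrast.
SAMPLE_LOG = """\
202.102.145.162 - - [26/May/2001:07:17:36 -0400] "GET http://www.ebay.com/ HTTP/1.1" 401 484
61.137.62.80 - - [27/May/2001:10:08:22 -0400] "GET http://www.adm.com/ HTTP/1.1" 401 484
61.134.126.138 - - [29/May/2001:14:51:52 -0400] "GET x HTTP/1.0" 400 331
211.163.26.27 - - [30/May/2001:06:20:33 -0400] "GET http://www.s3.com/ HTTP/1.1" 401 484
10.0.0.5 - - [30/May/2001:09:00:00 -0400] "GET /index.html HTTP/1.0" 200 1234
"""


@dataclass
class Entry:
    host: str
    time: str
    method: str
    target: str
    protocol: str
    status: int
    kind: str  # 'normal', 'proxy_probe', 'invalid_uri' or 'malformed'


def classify_target(target: str) -> str:
    """Label the request target the way a defender reading the log would."""
    if target.startswith('/'):
        return 'normal'          # origin-form: a path on this server
    if SCHEME_RE.match(target):
        return 'proxy_probe'     # absolute-form: "fetch this URL for me"
    return 'invalid_uri'         # neither: Apache logs these as "Invalid URI"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one CLF line; return None for lines that are not CLF at all."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('request').split(' ')
    if len(parts) != 3:
        # Request line without the usual "METHOD TARGET PROTOCOL" shape.
        method, target, protocol, kind = m.group('request'), '', '', 'malformed'
    else:
        method, target, protocol = parts
        kind = classify_target(target)
    return Entry(m.group('host'), m.group('time'), method, target, protocol,
                 int(m.group('status')), kind)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per kind, e.g. {'proxy_probe': 3, 'invalid_uri': 1, ...}."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def proxy_probe_hosts(entries: List[Entry]) -> List[str]:
    """Distinct client addresses that sent absolute-form requests."""
    return sorted({e.host for e in entries if e.kind == 'proxy_probe'})


def relayed_requests(entries: List[Entry]) -> List[Entry]:
    """Absolute-form requests answered with a 2xx/3xx status.

    That combination is the one thing worth alarming on: it would mean the
    server fetched the remote URL on the prober's behalf. A 401 (as in the
    post) is the local password challenge answering, not a relayed page.
    """
    return [e for e in entries if e.kind == 'proxy_probe' and e.status < 400]


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    print(summarize(entries))
    print('proxy probes from:', proxy_probe_hosts(entries))
    print('relayed (open-proxy evidence):', relayed_requests(entries))
```

Run against the sample, the summary reports three proxy probes, one invalid URI and one normal request, and relayed_requests() is empty, which is the evidence behind the conclusion in the reply above: the absolute-URI requests were answered by the local server, not forwarded anywhere.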