question on httpd log entry - Security


  1. question on httpd log entry

    I'm running apache on FC6. I've got the following log entry:

    218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    What does it mean? How can an http client issue a "GET" to a server
    for a file that is on some other server? What are the response
    codes "404 293"? I figure 404 is not found, but what is 293?
    --
    % Randy Yates % "I met someone who looks alot like you,
    %% Fuquay-Varina, NC % she does the things you do,
    %%% 919-577-9882 % but she is an IBM."
    %%%% % 'Yours Truly, 2095', *Time*, ELO
    http://home.earthlink.net/~yatescr

  2. Re: question on httpd log entry

    Randy Yates writes:

    > I'm running apache on FC6. I've got the following log entry:
    >
    > 218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    >
    > What does it mean? How can an http client issue a "GET" to a server
    > for a file that is on some other server?


    It might attempt to use your server as a proxy.

    > What are the response codes "404 293"? I figure 404 is not
    > found, but what is 293?


    Most likely the number of bytes used to tell the client that the
    attempt didn't work.

    The format of Apache log files is configurable, but your line looks
    like the default configuration for the access log.

    Greetings,

    Jacob
    --
    By becoming continuous, war has fundamentally changed its character.
    In past ages, a war, almost by definition, was something that sooner
    or later came to an end, usually in unmistakable victory or defeat.
    -- Nineteen Eighty-Four, George Orwell
    I don't think you can win [the war on terror]. -- George W. Bush

  3. Re: question on httpd log entry

    Jacob Sparre Andersen writes:

    > Randy Yates writes:
    >
    >> I'm running apache on FC6. I've got the following log entry:
    >>
    >> 218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    >>
    >> What does it mean? How can an http client issue a "GET" to a server
    >> for a file that is on some other server?

    >
    > It might attempt to use your server as a proxy.
    >
    >> What are the response codes "404 293"? I figure 404 is not
    >> found, but what is 293?

    >
    > Most likely the number of bytes used to tell the client that the
    > attempt didn't work.
    >
    > The format of Apache log files is configurable, but your line looks
    > like the default configuration for the access log.
    >
    > Greetings,
    >
    > Jacob


    Thanks for the info, Jacob.

    So I take it that this is a type of attack? The idea is that,
    if proxy serving is enabled, someone could have my server
    execute, e.g., their PHP code? Blah!

    So in order to prevent this type of attack, I should
    leave proxy serving disabled by leaving the following
    lines in httpd.conf commented out:

    # Proxy Server directives. Uncomment the following lines to
    # enable the proxy server:
    #
    #<IfModule mod_proxy.c>
    #ProxyRequests On
    #
    #<Proxy *>
    # Order deny,allow
    # Deny from all
    # Allow from .example.com
    #</Proxy>


    ?

    Thanks again for the info.
    --
    % Randy Yates % "My Shangri-la has gone away, fading like
    %% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
    %%% 919-577-9882 %
    %%%% % 'Shangri-La', *A New World Record*, ELO
    http://home.earthlink.net/~yatescr

  4. Re: question on httpd log entry

    Randy Yates wrote:
    > I'm running apache on FC6. I've got the following log entry:
    >
    > 218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    >
    > What does it mean? How can an http client issue a "GET" to a server
    > for a file that is on some other server? What are the response
    > codes "404 293"? I figure 404 is not found, but what is 293?


    That is a proxy request (i.e. somebody is trying to use your web server
    as a proxy).

    293 is the size of the response your server sent to the client most
    likely (in bytes).

    Jeff Long

  5. Re: question on httpd log entry


    "Randy Yates" wrote in message
    news:m3wsw4961y.fsf@ieee.org...
    > Jacob Sparre Andersen writes:
    >
    >> Randy Yates writes:
    >>
    >>> I'm running apache on FC6. I've got the following log entry:
    >>>
    >>> 218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET
    >>> http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293
    >>> "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE
    >>> 6.0; Windows NT 5.1)"
    >>>
    >>> What does it mean? How can an http client issue a "GET" to a server
    >>> for a file that is on some other server?

    >>
    >> It might attempt to use your server as a proxy.
    >>
    >>> What are the response codes "404 293"? I figure 404 is not
    >>> found, but what is 293?

    >>
    >> Most likely the number of bytes used to tell the client that the
    >> attempt didn't work.
    >>
    >> The format of Apache log files is configurable, but your line looks
    >> like the default configuration for the access log.
    >>
    >> Greetings,
    >>
    >> Jacob

    >
    > Thanks for the info, Jacob.
    >
    > So I take it that this is a type of attack? The idea is that,
    > if proxy serving is enabled, someone could have my server
    > execute, e.g., their PHP code? Blah!
    >
    > So in order to prevent this type of attack, I should
    > leave proxy serving disabled by leaving the following
    > lines in httpd.conf commented out:
    >
    > # Proxy Server directives. Uncomment the following lines to
    > # enable the proxy server:
    > #
    > #<IfModule mod_proxy.c>
    > #ProxyRequests On
    > #
    > #<Proxy *>
    > # Order deny,allow
    > # Deny from all
    > # Allow from .example.com
    > #</Proxy>

    >
    > ?
    >
    > Thanks again for the info.
    > --
    > % Randy Yates % "My Shangri-la has gone away, fading
    > like
    > %% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
    > %%% 919-577-9882 %
    > %%%% % 'Shangri-La', *A New World Record*, ELO
    > http://home.earthlink.net/~yatescr


    I would suggest you address that question in alt.apache.configuration

    If you have mod proxy loaded, it is better to have a 'deny all' line in
    there, rather than commenting it out.

    This is a very normal type of hack attempt. If you returned a 'forbidden'
    then your system is working properly, do not change anything. It is normal
    to get a few hundred of these a day, maybe more if somebody has added your
    IP address to a list of open proxies.
    If you do end up with an open proxy server, someone will very quickly use it
    to launch spam, which will be traced back to you.


    Stuart
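
An added example, not part of any post in this thread: a small Python scanner that reads Apache combined-format access log lines, picks out proxy-style requests like the one quoted above (an absolute URL or `CONNECT` in the request line), and reports the status and byte count the server answered with. The names `classify`, `scan` and `SAMPLE` are made up for this example, and every sample line except the first is constructed.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def classify(line):
    """Return None for an ordinary request, else a dict describing the proxy attempt."""
    m = COMBINED.match(line)
    if not m:
        return None
    parts = m["request"].split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    # Requests meant for this server use origin-form ("/path"). Absolute-form
    # ("http://host/path") and "CONNECT host:port" are what a client sends to a proxy.
    if method == "CONNECT":
        upstream = target
    elif "://" in target:
        upstream = urlsplit(target).netloc
    else:
        return None
    status = int(m["status"])
    return {
        "client": m["host"],
        "upstream": upstream,
        "status": status,                                    # %>s
        "bytes": 0 if m["size"] == "-" else int(m["size"]),  # %b, "-" means no body
        # 4xx: the server turned the request down. Anything else needs a manual look:
        # it may be a relayed reply, a gateway error, or local content for that path.
        "verdict": "refused" if 400 <= status < 500 else "review",
    }

SAMPLE = [
    # Line quoted in the thread.
    '218.59.121.57 - - [08/Aug/2007:13:30:08 -0400] "GET http://www.filesdatabase.com/azenv.php HTTP/1.1" 404 293 "http://www.filesdatabase.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    # Constructed lines (documentation addresses and hostnames).
    '192.0.2.10 - - [08/Aug/2007:13:29:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Aug/2007:13:31:00 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"',
]

def scan(lines):
    """Classify each line and keep only the proxy-style requests."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```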

