
Odd website found in my access.log

Status
Not open for further replies.

Einstein47

Programmer
Nov 29, 2001
737
US
I have been watching my apache logs for some time, and recently I have noticed an odd entry. This is the line that concerns me:
Code:
60.172.219.2 - - [01/Jun/2008:07:13:05 -0600] "GET http://thecric.free.fr/AZenv/azenv.php HTTP/1.1" 302 332
I think that someone is using my server as a proxy to get to another site. Can I stop this? The last thing I want to do is allow bizarre access to my web server.

Any ideas?

Einstein47 (Starbase47.com)
“Never put both feet in your mouth at the same time.
Because then you won't have a leg to stand on.”

- Unknown
 
Use telnet on port 80 to connect to your web server. Then send that "GET" string followed by two hits of the enter key.

Then see what happens.


Want to ask the best questions? Read Eric S. Raymond's essay "How To Ask Questions The Smart Way". TANSTAAFL!
 
If that isn't your server, you can reject it using rewrite rules.

I believe you returned 302, which means "found".

Does that php file exist on your server?

 
Do you see any other activity by that one IP address?

If so, and you are on linux and running iptables, you can block the IP by doing this:

iptables -A INPUT -s 60.172.219.2 -j DROP

That will block that one IP from all access to that box - mail, web, ftp, etc. If the person is on dynamic IP it won't matter, and if they are after you from more than one static IP you would have to block them all.

 
Thanks for all the suggestions guys!

donb01 - I am on AIX, not Linux; I do not have that iptables app. I would have to look to see what AIX can do to block individual IP addresses.

elgrandeperro - that php does NOT exist on my server. I don't even have the php module loaded.

sleipnir214 - doing that TELNET trick shows that my redirection is working. When someone tries to hit my server with a request where the suffix is php, I set up a redirectmatch to " That is what is reporting as 302 found.

So it is just adding to my log - it isn't compromising my server - thanks for the information all!

Einstein47 (Starbase47.com)
“Never put both feet in your mouth at the same time.
Because then you won't have a leg to stand on.”

- Unknown
 
Sorry I'm a little late. What you are seeing is, with 99% probability, someone doing a sweep/scan for open proxies. Ignore it.

D.E.R. Management - IT Project Management Consulting
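An added example, not from any poster in this thread, showing how to pick open-proxy probes like the one above out of an Apache access log: it parses each line and flags requests whose target is an absolute URL for a host other than your own, or a CONNECT request. The sample log lines and the hostnames in OWN_HOSTS are constructed for this example; adjust OWN_HOSTS to your own vhosts.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log prefix: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hostnames this server legitimately answers for (constructed; set to your own vhosts)
OWN_HOSTS = {"starbase47.com", "www.starbase47.com"}


def parse_line(line):
    """Split one access-log line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["req"].split()
    if len(parts) != 3:
        return None
    entry["method"], entry["target"], entry["proto"] = parts
    return entry


def is_proxy_probe(entry, own_hosts=OWN_HOSTS):
    """A browser talking to this server sends '/path'; a proxy client sends
    'http://other.host/...' or uses CONNECT. Either one is a proxy probe."""
    if entry["method"].upper() == "CONNECT":
        return True
    u = urlsplit(entry["target"])
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    return u.hostname.lower() not in own_hosts


def find_probes(lines, own_hosts=OWN_HOSTS):
    """Return (client_ip, target, status) for every probe. A 200 here would mean
    the server actually relayed the request; a 302/4xx means it did not."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and is_proxy_probe(e, own_hosts):
            hits.append((e["ip"], e["target"], int(e["status"])))
    return hits


# Constructed sample: the thread's line, two ordinary requests, and a CONNECT probe
SAMPLE_LOG = """\
60.172.219.2 - - [01/Jun/2008:07:13:05 -0600] "GET http://thecric.free.fr/AZenv/azenv.php HTTP/1.1" 302 332
192.0.2.10 - - [01/Jun/2008:07:14:11 -0600] "GET /index.html HTTP/1.1" 200 5120
192.0.2.11 - - [01/Jun/2008:07:15:02 -0600] "GET http://www.starbase47.com/ HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jun/2008:07:16:40 -0600] "CONNECT mail.example.net:25 HTTP/1.1" 405 0
""".splitlines()

if __name__ == "__main__":
    for ip, target, status in find_probes(SAMPLE_LOG):
        print(f"proxy probe from {ip}: {target} -> {status}")
```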
 