[nycbug-talk] (a bit ot) web server weird stuff

David Lawson dave at donnerjack.com
Tue May 19 14:47:54 EDT 2009


On May 19, 2009, at 2:40 PM, George Rosamond wrote:

> Steve Rieger wrote:
>> Starting yesterday I see the following in my access logs, and can't
>> seem to figure out what the heck is going on.
>> Using lighttp, got any insight?
>>
>> 77.108.102.246 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.43:443 HTTP/1.0" 501 357 "-" "-"
>> 77.66.227.146 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.36:443 HTTP/1.0" 501 357 "-" "-"
>> 77.66.227.146 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.16:443 HTTP/1.0" 501 357 "-" "-"
>> 60.168.252.7 xml.nbcsearch.com - [19/May/2009:10:07:10 -0700] "GET http://xml.nbcsearch.com/xml.php?affiliate=searchdao&Terms=food+nutrition&IP=208%2E127%2E94%2E89 HTTP/1.0" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; Alexa Toolbar)"
>> 77.108.102.246 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.31:443 HTTP/1.0" 501 357 "-" "-"
>> 59.90.1.66 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.6:443 HTTP/1.0" 501 357 "-" "-"
>> 59.90.1.66 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.1:443 HTTP/1.0" 501 357 "-" "-"
>> 113.22.163.156 - - [19/May/2009:10:07:10 -0700] "GET http://n31.login.re3.yahoo.com/config/pwtoken_get?login=roseau@snet.net&src=ygodgw&passwd=bc144134bc7b61191e8e2f6c0833364c&challenge=FqJZxsmRe5Eq__AOpETXgvYrGqMd&md5=1 HTTP/1.0" 404 345 "-" "MobileRunner-J2ME"
>> 117.13.200.239 adserver.adtech.de - [19/May/2009:10:07:10 -0700] "GET http://adserver.adtech.de/adiframe/3.0/932/2081232/0/225/ADTECH;target=_blank;grp=%5Bgroup%5D HTTP/1.1" 404 345 "http://www.vampirefreaks.com/" "mozilla/5.0 (windows; u; win98; en-us; rv:1.8.0.7) gecko/20060909 firefox/1.5.0.7"
>
> Weird. . .
>
> Just taking some stabs here, or at least stating the obvious. . .
>
> The only URLs i ever remember seeing in access.logs (in apache or
> lighttpd) are connected to bots and spiders for indexing.
>
> Is it possible that users can proxy through this box?  Is mod_proxy
> enabled in the conf file?

It does look very much like it's being used as an open proxy. I've seen similar stuff on Squid boxes prior to having their ACLs locked down.

--Dave
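The tell in the quoted log is the request line itself: a browser talking to an origin server sends `GET /path`, while `CONNECT host:443` and `GET http://other-host/...` are only ever sent to a proxy. The status code then says whether the server actually relayed anything (lighttpd answered 501 and 404 above, so it refused). The following script is an added example, not part of the thread, that runs that check over a few constructed log lines in the same Common Log Format and reports which clients sent proxy-style requests and which of those were served with a 2xx; the sample addresses are documentation ranges, not the IPs from the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common/Combined Log Format as written by lighttpd and apache (trailing
# referer/user-agent fields are ignored by the pattern).
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines modelled on the thread; hosts and IPs are illustrative.
SAMPLE_LOG = """\
192.0.2.10 - - [19/May/2009:10:07:10 -0700] "CONNECT 198.51.100.43:443 HTTP/1.0" 501 357 "-" "-"
192.0.2.11 - - [19/May/2009:10:07:10 -0700] "GET http://ads.example.net/x.php?a=1 HTTP/1.0" 404 345 "-" "Mozilla/4.0"
192.0.2.12 - - [19/May/2009:10:07:11 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [19/May/2009:10:07:12 -0700] "CONNECT 198.51.100.1:443 HTTP/1.0" 501 357 "-" "-"
192.0.2.13 - - [19/May/2009:10:07:13 -0700] "GET http://www.example.org/ HTTP/1.1" 200 5120 "-" "curl/7.19"
"""


def parse_line(line):
    """Split one access-log line into fields; returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec


def is_proxy_request(rec):
    """True if the request line is one a client only sends to a proxy."""
    if rec["method"] == "CONNECT":
        return True
    # An origin server expects an absolute path; a request-target carrying a
    # scheme and host (absolute-URI form) is proxy-style.
    return urlsplit(rec["target"]).scheme in ("http", "https")


def analyze(log_text):
    """Return counts of proxy-style requests per client and the ones that were actually served."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = [r for r in records if is_proxy_request(r)]
    by_client = Counter(r["client"] for r in hits)
    # 501/404 (as in the thread) mean the server refused; a 2xx on a
    # proxy-style request is the case that needs attention.
    served = [r for r in hits if 200 <= r["status"] < 300]
    return {"proxy_requests": len(hits), "by_client": by_client, "served": served}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("proxy-style requests:", result["proxy_requests"])
    for client, n in result["by_client"].most_common():
        print(f"  {client}: {n}")
    for r in result["served"]:
        print("SERVED:", r["client"], r["method"], r["target"], r["status"])
```

On the constructed input this counts four proxy-style requests from three clients and flags only the last line, where the absolute-URI GET came back 200, which is the pattern that would indicate the box really is relaying rather than just being probed.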