Date: Thu, 10 Mar 2011 15:47:09 +1100 (EST)
From: Ian Smith
To: peter@vfemail.net
Cc: freebsd-questions@freebsd.org, Robert Bonomi
Subject: Re: Nonsensical Web Log Entries
Message-ID: <20110310142433.M68517@sola.nimnet.asn.au>
In-Reply-To: <20110309233148.0F4CF1065771@hub.freebsd.org>

In freebsd-questions Digest, Vol 353, Issue 5, Message: 21
On Wed, 09 Mar 2011 15:02:57 -0500 peter@vfemail.net wrote:
 > At 03:06 PM 3/9/2011, Robert Bonomi wrote:
 > >>
 > >> I was looking at my Web log this morning, and a bunch of nonsensical
 > >> entries like these caught my attention:
 > >>
 > >> 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 > >> 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 > >> 115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] "GET http://join1.winhundred.com/affiliate/link.php?ref=35840&productid=7178 HTTP/1.0" 404 3485 "http://www.wingclips.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 > >> 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] "GET http://www.tosunmail.com/proxyheader.php HTTP/1.0" 301 313 "http://www.cashsoldier.com/VerifyerLevel.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 > >>
 > >> Is my FreeBSD box serving as some kind of Web proxy?
 > >
 > >Your box is _not_ doing the proxying. that's why it's signalling errors
 > >for those requests.
 > >
 > >The perpetrators are _hoping_ you are running a misconfigured proxying
 > >front-end.
 >
 > Does this entry change your conclusion:
 >
 > 188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"

No, Robert is right. Note that the first four you listed were all
HTTP/1.0 requests. The ones with anything after the last '/' are 404
(page not found) except the last. Not sure about that 301, do you have
a proxyheader.php?

The more recent one is HTTP/1.1 with nothing after the last / so the
http://images.google.com is ignored, and I expect you may find that your
home page (ie requests for just '/') serves up 13134 bytes?
At least that's what happens here with apache 1.3; here's a few examples
from a seldom-accessed vhost where lots of requests are bogus, usually
appearing across multiple vhosts (ie, from a sweep over IP addresses)

24.106.193.92 - - [01/Feb/2011:23:05:21 +1100] "GET http://www.ya.ru:80/ HTTP/1.0" 200 2327 "-" "Mozilla/4.0 (compatible; Synapse)"
(this one fetched the home page, see below)

83.20.184.159 - - [02/Feb/2011:10:43:04 +1100] "GET / HTTP/1.1" 403 287 "-" "-"
(requests w/ no referer (sic) and no browser ("-" "-") are denied here)

217.174.232.11 - - [03/Feb/2011:20:31:16 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00 (Windows NT 5.1; U; en)"
88.250.12.104 - - [03/Feb/2011:20:36:45 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00 (Windows NT 5.1; U; en)"
(accepted requests, this static / page always serves 2327 bytes)

109.61.188.165 - - [05/Feb/2011:20:46:04 +1100] "GET http://www.yahoo.com/ HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
84.127.236.75 - - [06/Feb/2011:10:25:53 +1100] "GET http://www.ebay.com/ HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
(forbidden browser strings &/or IP addresses in $apachedir/access.conf)

91.195.136.10 - - [07/Feb/2011:02:33:55 +1100] "GET http://images.google.com/ HTTP/1.1" 200 2327 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"

Oh look, one just like yours, but with an acceptable browser string .. so
it got the homepage, attempted proxying request being just ignored.

cheers, Ian
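
Added example, not part of the original message: a Python sketch of the check described in the thread, which finds requests carrying a full `http://` URL in the request line and compares any 200 response size against the size the server normally returns for a plain `GET /`. The function names and verdict labels are assumptions for illustration; the sample log uses entries from the message (one user-agent abridged) plus one constructed line.

```python
import re
from collections import Counter

# Apache combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# First four lines are from the message (last user-agent abridged);
# the 192.0.2.10 line is constructed to show the case worth a closer look.
SAMPLE_LOG = '''\
217.174.232.11 - - [03/Feb/2011:20:31:16 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00 (Windows NT 5.1; U; en)"
88.250.12.104 - - [03/Feb/2011:20:36:45 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00 (Windows NT 5.1; U; en)"
109.61.188.165 - - [05/Feb/2011:20:46:04 +1100] "GET http://www.yahoo.com/ HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
91.195.136.10 - - [07/Feb/2011:02:33:55 +1100] "GET http://images.google.com/ HTTP/1.1" 200 2327 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
192.0.2.10 - - [07/Feb/2011:03:00:00 +1100] "GET http://example.com/ HTTP/1.1" 200 9999 "-" "constructed"
'''

def parse(log_text):
    """Return one dict per line that matches the combined log format."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def homepage_size(entries):
    """Most common byte count for successful local 'GET /' requests, or None."""
    sizes = Counter(e["size"] for e in entries
                    if e["target"] == "/" and e["status"] == "200")
    return sizes.most_common(1)[0][0] if sizes else None

def classify_probes(log_text):
    """Label each absolute-URL (proxy-style) request in the log."""
    entries = parse(log_text)
    home = homepage_size(entries)
    results = []
    for e in entries:
        if not re.match(r'(?i)^https?://', e["target"]):
            continue                   # ordinary request for a local path
        if e["status"] != "200":
            verdict = "not-proxied"    # 3xx/4xx/5xx: nothing fetched for the prober
        elif e["size"] == home:
            verdict = "served-local"   # host ignored, own home page returned
        else:
            verdict = "investigate"    # 200 with an unexplained size
        results.append((e["ip"], e["target"], verdict))
    return results

if __name__ == "__main__":
    for row in classify_probes(SAMPLE_LOG):
        print(*row)
```

An "investigate" verdict is not proof of open proxying: a probe URL with a path that happens to exist locally also returns 200 with a different size, so compare against that local file's size and check the proxy configuration.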