From: Chuck Swiger
Date: Tue, 12 Jun 2007 16:38:37 -0700
To: bob@a1poweruser.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Apache access log shows these attack requests

On Jun 12, 2007, at 2:58 PM, Bob wrote:
> I already have Apache mod_proxy commented out in httpd.conf and there is
> no php stuff installed in system.

Your logfile lines seemed to be oddly truncated, so it's a bit hard to tell, but it sure seemed like some of the requests you showed were getting 200 success responses. I assume you aren't IPs 89.196.37.169 or 122.124.129.55?

The requests for AZ.php or azenv.php are trying to reference scripts used to control and "rate" lists of "anonymous" proxies that tend to run either on hacked systems or systems configured to permit the world to use the proxy (generally because of a lack of admin clue rather than by intent). See:

  http://web.freerk.com/proxyjudge/azenv.htm

...and:

  http://forum.my-proxy.com/index.php?topic=48.0

...which actually lists this "http://pro_xy.t35.com/AZ.php" host...

-- 
-Chuck
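
An added example, not part of the original message: one way to run the check the reply asks about, listing clients whose proxy-judge requests (azenv.php, AZ.php), absolute-URI requests or CONNECT attempts received a 2xx response. The log lines are constructed samples in Apache combined format using documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Apache common/combined prefix: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')
# Proxy-judge script names mentioned in the thread (azenv.php, AZ.php).
JUDGE_RE = re.compile(r'/(?:azenv|az)\.php(?:[?#]|$)', re.IGNORECASE)

def classify(request):
    """Return a reason string if the request line looks like an open-proxy probe."""
    parts = request.split()
    if len(parts) < 2:
        return None  # truncated or malformed request line
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return "CONNECT tunnel attempt"
    if JUDGE_RE.search(target):
        return "proxy-judge script"
    if re.match(r'^[a-z][a-z0-9+.-]*://', target, re.IGNORECASE):
        return "absolute-URI (proxy-style) request"
    return None

def find_probes(lines):
    """Map client host -> list of (status, reason, request) for suspicious hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reason = classify(m.group("request"))
        if reason:
            hits[m.group("host")].append((int(m.group("status")), reason, m.group("request")))
    return dict(hits)

def answered_ok(hits):
    """Hosts whose probes got a 2xx: the cases worth checking by hand."""
    return sorted(h for h, recs in hits.items() if any(200 <= s < 300 for s, _, _ in recs))

# Constructed sample lines (documentation addresses, not from the original post).
SAMPLE = [
    '192.0.2.10 - - [12/Jun/2007:14:01:02 -0700] "GET http://judge.example/azenv.php HTTP/1.1" 200 1456',
    '198.51.100.7 - - [12/Jun/2007:14:03:09 -0700] "GET /AZ.php HTTP/1.0" 404 208',
    '198.51.100.7 - - [12/Jun/2007:14:03:10 -0700] "CONNECT mail.example:25 HTTP/1.0" 405 235',
    '203.0.113.5 - - [12/Jun/2007:14:05:00 -0700] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Jun/2007:14:06:00 -0700] "GET http://www.example/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(answered_ok(find_probes(SAMPLE)))
```

A 2xx on an absolute-URI request is a prompt to compare the response size with your own page for that path, since Apache without mod_proxy can answer such a request with local content.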