Our Apache 2.0.47 server is receiving a huge number of requests (average of a couple per second all day) for pages unrelated to the hosted websites. This was filling up the access_log and error_log with entries like:
22.214.171.124 - - [10/Sep/2004:08:46:52 -0700] "GET http://l35.login.scd.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=a-rt&passwd=316
HTTP/1.0" 200 18166 "-" "-"
I downloaded the latest patches (under Linux Mandrake 9.2) and the messages keep going but the server is now replying with a 403 (forbidden) message:
126.96.36.199 - - [10/Sep/2004:10:30:45 -0700] "GET http://dedicatedhits.com/search.php?username=aigo&keywords=Domain+Registration
HTTP/1.1" 403 373
The current error_log messages:
[Fri Sep 10 10:28:14 2004] [error] [client 188.8.131.52] client denied by server configuration: proxy:http://edit.europe.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=s_newman&passwd=mike
1) What is going on here? (Hacked...?)
2) With the 403 messages, the next entry is the return message size, usually about 0.5KB. Can I safely assume that the content is simply the "forbidden" message text - not some other stuff?
3) Can anything else be done to prevent the unwanted traffic?
4) Is more serious work needed - reinstalling?
The error_log has this "client denied by server configuration: proxy:" string. Is this related to the Apache settings? Should they be changed? Is the following the place to look/change:
RewriteRule ^proxy:.* - [F]
RewriteRule ^(.*\/perl\/.*)$ http://%
RewriteRule ^(.*\/cgi-perl\/.*)$ http://%
I have tried adding lines to the hosts.deny file, but the number of IP addresses is too large.
The firewall only allows Web and SSH through. The server is set to listen on 80 and 443.