
Log message

Posted on 2006-03-29
Last Modified: 2010-03-04
I always receive this log message... what does this mean?

219.68.94.176 - - [29/Mar/2006:03:02:29 -0500] "GET http://www.hinet.net/ HTTP/1.1" 200 1456
218.171.153.62 - - [29/Mar/2006:04:11:39 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326
218.171.149.166 - - [29/Mar/2006:08:56:49 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326
218.171.153.62 - - [29/Mar/2006:09:00:56 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326
Question by:operation1611
16 Comments
 
LVL 6

Expert Comment

by:avinthm
ID: 16320049
I think it is trying to connect to some SMTP host, i.e. smtp.pchome.com
You must have deployed an application which looks up this SMTP host
0
 

Author Comment

by:operation1611
ID: 16320077
I just finished installing Apache. I haven't put the website up yet... just a successful Apache start. Are they trying to hack me?
0
 
LVL 6

Expert Comment

by:avinthm
ID: 16320158
What's the server you have installed?
> hack me ?
No way....
0
 

Author Comment

by:operation1611
ID: 16320209
I just used my Intel PC to install Apache... and made it visible to the public... that's all. I haven't placed any website yet... the public can only see 'Test Page for Apache Installation'
0
 
LVL 27

Expert Comment

by:caterham_www
ID: 16320541
> "GET http://www.hinet.net/ HTTP/1.1" 200

Do you have an open forward proxy? ProxyRequests on?

If you don't need mod_proxy, disable the module.
0
 

Author Comment

by:operation1611
ID: 16321323
I didn't enable any proxy... I just use the standard httpd.conf and php.ini configuration
0
 
LVL 15

Accepted Solution

by:
periwinkle earned 500 total points
ID: 16321717
The second to last number is a status code. Status code 200 is a success code; however, 405 is Method Not Allowed, so those lines need not be worried about. For a full list of status codes, see page 39 of the RFC for the httpd protocol at http://www.w3.org/Protocols/rfc2616/rfc2616.txt

Looking up the IP addresses in your log file:

219.68.94.176 PTR record: 219-68-94-176.adsl.dynamic.giga.net.tw
218.171.153.62 PTR record: 218-171-153-62.dynamic.hinet.net
218.171.149.166 PTR record: 218-171-149-166.dynamic.hinet.net
218.171.153.62 PTR record: 218-171-153-62.dynamic.hinet.net

Unless you are located in Taiwan, this would make me suspect that someone is probing your site for vulnerabilities.

0
 
LVL 15

Expert Comment

by:periwinkle
ID: 16321733
P.S. I would review the configuration files to make certain that mod_proxy isn't enabled;  information on mod_proxy can be found here:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
0
 

Author Comment

by:operation1611
ID: 16321874
So that means... another user is using/trying to find a hole in my server to route another connection?... hmm, this is bad... by the way, I didn't see any proxy enabled in either httpd.conf or php.ini...

By the way, how do they do that?... because normally a browser only uses GET.
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 16321926
It's not so bad - they are failing as the CONNECT isn't a protocol that is supported by your web server, so you don't have to worry about it.

What is more interesting is the GET statement. Basically, any program that uses the httpd 1.1 protocol can use GET - which means you could make a specialized program that looks for vulnerabilities.

What else has IP address 219.68.94.176 attempted in your logs?  The full list would be interesting.

0
 

Author Comment

by:operation1611
ID: 16322139
Only that access_log....

How do they change from GET to another method like CONNECT... can this be done in a browser?
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 16322256
Apparently, someone is attempting to use your server as an SMTP (e-mail) proxy;  in your case, they were not successful.  It really doesn't matter HOW they are attempting to do it;  your server is blocking it.

I googled up the following discussion that might be useful:

http://www.webmasterworld.com/forum92/5421.htm

This explains how the access is shut off.





0
 
LVL 15

Expert Comment

by:periwinkle
ID: 16322286
You can read more about what they are attempting here:

http://www.dsbl.org/relay-methods

From that page:

HTTP CONNECT relaying
The HTTP protocol has a provision for arbitrary TCP proxying, ala SOCKS. A spammer connects to an insecure HTTP server and issues:

>>> CONNECT mx.victim.com:25 HTTP/1.0
>>>
<<< 220 victim.com ESMTP

These often occur on ports 80, 443, 1080, 3128 and 8080.
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 16322308
Here's some more information:

http://bugs.php.net/bug.php?id=19113

You can achieve this just by telnet.

0
 
LVL 15

Expert Comment

by:periwinkle
ID: 16322320
And here's another one:

http://www.us.sorbs.net/faq/proxy.shtml
0
 

Author Comment

by:operation1611
ID: 16322362
thank you for the guidance...
0
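A way to triage lines like the ones in this thread, as an added example that is not part of any poster's answer: it parses Apache common-log lines and flags proxy-style requests (a CONNECT, or a GET whose target is a full URL). The function names and the last sample line are assumptions constructed for the example; a 2xx on a full-URL GET is marked for review rather than as proof of relaying, because the server may simply be answering with its own page.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

# The first four lines are from the question; the last one is constructed
# to show an ordinary request that must not be flagged.
SAMPLE_LOG = """\
219.68.94.176 - - [29/Mar/2006:03:02:29 -0500] "GET http://www.hinet.net/ HTTP/1.1" 200 1456
218.171.153.62 - - [29/Mar/2006:04:11:39 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326
218.171.149.166 - - [29/Mar/2006:08:56:49 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326
218.171.153.62 - - [29/Mar/2006:09:00:56 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326
192.0.2.10 - - [29/Mar/2006:09:05:00 -0500] "GET /index.html HTTP/1.1" 200 1456
"""

def classify(line):
    """Return a finding dict for a proxy-style request, else None."""
    m = CLF.match(line.strip())
    if not m:
        return None
    if m["method"] == "CONNECT":
        kind = "connect-tunnel"      # request to open a raw TCP tunnel
    elif ABSOLUTE_URI.match(m["target"]):
        kind = "absolute-uri"        # full URL as target, as sent to a proxy
    else:
        return None                  # ordinary origin-form request
    status = int(m["status"])
    # 4xx/5xx: the server refused. 2xx/3xx: compare the byte count with the
    # size of the server's own default page before concluding it relayed.
    verdict = "refused" if status >= 400 else "review"
    return {"host": m["host"], "kind": kind, "target": m["target"],
            "status": status, "size": m["size"], "verdict": verdict}

def scan(text):
    """Classify every line; return the findings and a per-host count."""
    findings = [f for f in map(classify, text.splitlines()) if f]
    return findings, Counter(f["host"] for f in findings)

if __name__ == "__main__":
    found, per_host = scan(SAMPLE_LOG)
    for f in found:
        print(f["verdict"], f["kind"], f["host"], f["target"], f["status"], f["size"])
    print(dict(per_host))
```
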
