Log message

I always receive this log message... what does this mean?

219.68.94.176 - - [29/Mar/2006:03:02:29 -0500] "GET http://www.hinet.net/ HTTP/1.1" 200 1456
218.171.153.62 - - [29/Mar/2006:04:11:39 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326
218.171.149.166 - - [29/Mar/2006:08:56:49 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326
218.171.153.62 - - [29/Mar/2006:09:00:56 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326
operation1611 asked:
avinthm commented:
I think it is trying to connect to some SMTP host, i.e. smtp.pchome.com.
You must have deployed an application which looks up this SMTP host.
operation1611 (author) commented:
I just finished installing Apache. I haven't inserted the website yet... just a successful Apache start. Are they trying to hack me?
avinthm commented:
What's the server you have installed?
> hack me?
No way....
operation1611 (author) commented:
I just used my Intel PC to install Apache... and made it visible to the public... that's all. I haven't placed any website yet... the public can only see 'Test Page for Apache Installation'.
caterham_www commented:
> "GET http://www.hinet.net/ HTTP/1.1" 200

Do you have an open forward proxy? ProxyRequests on?

If you don't need mod_proxy, disable the module.
operation1611 (author) commented:
I didn't enable any proxy... I just used the standard httpd.conf and php.ini configuration.
periwinkle commented:
The second to last number is a status code. Status code 200 is a success code; however, 405 is Method Not Allowed, so those lines need not be worried about. For a full list of status codes, see page 39 of the RFC for the HTTP protocol at http://www.w3.org/Protocols/rfc2616/rfc2616.txt.

Looking up the IP addresses in your log file:

219.68.94.176 PTR record: 219-68-94-176.adsl.dynamic.giga.net.tw
218.171.153.62 PTR record: 218-171-153-62.dynamic.hinet.net
218.171.149.166 PTR record: 218-171-149-166.dynamic.hinet.net
218.171.153.62 PTR record: 218-171-153-62.dynamic.hinet.net

Unless you are located in Taiwan, this would make me suspect that someone is probing your site for vulnerabilities.
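The two things caterham_www and periwinkle point at in the posted lines, the CONNECT method and a GET whose target is an absolute URI, are exactly what a log scan for open-proxy probing should key on, together with the status code that says whether the server went along with the request. Below is an added example (not code from the thread or from Apache) that parses Common Log Format lines and classifies them that way. The four sample lines are the ones posted in the question; the two extra lines are constructed to show an ordinary local hit and what a misconfigured server would log after accepting a tunnel. One caveat the code comments repeat: a 200 to an absolute-URI GET is ambiguous on its own, because an Apache that is not proxying treats `GET http://www.hinet.net/` as a request for `/` on itself, so compare the byte count with your own page before concluding anything.

```python
"""Classify Apache access_log lines for forward-proxy abuse indicators.

Added example for this thread; not code from the original post or from
Apache. It looks for the two patterns in the posted log: a CONNECT request
(asking the server to tunnel raw TCP, here to an SMTP port) and a GET whose
target is an absolute URI (a request written for a forward proxy). The
status code tells you whether the server went along with it.
"""
import re
from dataclasses import dataclass

# Common Log Format: host ident user [time] "request" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<bytes>\d+|-)'
)

# The four lines posted in the question.
SAMPLE_LOG = [
    '219.68.94.176 - - [29/Mar/2006:03:02:29 -0500] "GET http://www.hinet.net/ HTTP/1.1" 200 1456',
    '218.171.153.62 - - [29/Mar/2006:04:11:39 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326',
    '218.171.149.166 - - [29/Mar/2006:08:56:49 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326',
    '218.171.153.62 - - [29/Mar/2006:09:00:56 -0500] "CONNECT smtp.pchome.com.tw:25 HTTP/1.0" 405 326',
]

# Constructed lines (not from the post): an ordinary local hit, and what a
# misconfigured open proxy would log after accepting a CONNECT tunnel.
CONSTRUCTED_LOG = [
    '192.0.2.10 - - [29/Mar/2006:10:00:00 -0500] "GET / HTTP/1.1" 200 1456',
    '198.51.100.7 - - [29/Mar/2006:10:05:00 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 200 0',
]


@dataclass
class Finding:
    host: str
    method: str
    target: str
    status: int
    kind: str         # normal | connect_refused | connect_tunnelled | absolute_uri_200 | absolute_uri_refused
    smtp_target: bool # request aimed at port 25: spam relay attempt


def classify(line):
    """Parse one CLF line; return a Finding, or None if the line does not parse."""
    m = _CLF.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    status = int(m.group("status")) if m.group("status") != "-" else 0
    ok = 200 <= status < 300
    if method == "CONNECT":
        # Any 2xx to CONNECT means the server agreed to open the tunnel.
        kind = "connect_tunnelled" if ok else "connect_refused"
    elif target.lower().startswith(("http://", "https://")):
        # Absolute-URI request line: written for a forward proxy. A 200 here is
        # ambiguous, because a non-proxying Apache treats it as a request for
        # the named path on itself; compare the byte count with your own page.
        kind = "absolute_uri_200" if ok else "absolute_uri_refused"
    else:
        kind = "normal"
    return Finding(m.group("host"), method, target, status, kind, target.endswith(":25"))


def scan(lines):
    """Return only the findings that indicate proxy-style requests."""
    return [f for f in map(classify, lines) if f is not None and f.kind != "normal"]


def hosts_by_count(findings):
    """Count proxy-style requests per client address, most active first."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG + CONSTRUCTED_LOG):
        flag = " [SMTP relay attempt]" if f.smtp_target else ""
        print(f"{f.host:16} {f.method:8} {f.status} {f.kind}{flag} {f.target}")
    print(hosts_by_count(scan(SAMPLE_LOG)))
```

To run it over a real log, pass `open("access_log").read().splitlines()` to `scan`. The `connect_tunnelled` kind is the one that should never appear on a server that is not meant to be a proxy; `connect_refused` lines, like the three 405s in the question, are noise from relay scanners and are safe to ignore once you have confirmed the configuration.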

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
periwinkle commented:
P.S. I would review the configuration files to make certain that mod_proxy isn't enabled; information on mod_proxy can be found here:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
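The configuration review periwinkle recommends comes down to three facts: whether `mod_proxy` is loaded, whether `ProxyRequests On` is set (that single directive is what turns Apache into a forward proxy; a loaded module alone does not), and whether `mod_proxy_connect` is also loaded, since CONNECT tunnels need it. The following is an added example, not Apache's code or anything from the thread, that scans an httpd.conf text for those facts. The three configurations are constructed samples (an accidental open proxy, the stock layout with the proxy `LoadModule` lines commented out, and a forward proxy fenced by a `<Proxy>` block), not the asker's file.

```python
"""Check an httpd.conf for an open forward proxy.

Added example for this thread; not Apache's code. Apache only forwards
requests for other hosts when mod_proxy is loaded AND `ProxyRequests On` is
set, and it only honours CONNECT tunnels if mod_proxy_connect is loaded as
well. The three configurations below are constructed samples, not the
asker's file; pass your own file's text to `audit_httpd_conf` to check it.
"""
import re

_DIRECTIVE = re.compile(r"^(?P<name>[A-Za-z_]+)\s*(?P<args>.*)$")

# Constructed sample: what an accidental open proxy looks like.
OPEN_PROXY_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests On
"""

# Constructed sample: the stock layout, proxy modules left commented out.
DEFAULT_CONF = """\
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
Include conf/extra/httpd-vhosts.conf
"""

# Constructed sample: a forward proxy fenced off by a <Proxy> access block.
RESTRICTED_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/24
</Proxy>
"""


def audit_httpd_conf(text):
    """Flat scan of one config text; returns the facts that decide open-proxy status."""
    loaded = set()
    proxy_requests_on = False
    proxy_acl = False
    includes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank or commented out: no effect
        if line.startswith("<"):
            # <Proxy *> / <ProxyMatch ...> blocks carry the proxy access rules
            if re.match(r"<proxy(match)?\s", line, re.I):
                proxy_acl = True
            continue                        # other section tags are not tracked
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, args = m.group("name").lower(), m.group("args").split()
        if name == "loadmodule" and args:
            loaded.add(args[0].lower())
        elif name == "proxyrequests" and args:
            proxy_requests_on = args[0].lower() == "on"
        elif name == "include" and args:
            includes.append(args[0])        # not followed: audit these files too

    if not proxy_requests_on or "proxy_module" not in loaded:
        verdict = "not a forward proxy"
    elif proxy_acl:
        verdict = "forward proxy restricted by <Proxy> block: review its rules"
    else:
        verdict = "OPEN forward proxy"
    return {
        "proxy_module": "proxy_module" in loaded,
        "proxy_requests_on": proxy_requests_on,
        "proxy_acl_present": proxy_acl,
        "connect_tunnels": proxy_requests_on and "proxy_connect_module" in loaded,
        "unresolved_includes": includes,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, conf in (("open", OPEN_PROXY_CONF), ("default", DEFAULT_CONF), ("restricted", RESTRICTED_CONF)):
        print(label, audit_httpd_conf(conf))
```

The scan is deliberately flat: it does not follow `Include` lines, so check every file it lists under `unresolved_includes`, and on a running server cross-check with `httpd -M` (or `apachectl -M`), which prints the modules actually loaded regardless of which file loaded them.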
operation1611 (author) commented:
So that means... another user is using/trying to find a hole in my server to route another connection?... Hmm, this is bad... By the way, I didn't see any proxy enabled either in httpd.conf or php.ini...

By the way, how do they do that?... because normally a browser only uses GET.
periwinkle commented:
It's not so bad - they are failing, as CONNECT isn't a protocol that is supported by your web server, so you don't have to worry about it.

What is more interesting is the GET statement. Basically, any program that uses the HTTP 1.1 protocol can use GET - which means you could make a specialized program that looks for vulnerabilities.

What else has IP address 219.68.94.176 attempted in your logs? The full list would be interesting.
operation1611 (author) commented:
Only that access_log....

How do they change from GET to another method like CONNECT... can this be done in a browser?
periwinkle commented:
Apparently, someone is attempting to use your server as an SMTP (e-mail) proxy; in your case, they were not successful. It really doesn't matter HOW they are attempting to do it; your server is blocking it.

I googled up the following discussion that might be useful:

http://www.webmasterworld.com/forum92/5421.htm

This explains how the access is shut off.
periwinkle commented:
You can read more about what they are attempting here:

http://www.dsbl.org/relay-methods

From that page:

HTTP CONNECT relaying
The HTTP protocol has a provision for arbitrary TCP proxying, ala SOCKS. A spammer connects to an insecure HTTP server and issues:

>>> CONNECT mx.victim.com:25 HTTP/1.0
>>>
<<< 220 victim.com ESMTP

These often occur on ports 80, 443, 1080, 3128 and 8080.
periwinkle commented:
Here's some more information:

http://bugs.php.net/bug.php?id=19113

You can achieve this just by telnet.
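The CONNECT exchange quoted from dsbl.org above, and the telnet session periwinkle mentions, scripted as an added example that is not part of the original thread or of Apache. `probe_connect` sends the same `CONNECT host:25 HTTP/1.0` request a relay scanner sends and reads only the status line: the HTTP specification (RFC 7231, section 4.3.6) defines any 2xx reply to CONNECT as "tunnel established", so that one number is all the client needs to know whether your server will relay for it. The two in-process servers are constructed stand-ins, not real Apache: one refuses with 405 the way the asker's server did, the other answers like an open proxy. Against a live server, call `probe_connect("your.host", 80)`; it makes one outbound connection and sends only the request header.

```python
"""Self-test for HTTP CONNECT relaying, with both sides of the exchange.

Added example for this thread; not code from the post or from Apache.
probe_connect() plays the relay scanner; the two mock servers are
constructed stand-ins for a refusing web server and an open proxy.
"""
import socket
import threading


def probe_connect(host, port, target="mx.example.com:25", timeout=5.0):
    """Send one CONNECT request; return (status_code, reason, tunnel_opened)."""
    request = "CONNECT %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (target, target)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        data = b""
        while b"\r\n" not in data:          # read until the status line is complete
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return 0, status_line, False        # not HTTP at all, or connection dropped
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    return code, reason, 200 <= code < 300  # any 2xx to CONNECT means a tunnel was opened


def _serve_once(listener, open_proxy):
    """Mock server: answer one request the way a plain web server or an open proxy would."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf:       # read the full request header
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
        method = buf.split(b" ", 1)[0]
        if method == b"CONNECT" and open_proxy:
            conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
        elif method == b"CONNECT":
            # What a non-proxying Apache logs as "CONNECT ... 405" in access_log.
            conn.sendall(b"HTTP/1.0 405 Method Not Allowed\r\n"
                         b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n")
        else:
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")


def start_mock_server(open_proxy):
    """Start a one-shot mock on 127.0.0.1 and return its port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listener, open_proxy), daemon=True).start()
    return port


def demo():
    """Probe both mocks; returns (result_against_web_server, result_against_open_proxy)."""
    refusing = start_mock_server(open_proxy=False)
    relaying = start_mock_server(open_proxy=True)
    return probe_connect("127.0.0.1", refusing), probe_connect("127.0.0.1", relaying)


if __name__ == "__main__":
    for label, (code, reason, opened) in zip(("web server", "open proxy"), demo()):
        print("%-10s %d %s -> %s" % (label, code, reason, "OPEN RELAY" if opened else "refused"))
```

The refusal path is what the asker's log shows: the scanner sends CONNECT, gets a 405, and moves on. If `probe_connect` ever returns `True` for a server you own, the fix is in the configuration (`ProxyRequests Off`, or unload `mod_proxy` and `mod_proxy_connect`), not in the log.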
periwinkle commented:
And here's another one:

http://www.us.sorbs.net/faq/proxy.shtml
operation1611 (author) commented:
Thank you for the guidance...