Re: GET in Access Log File

[Tony Barry <tony () no-bull co nz>]

Thank you, your diagnosis was spot on so although they are trying the
server is just dishing up the index page. Just as a bit of extra info
I'm using <LimitExcept> to control methods.

Many thanks for the help from all.


On Tue, 2005-10-25 at 09:53 -0500, S.A.B.R.O. Net Security wrote:
> It appears someone is indeed attemping to use your server as an open 
> proxy via the HTTP GET tunnel trick.
>
> This is also common with POST, CONNECT, etc....scan your logs for these 
> types of attempts as well.
>
> What's interesting is even though they received a status code of 200 
> (Success) in your examples, the two different sites they
> attempted to access both returned 1302 bytes....maybe this is your 
> server feeding them your index.html and not the external site's page?
>
> Try using the following :
>
> telnet <your server> 80
> then type CONNECT some.site.com:80 HTTP/1.0<enter><enter>
>
> If it returns anything other then your index.html or an error status try 
> checking out the following :
>
> Check out the Limit option in httpd.conf:
>
>         <Limit GET POST>
>                 .
>                 .
>                 .
>         </Limit>
>
> The above, when placed within a <directory /path/to/directory>....
> </directory> section,  will only allow GET and POST requests to that
> directory and it's sub-directories. Anything else will give the 405(Method
> Not Allowed)  response that you see for the CONNECT request.
>
>
> (Portions snagged from other sources.....kudos to the original authors).
-- 
Tony Barry

No Bull Services
PO Box 51528
Pakuranga
Auckland

021 413642
09 5768552

http://www.NO-BULL.CO.NZ
*************************************************************************

This e-mail and any files transmitted with it are confidential and
intended solely for the use of the addressee/s.
If you have received this e-mail in error please notify the sender.

*************************************************************************