Security Basics mailing list archives

Re: Strange Web Server Log Entries


From: infolookup () gmail com
Date: Fri, 7 Dec 2007 02:10:58 +0000

I think you should do an audit of our server to make sure you are not open to any attacks.

Try Nessus, Nmap, and a few other tools to make sure you are not vulnerable.
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Sean Malloy <spinelli85 () gmail com>
Date: Thu, 6 Dec 2007 15:24:24
To: security-basics () securityfocus com
Subject: Strange Web Server Log Entries


Dear List,

What do these entries in my Apache logs mean?

65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260

61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231

222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0

I am especially confused about the first lines in each set. I interpret it as "client
65.117.101.194 successfully connected to my webserver and requested the page
http://www.microsoft.com". It looks like someone is trying to bounce an
attack off of my webserver. Should I be worried about these entries?

The server only serves static XHTML and CSS pages.
-- 
Sean Malloy
Home Page: www.catgrepsort.com
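
Added example, not part of the original thread or either poster's code: a small Python filter that flags the kind of entries quoted above, that is, requests whose target is an absolute URL or that use CONNECT, the form a client sends to a proxy. The function names are hypothetical, the sample lines are taken from the post plus one constructed ordinary request, and treating a 2xx status as "needs review" is a triage heuristic assumed here.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def classify(line):
    """Return a dict for a proxy-style request, None for ordinary or unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        kind = "connect-tunnel"          # asks the server to open a raw TCP tunnel
    elif re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        kind = "absolute-uri"            # target names another host, as sent to a proxy
    else:
        return None                      # origin-form request such as "GET /index.html"
    # Assumption: a 2xx answer deserves a manual look; 4xx means the request was refused.
    return {"ip": m["ip"], "method": method, "target": target,
            "status": status, "kind": kind, "needs_review": 200 <= status < 300}

def summarize(lines):
    """Group proxy-style requests by client IP, preserving log order."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            by_ip[hit["ip"]].append(hit)
    return dict(by_ip)

# Lines from the post above; the last line is constructed as an ordinary request.
SAMPLE = [
    '65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770',
    '65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228',
    '65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260',
    '61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231',
    '89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0',
    '192.0.2.10 - - [20/Nov/2007:09:30:00 -0600] "GET /index.html HTTP/1.0" 200 2770',
]

if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE).items():
        for h in hits:
            flag = "REVIEW" if h["needs_review"] else "refused"
            print(f'{ip:16} {h["kind"]:15} {h["method"]:8} {h["status"]} {flag} {h["target"]}')
```

A 2xx on a flagged line only shows that the server answered; comparing the logged byte count with the size of the server's own default page helps tell local content from relayed content.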
