In freebsd-questions Digest, Vol 353, Issue 5, Message: 21
On Wed, 09 Mar 2011 15:02:57 -0500 pe...@vfemail.net wrote:
 > At 03:06 PM 3/9/2011, Robert Bonomi wrote:
 > >>
 > >> I was looking at my Web log this morning, and a bunch of nonsensical 
 > >> entries like these caught my attention:
 > >>
 > >> 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET 
 > >> http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; 
 > >> MSIE 6.0; Windows NT 5.1; SV1)"
 > >> 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET 
 > >> http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0 
 > >> (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 
 > >> 115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] "GET 
 > >> http://join1.winhundred.com/affiliate/link.php?ref=35840&productid=7178 
 > >> HTTP/1.0" 404 3485 "http://www.wingclips.com/" "Mozilla/4.0 (compatible; 
 > >> MSIE 6.0; Windows NT 5.1; SV1)"
 > >> 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] "GET 
 > >> http://www.tosunmail.com/proxyheader.php HTTP/1.0" 301 313 
 > >> "http://www.cashsoldier.com/VerifyerLevel.php" "Mozilla/4.0 (compatible; 
 > >> MSIE 6.0; Windows NT 5.1; SV1)"
 > >>
 > >> Is my FreeBSD box serving as some kind of Web proxy?
 > >
 > >Your box is _not_ doing the proxying.  That's why it's signalling errors
 > >for those requests.
 > >
 > >The perpetrators are _hoping_ you are running a misconfigured proxying 
 > >front-end.
 > 
 > Does this entry change your conclusion:
 > 
 >      188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET 
 > http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"

No, Robert is right.

Note that the first four you listed were all HTTP/1.0 requests.  The 
ones with anything after the last '/' are 404 (page not found) except 
the last.  Not sure about that 301, do you have a proxyheader.php?

The more recent one is HTTP/1.1 with nothing after the last / so the 
http://images.google.com is ignored, and I expect you may find that 
your home page (ie requests for just '/') serve up 13134 bytes?

At least that's what happens here with apache 1.3; here's a few examples 
from a seldom-accessed vhost where lots of requests are bogus, usually 
appearing across multiple vhosts (ie, from a sweep over IP addresses)

24.106.193.92 - - [01/Feb/2011:23:05:21 +1100] "GET http://www.ya.ru:80/ 
HTTP/1.0" 200 2327 "-" "Mozilla/4.0 (compatible; Synapse)"

(this one fetched the home page, see below)
 
83.20.184.159 - - [02/Feb/2011:10:43:04 +1100] "GET / HTTP/1.1" 403 287 "-" "-"

(requests w/ no referer (sic) and no browser ("-" "-") are denied here)

217.174.232.11 - - [03/Feb/2011:20:31:16 +1100] "GET / HTTP/1.1" 200 2327 "-" 
"Opera/9.00 (Windows NT 5.1; U; en)"
88.250.12.104 - - [03/Feb/2011:20:36:45 +1100] "GET / HTTP/1.1" 200 2327 "-" 
"Opera/9.00 (Windows NT 5.1; U; en)"

(accepted requests, this static / page always serves 2327 bytes)

109.61.188.165 - - [05/Feb/2011:20:46:04 +1100] "GET http://www.yahoo.com/ 
HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
84.127.236.75 - - [06/Feb/2011:10:25:53 +1100] "GET http://www.ebay.com/ 
HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

(forbidden browser strings &/or IP addresses in $apachedir/access.conf)

91.195.136.10 - - [07/Feb/2011:02:33:55 +1100] "GET http://images.google.com/ 
HTTP/1.1" 200 2327 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; 
WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; .NET4.0C; .NET4.0E)"

Oh look, one just like yours, but with an acceptable browser string .. 
so it got the homepage, attempted proxying request being just ignored.

cheers, Ian
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
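
Added example (not part of the original message or thread): a small Python triage of an Apache access log that applies the reasoning above, flagging proxy-style requests and comparing each 200 response size with what the site serves locally for the same path. The sample lines are constructed (documentation addresses, example.* hosts), and the verdict names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# scheme://authority at the start of a request target marks a proxy-style request
ABS_PREFIX = re.compile(r'^[a-z][a-z0-9+.-]*://[^/?#]*', re.I)

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not parse are skipped
            size = 0 if m["size"] == "-" else int(m["size"])
            yield m["host"], m["method"], m["target"], int(m["status"]), size

def local_sizes(lines):
    """Most common 200 response size per ordinary (origin-form) request target."""
    seen = defaultdict(Counter)
    for _, _, target, status, size in parse(lines):
        if status == 200 and target.startswith("/"):
            seen[target][size] += 1
    return {t: c.most_common(1)[0][0] for t, c in seen.items()}

def proxy_probes(lines):
    """Return (host, target, status, verdict); 'review' means check by hand."""
    lines = list(lines)
    sizes, out = local_sizes(lines), []
    for host, method, target, status, size in parse(lines):
        if method != "CONNECT" and not ABS_PREFIX.match(target):
            continue
        local = ABS_PREFIX.sub("", target) or "/"  # path left once scheme://host is ignored
        verdict = ("rejected" if status >= 400 else
                   "local page served" if status == 200 and sizes.get(local) == size else
                   "review")
        out.append((host, target, status, verdict))
    return out

# Constructed sample lines, modelled on the log format quoted in the thread
SAMPLE = [
    '192.0.2.10 - - [03/Feb/2011:20:31:16 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00"',
    '192.0.2.11 - - [03/Feb/2011:20:36:45 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00"',
    '198.51.100.5 - - [05/Feb/2011:20:46:04 +1100] "GET http://www.example.com/ HTTP/1.1" 403 287 "-" "Mozilla/4.0"',
    '198.51.100.6 - - [07/Feb/2011:02:33:55 +1100] "GET http://images.example.net/ HTTP/1.1" 200 2327 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Feb/2011:03:10:00 +1100] "GET http://www.example.org/ HTTP/1.0" 200 51234 "-" "-"',
    '203.0.113.8 - - [07/Feb/2011:03:11:00 +1100] "CONNECT mail.example.org:25 HTTP/1.0" 405 300 "-" "-"',
]
```

Calling `proxy_probes(SAMPLE)` returns one tuple per probe; to run it on a real log, pass an open file object for the access log instead of `SAMPLE`.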