Apache access.log interpretation

networking linux apache-2.2 logging

Okay, well i can get that exact log message using the following python code

import urllib
proxies = {'http':'http://myapacheserevr'}
file_handle = urllib.urlopen('http://www.siasatema.com',proxies=proxies)

Which gives me the log entry

192.168.0.28 - - [18/Mar/2011:14:40:40 +0200] "GET http://www.siasatema.com HTTP/1.0" 200 453 "-" "Python-urllib/1.17"

Incidently all i get back from this is the contents of my default web page,

So, yes something is proxying through your webserver it's probably hackers looking for open, badly configured, proxies to connect to and abuse another site. To stop it set:- 

ProxyRequests Off

Incidently i can replicate the other one's by doing

$ nc ubuntuvm 80
telnet 64.12.244.203 80

Which gives:- 192.168.0.28 - - [18/Mar/2011:14:58:47 +0200] "telnet 64.12.244.203 80" 400 505 "-" "-"


Your server is a open proxy which is a security problem. Spammers can send mails through your server. Others can look at child pr0n from your server. Fix it asap.

Change 

ProxyRequests Off

,in proxy configuration, to fix it.


I do not think that your apache is an open proxy.

174.34.231.19 - - [18/Mar/2011:02:24:56 +0200] "GET http://www.siasatema.com HTTP/1.1" 200 469 "-" "Python-urllib/2.4"

Could be someone that is sending a HTTP request to your apache server using www.siasatema.com as hostname in the request. The apache server will serve in this case the default page (the first virtual host). You can configure apache to discard this kind of requests or to redirect to your main page.

187.35.50.61 - - [18/Mar/2011:01:28:20 +0200] "POST http://72.26.198.222:80/log/normal/ HTTP/1.0" 404 491 "-" "Octoshape-sua/1010120"
87.117.203.177 - - [18/Mar/2011:01:29:59 +0200] "CONNECT 64.12.244.203:80 HTTP/1.0" 405 556 "-" "-"
87.117.203.177 - - [18/Mar/2011:01:29:59 +0200] "open 64.12.244.203 80" 400 506 "-" "-"
87.117.203.177 - - [18/Mar/2011:01:30:04 +0200] "telnet 64.12.244.203 80" 400 506 "-" "-"
87.117.203.177 - - [18/Mar/2011:01:30:09 +0200] "64.12.244.203 80" 400 301 "-" "-"

Those are unsuccessful requests that apache has discarded.


I believe the case is very simple: someone comes to your server, with correct IP but not with the name you expect, and gets the front page. This can be generated for example with the following:

A broadband user adds to his hosts file (/etc/hosts, or /windows/system32/drivers/etc/hosts) the entry

aa.bb.cc.dd rubbishrubbishrubbish.com

where aa.bb.cc.dd is your IP address, and after that uses any browser to access http://rubbishrubbishrubbish.com

You will see in the log file the access, and the "GET" for the / of rubbishrubbishrubbish.com. Typical apache installations are not interested in the hostname part of the URL, but just in the rest of it, thus returning your homepage.

Note also that your server can of course be accessed by using it's IP address or FQDN, or possible nicknames, which (unless forced explicitly) do not need to be known to the apache server. My home web server can be reached with multiple names over ipv4 and ipv6, but my server itself does not know any of those domain names.

The remaining question is: why? I guess the answer is: to test if you act as proxy. And you do not. And Python-urllib/2.4 has also been reported to be a BOT (but not always).

Related

Configure HP Lights-Out LO100i from the host operating system?
authorized_keys Environment Variables Not Setting Environment Variables
Will 100 Mbps client slow down 1000 Mbps network?
help using setspn and ktpass
Setting MX records with Registrar vs. Nameserver Host
Gigabit network with a 100 megabit firewall
Can a tmpfs become fragmented?
Best practices for placing SSL certificates for use in Apache 2?
Memory Usage by Bytes Top 10
Static file with HTTP headers?
TIME+ column in top command is inaccurate
Do I lose RAID array if I switch RAID controller