Could this server log mean my server is being used as a proxy?

hacking nginx logging proxy

I came across the following entry in my access.log:

58.218.199.147 - - [05/Jun/2012:12:56:04 +1000] "GET http://proxyproxys.com/ HTTP/1.1" 200 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Normally when I see a full URL entry in my access.log I assume it is log spam with people trying to get me to access their site. These entries are normally followed with a 404 response.

The above entry is followed with a 200 'success' response! Doing some searching it would seem that this can occur when someone is trying to use your server as a proxy. This disturbed me more - especially because the URL in question has the word proxy in it.

Going to the site 'proxyproxys.com' (using hidemyass.com to protect my own identity), the site returns what appears to be some sort of 'proxy judge'

----------------------------------------
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.8
HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.53 Safari/536.5
HTTP_CONNECTION=close
REMOTE_PORT=56355

REMOTE_HOST=74.63.112.142
REMOTE_ADDR=74.63.112.142
----------------------------------------
CS_ProxyJudge Result=HIGH_ANONYMITY
----------------------------------------

Question: 1) does the 200 success mean that someone has been able to successfully use my server as a proxy? 2) are there other means of confirming if my server is being used as a proxy 3) can you refer me to documentation to help 'close up' my security gap if there is one.

Thanks.


An easy way to test this is to set your browser to use your webserver as its proxy. Any domain that points there will do or the raw IP address. Choose port 80 if it asks for a port.

If you can still browse the web and you see your browsing showing up in your access logs then yes, you're running an open proxy.


This happened to me too, found something interesting in docs for apache

My server is properly configured not to proxy, so why is Apache returning a 200 (Success) status code?

That status code indicates that Apache successfully sent a response to the client, but not necessarily that the response was retrieved from the foreign website.

RFC2616 section 5.1.2 mandates that Apache must accept requests with absolute URLs in the request-URI, even for non-proxy requests. This means that even when proxying is turned off, Apache will accept requests that look like proxy requests. But instead of retrieving the content from the foreign site, Apache will serve the content at the corresponding location on your website. Since the hostname probably doesn't match a name for your site, Apache will look for the content on your default host.

In the above example, since www.yahoo.com is obviously not a valid virtual host on your system, Apache will serve the homepage content from your default (virtual) host. The size of the response (1456 in the above example) can be compared to the size of the corresponding page on your default site to confirm that the response was served locally and no proxying was involved.

Since this seems to be a behavior required by the standard, i assume nginx is doing something similar. In my case, since it is returning my home page I think it is "failing successfully" hence the 200 code.


A 200 success response to a request just means that your webserver believes it served up a valid response to the given request. The request log entry you see just means that someone made an HTTP connection to your server and requested the (relative) url http://proxyproxys.com/.

This could happen if someone mistyped a url: e.g. if I'm browsing http://www.google.com/ and suddenly want to go to http://www.facebook.com, it's possible for me to forget to clear the URL bar in my browser and end up navigating to http://www.google.com/http://www.facebook.com. Google would then see a GET request for http://www.facebook.com in their logs. Typically, you'd serve up a 404 error in these cases, but there may be quirks in your configuration that means that 200 gets returned instead, for whatever reason. The easiest thing to do would be to test this yourself, against your own server. Navigate to http://[your-domain]/http://proxyproxys.com and see what gets generated in the access log.

I'd wager it's difficult to get a typical webserver like nginx to behave like a generic internet proxy, unless you specifically configure a script or other application to behave like that. There's nothing in your question that leads me to believe this is what's happened, but it's worth keeping an eye out for suspicious scripts / processes / configuration changes. If you have reasonable evidence to suspect your server has been tampered with, take it offline, wipe it and restore from backup.

Related

dovecot-lmtp does not exist
Laserfiche migration to Alfresco
Network shaping using `tc netem` doesn't seem to work
How do I prevent yum from updating a particular RPM?
SSD IOPS on linux, DIRECT much faster than buffered, fio
How to set mark on packet when forwarding it in nat prerouting table?
Can I run two different secure sites using the port 443 on the same server?
How do I disable the firewall on a single interface in Windows 7?
Mistakenly configured advanced audit policies; return to basic?
Finding out if an IP address is static or dynamic?
ssh_exchange_identification: Connection closed by remote host
How to use nginx PAM module?