I noticed in the log that I've been getting a small number of hits. It's a fair bet that these are up to no good.
Those that aren't my own accesses seem to be coming mostly from overseas - Korea seems a popular source.
What struck me as strange is the form that the GETs take. They consist of full paths (including http:) to other web sites, which tend to be popular ones.
Examples:
219.135.164.30 - - [20/Dec/2005:18:52:30 -0800] "GET [abcseek.info...] HTTP/1.1" 404 341 "-" ""
219.135.164.30 - - [20/Dec/2005:19:22:50 -0800] "GET [abcseek.info...] HTTP/1.1" 404 341 "-" ""
211.59.25.199 - - [20/Dec/2005:21:59:52 -0800] "GET [intel.com...] HTTP/1.1" 403 3931 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
203.228.37.221 - - [21/Dec/2005:04:26:06 -0800] "GET [intel.com...] HTTP/1.1" 403 3931 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
Am I correct in assuming that these are some kind of hacker robots probing for proxy servers? Or is my Apache server, in fact, acting as a proxy server when given these mal-formed paths? (By design or by error?)
I notice that the server returned 404 for the first two in the examples above, and 403 for the second two.
Hopefully, this is obvious to most here and I'll get a quick reply. I'm a bit rusty, as I haven't operated a website in years (last Apache version I used was 1.4) and so I'm in the process of getting back up to speed both in terms of server functionality and features as well as what exploit attempts I might face.
I'm turning off the port forwarding for now, as I really had no reason to have it on, other than to test that I know how to set it up. I'll be running a site at a hosting company, but it's useful to be able to expose a test machine when working with others on a site, etc.
Anyone know what these are, and what potential danger they might pose? I think I can turn them off pretty easily with a URL pattern in my firewall. (Netscreen).
Are these hacker robots trying to find proxies?
I notice that the server returned 404 for the first two in the examples above, and 403 for the second two.
But thanks, answered my question!
I do have the ability to block URLs based on a match in my firewall, so I have blocked anything starting with "http://".
And I guess I could pick a less obvious port than 8000. Could be worse, I could have picked 8080.
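An added example, not part of the original thread: a small Python check that scans Apache combined-format access log lines for proxy-style requests (an absolute URL in the request line, or CONNECT) and separates the ones the server refused from the ones it answered with a 2xx/3xx. The sample lines, IP addresses and host names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify(line):
    """Return (ip, target, status, verdict) for a proxy-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    # A normal request carries only a path; a proxy request names a full URL
    # (or uses CONNECT host:port).
    if method != "CONNECT" and not ABSOLUTE_URI.match(target):
        return None
    # 4xx/5xx: the probe was turned away. 2xx/3xx: the server answered, which
    # may be a relayed page or just local content; compare the byte count
    # with your own pages and check whether mod_proxy/ProxyRequests is on.
    verdict = "review" if 200 <= status < 400 else "refused"
    return m["ip"], target, status, verdict

def summarize(lines):
    """Group proxy-style requests by client IP."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]].append(result[1:])
    return dict(hits)

# Constructed sample lines (documentation IP ranges and example hosts).
SAMPLE = [
    '192.0.2.10 - - [20/Dec/2005:18:52:30 -0800] "GET http://www.example.com/ HTTP/1.1" 404 341 "-" ""',
    '198.51.100.7 - - [20/Dec/2005:21:59:52 -0800] "GET http://www.example.org/ HTTP/1.1" 403 3931 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"',
    '198.51.100.7 - - [21/Dec/2005:04:26:06 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 405 312 "-" "-"',
    '203.0.113.5 - - [21/Dec/2005:09:00:00 -0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Dec/2005:09:05:00 -0800] "GET http://www.example.com/ HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for ip, reqs in summarize(SAMPLE).items():
        for target, status, verdict in reqs:
            print(f"{ip:15} {status} {verdict:8} {target}")
```

Lines marked "refused" match what the thread's log shows (404 and 403); a "review" line is the case worth investigating before exposing the machine again.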