Forum Moderators: DixonJones
61.159.253.175 - - [05/Feb/2003:15:11:34 -0500] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 3852 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
61.159.253.175 - - [05/Feb/2003:15:11:35 -0500] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 3852 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
The "sciencedirect.com" URL has nothing to do with my URL or any part of our domain. In fact it is a portal for accessing scientific journal articles. Most of these sites grant access based on your ip address, so I think that someone is using our ip addresses as a proxy to get access. Now here is the catch, I'm running apache 2.0 on Redhat 8.0 and I've commented out all of the proxy module lines in httpd.conf and restarted apache, but they still get through! I tried simulating this using telnet, but this is what I get:
192.168.0.1 - - [06/Feb/2003:13:28:40 -0500] "GET http://www.sciencedirect.com/ HTTP/1.1" 400 306 "-" "-"
Notice the 400 response and the much smaller request size. So I'm going out of my mind trying figure out what their doing and how to block these requests. If anyone has a clue as to what is going on and how to stop it, it would be much appreciated and would restore what is left of my sanity.
that's really quite crazy. but your webserver gave a 200 (ok) to that request. maybe the apache 2.0 is not that relyable?
I'm pretty sure that apache is reliable...more likely that the person admining is not so reliable ;)
I was hoping that someone here would windup being an apache guru and would recognize the problem. I have a hunch that it is one of the other dynamically loaded or compiled apache modules, but I'm not sure which one.
Even so, I still can't figure out how one would go about even sending a request that looks like that. I mean the log looks like it came from a browser(Internet Explorer 5). But how would you even type that in as a URL in a web browser? [my.ip.address?www.some.random.address?...]
GET [domain_here.com...] HTTP/1.1
Usually these type or entries (in my experience) indicate one of two things :
1) log spamming (hoping you will look at the URL), not the referrer spamming type.
2) someone looking for open proxies
As to why your web server responded with a 200 code, that is a bit odd. Maybe the machine you're on is an open proxy, but I don't have anything to back that up, as I don't run nor have access to an open proxy to see the response code for such requests.
I lean more towards someone looking for proxies. But what caught my eye was the URL of the site they requested. It seemed odd. I checked out the site and put two and two together. If you can proxy through a universities ip address, you can access sites that validate by users ip address (does users ip block belong to a known subscriber). I guess from there you could grab an authentication cookie and continue your nefarious deeds without having to use the proxy anymore...very naughty indeed.
Kidding aside, the thought of my machine being used as a proxy is upsetting. I commented out all of the mod_proxy lines in the httpd.conf file and the entire <ifModule mod_proxy.c> code block. I would rather not have to add individual ip addresses to my iptables file. Anything I missed?
I can't answer your root question, but here's a band-aid (requires mod_rewrite):
RewriteEngine on
RewriteRule ^/?http:// - [F]
HTH, Jim
Seriously,
Thanks Much
