
Being used as a proxy?

appears something is passing off a URL through my site

         

anchordesk

8:15 pm on Aug 8, 2003 (gmt 0)

10+ Year Member



I found a couple entries in my log file which I do not understand:

61.187.156.253 - - [05/Aug/2003:23:04:47 -0500] "GET [yahoo.com...] HTTP/1.1" 200 417 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"

61.140.188.224 - - [08/Aug/2003:13:44:55 -0500] "GET [intel.com...] HTTP/1.1" 200 417 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

The response code is a 200 ... but what happened when the user accessed my web site? How can a user leave footprints in my web logs with a 200 without a valid file accessed?

a confused Anchordesk

wkitty42

8:52 pm on Aug 8, 2003 (gmt 0)

10+ Year Member



what webserver are you running anchordesk?

both of those IPs are from china... two different provinces, though... if you don't need or want chinese traffic, block the entire 61.*.*.* block... i know there are others in there, too but that will get you a start...

anchordesk

9:17 pm on Aug 8, 2003 (gmt 0)

10+ Year Member



The webserver is Apache 1.3.26.

I just took it for granted that I could duplicate any entry found in my logs, but after trying, this one has me stumped.

wkitty42

10:35 pm on Aug 8, 2003 (gmt 0)

10+ Year Member



the only thing i can think of is some kind of proxying (like you asked about) or some sort of forwarding...

what does [your.site...] do?

i can't say that i've seen or heard of this other than when someone has the proxy modules set up... however, most of those were of the CONNECT [another.site...] format instead of a GET...

what modules do you have loading?

oh, yeah... what platform are you running it on?

whoops, forgot to add... why not upgrade to 1.3.27 or 1.3.28? .28 is the latest and is a few weeks old...

wkitty42

10:37 pm on Aug 8, 2003 (gmt 0)

10+ Year Member



hey? maybe nothing to worry about, either... it looks like your system only sent 417 bytes and those two sites are much larger than that...

marcs

10:54 pm on Aug 8, 2003 (gmt 0)

10+ Year Member



Seeing a 200 does not mean you can be used as a proxy. Sample from one of our logs :

61.140.188.224 - - [07/Aug/2003:23:07:00 -0700] "GET [alltheweb.com...] HTTP/1.1" 200 4446 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

The home page on that site is 4446 bytes, so they did not end up at alltheweb, they simply got our home page.
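A small log-triage script, added here as an illustration and not part of any post in this thread: it parses Apache combined-format lines, flags request lines that carry an absolute URL or a CONNECT, and applies marcs's byte-count check (a 200 whose size equals the local index page means the proxy attempt was answered with your own page, not relayed). The sample lines use documentation IPs and are constructed after the entries quoted above; the 417-byte index size is anchordesk's.

```python
import re
from dataclasses import dataclass
# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# A request-target that is a full URL (scheme://...) rather than a path is proxy-style.
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

# Constructed sample lines (documentation IPs) modelled on the entries quoted in this thread.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2003:23:04:47 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 417 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
198.51.100.2 - - [05/Aug/2003:23:05:10 -0500] "GET /index.html HTTP/1.1" 200 417 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Aug/2003:23:06:00 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 200 14402 "-" "-"
203.0.113.9 - - [05/Aug/2003:23:06:30 -0500] "GET http://www.example.org/ HTTP/1.1" 200 9876 "-" "-"
"""

@dataclass
class Finding:
    ip: str
    method: str
    target: str
    nbytes: int
    kind: str     # "connect", "absolute-uri" or "normal"
    verdict: str  # "ok", "served-local-page" or "investigate"

def classify(method: str, target: str) -> str:
    if method.upper() == "CONNECT":
        return "connect"
    return "absolute-uri" if ABS_URI_RE.match(target) else "normal"

def analyze(log_text: str, index_size: int) -> list:
    # index_size: byte length of the page served for "/" (417 bytes in anchordesk's case)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than mis-parse them
        kind = classify(m["method"], m["target"])
        nbytes = 0 if m["bytes"] == "-" else int(m["bytes"])
        if kind == "normal":
            verdict = "ok"
        elif m["status"] == "200" and nbytes == index_size:
            verdict = "served-local-page"  # proxy probe was answered with our own index page
        else:
            verdict = "investigate"        # status or size does not match a plain local response
        findings.append(Finding(m["ip"], m["method"], m["target"], nbytes, kind, verdict))
    return findings
```

Run it over a real access log by passing the file contents and the byte size of your own index page; anything that comes back as "investigate" is a request your server did not answer with its usual local page.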

anchordesk

12:02 am on Aug 9, 2003 (gmt 0)

10+ Year Member



You gave me a clue I was not looking at ... the 417 is the size of my root index.html, so true, what was returned was my index.html file.

I've seen CONNECT instead of GET used and the server always returns a 400 (Bad Request). Tried accessing with my browser various ways (i.e. [mysite.com...] ... [mysite.com...]) and could not duplicate the entry.

I'm just baffled as to what was passed to the server to record a log entry like that. Was it a random probing by a script or human targeting just my domain? Maybe I'm wrong, but I wonder if the user-agent was spoofed.

-anchordesk

marcs

12:27 am on Aug 9, 2003 (gmt 0)

10+ Year Member



Was it a random probing by a script or human targeting just my domain? Maybe I'm wrong, but I wonder if the user-agent was spoofed.

Most likely a script scanning IP ranges for open proxies. User-Agent is spoofed.

FineWare

12:28 am on Aug 9, 2003 (gmt 0)

10+ Year Member



Think I've seen most of those variants. This will take care of 'em:

RewriteCond %{THE_REQUEST} .*alltheweb.* [NC,OR]
RewriteCond %{THE_REQUEST} .*ebay.* [NC,OR]
RewriteCond %{THE_REQUEST} .*google.* [NC,OR]
RewriteCond %{THE_REQUEST} .*intel.* [NC,OR]
RewriteCond %{THE_REQUEST} .*nba.* [NC,OR]
RewriteCond %{THE_REQUEST} .*sumthin.* [NC,OR]
RewriteCond %{THE_REQUEST} .*tencent.* [NC,OR]
RewriteCond %{THE_REQUEST} .*watch-info.* [NC,OR]
RewriteCond %{THE_REQUEST} .*yahoo.* [NC]
# the OR-ed conditions above need a rule to act on; this one answers 403 Forbidden
RewriteRule .* - [F]

anchordesk

1:52 am on Aug 9, 2003 (gmt 0)

10+ Year Member



Thanks wkitty42, marcs and FineWare. I like the idea of the RewriteCond. Would the following work also? Or do I need to be cautious of all protocols?

RewriteCond %{THE_REQUEST} .http.* [NC,OR]

Also, is every IP starting with 61.*.*.* coming from China?

jdMorgan

2:59 am on Aug 9, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm off to finish a project, but I'll throw this in... I use this:


# match any GET/HEAD/POST whose request-target is a full http:// URL (proxy-style)
RewriteCond %{THE_REQUEST} ^(GET|HEAD|POST)\ /?http:// [NC]
# ...except when the URL points at this server's own name or IP
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /?http://(www\.)?mydomain\.com/ [NC]
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /?http://192\.168\.0\.1/ [NC]
RewriteRule .* - [F]

Second line is your domain name.
Third line is your IP address (omit the line if on shared IP).
Use "\" to escape all literal periods.
Change any "¦" characters to solid vertical pipe characters before use!

Jim

wilderness

10:02 am on Aug 9, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Also, is every IP starting with 61.*.*.* coming from China?

NO.
Won't be at home computer till some hours later.
I recall some Oceanic IPs in the 61.
Seems to me like it was only a few and perhaps
61.0.0.0 to 61.8.0.0
I'll check later

Don

wilderness

5:08 pm on Aug 9, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Here's what I have.
It's possible there are more of which I'm just not aware.

61.8.0.0 - 61.8.31.255 (ZIPAUST-AU) [61.8 AU];
61.9.128.0 - 61.9.255.255 AU

FineWare

8:33 pm on Aug 9, 2003 (gmt 0)

10+ Year Member



I would not include .http.* in there, because it would trigger on every web page requested. "HTTP/1.x" is the end of almost every request. If you're looking to trap some specific methods, recommend using:

RewriteCond %{THE_REQUEST} ^CHECKIN.* [OR]
RewriteCond %{THE_REQUEST} ^CHECKOUT.* [OR]
RewriteCond %{THE_REQUEST} ^CONNECT.* [OR]
RewriteCond %{THE_REQUEST} ^DELETE.* [OR]
RewriteCond %{THE_REQUEST} ^LINK.* [OR]
RewriteCond %{THE_REQUEST} ^OPTIONS.* [OR]
RewriteCond %{THE_REQUEST} ^POST.* [OR]
RewriteCond %{THE_REQUEST} ^PROPFIND.* [OR]
RewriteCond %{THE_REQUEST} ^PUT.* [OR]
RewriteCond %{THE_REQUEST} ^SEARCH.* [OR]
RewriteCond %{THE_REQUEST} ^SHOWMETHOD.* [OR]
RewriteCond %{THE_REQUEST} ^SPACEJUMP.* [OR]
RewriteCond %{THE_REQUEST} ^TEXTSEARCH.* [OR]
RewriteCond %{THE_REQUEST} ^TRACE.* [OR]
RewriteCond %{THE_REQUEST} ^UNLINK.*
# the OR-ed method conditions above feed this rule, which answers 403 Forbidden
RewriteRule .* - [F]

...or the like. I don't trap GETs or HEADs for obvious reasons.

anchordesk

8:50 pm on Aug 9, 2003 (gmt 0)

10+ Year Member



Thanks wilderness for your answer.

And thanks FineWare. I'm going to implement a couple of those RewriteConds for reasons more than just my prior concern.

cyberkat

9:28 pm on Aug 9, 2003 (gmt 0)

10+ Year Member



I have found that recently a spammer has been using a mod_proxy configuration (that was meant to allow for an easier transition to a new naming scheme, as well as changes to a backend software) as a spam relay.
Here are the following access logs from our website below showing that IP 207.215.127.248 is attempting a DoS attack on a Microsoft Corp. server via a proxy scan of our server.
The spammer has been using HTTP POST requests to send these messages with POST [mailserver:25...] HTTP/1.1. With some research, it looks like this is an automated process including the initial scan stage.
207.215.127.248 - - [14/Feb/2003:17:22:01 -0500] "CONNECT maila.microsoft.com:25 HTTP/1.0" 200 14402 "-" "-"
207.215.127.248 - - [14/Feb/2003:17:22:02 -0500] "CONNECT maila.microsoft.com:25 HTTP/1.0" 200 14402 "-" "-"
207.215.127.248 - - [14/Feb/2003:17:22:04 -0500] "CONNECT maila.microsoft.com:25 HTTP/1.0" 200 14402 "-" "-"

Since our Apache server does not proxy, I then forwarded all our log entries that contained this to Microsoft Security. They were very interested in this and asked us to forward the logs to them as they come in.

I had also found that IPs that have been banned from servers hunt for a proxy through which to connect to sites like CNN.com, yahoo.com etc.

jdMorgan

9:48 pm on Aug 9, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



FineWare,

>I would not include .http.* in there, because it would trigger on every web page requested. "HTTP/1.x" is the end of almost every request

The code I posted has been working well for a long time.

While it is true that every request will trigger the code, take a look at the second and third lines. These lines use exclusionary regex patterns, beginning with "!" and act to allow access to resources on your server only. Requests containing references to other hosts are served with a 403-Forbidden response. Also, note that all patterns are start-anchored, so the end of the request where the protocol is specified is of no concern.


# match any GET/HEAD/POST whose request-target is a full http:// URL (proxy-style)
RewriteCond %{THE_REQUEST} ^(GET|HEAD|POST)\ /?http:// [NC]
# ...except when the URL points at this server's own name or IP
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /?http://(www\.)?mydomain\.com/ [NC]
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /?http://192\.168\.0\.1/ [NC]
RewriteRule .* - [F]

Regarding the expansion of the scope of this thread to include HTTP methods, I reject methods other than GET, HEAD, and POST using

<Files *>
<LimitExcept GET POST>
deny from all
</LimitExcept>
</Files>

(GET includes HEAD)

Jim
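To see why the start-anchoring matters, here is jdMorgan's rule set re-expressed as Python regexes, alongside the `.http.*` pattern anchordesk proposed; this is an added illustration, not code from the thread. `mydomain.com` and 192.168.0.1 are the placeholders from the post, and `re.search` mirrors mod_rewrite's unanchored matching of a CondPattern.

```python
import re

# jdMorgan's three RewriteCond patterns from this thread, with the forum's broken-bar
# character restored to "|" and every literal period escaped. "mydomain.com" and
# 192.168.0.1 are the placeholders from his post, not real values.
PROXY_STYLE = re.compile(r"^(GET|HEAD|POST)\ /?http://", re.IGNORECASE)
OWN_HOST = re.compile(r"^(GET|HEAD|POST)\ /?http://(www\.)?mydomain\.com/", re.IGNORECASE)
OWN_IP = re.compile(r"^(GET|HEAD|POST)\ /?http://192\.168\.0\.1/", re.IGNORECASE)
# anchordesk's proposed one-liner, kept for comparison.
NAIVE_HTTP = re.compile(r".http.*", re.IGNORECASE)

def jdmorgan_forbids(the_request: str) -> bool:
    """True when all three conditions hold, i.e. 'RewriteRule .* - [F]' would fire.
    the_request is Apache's THE_REQUEST: the raw request line, e.g. 'GET / HTTP/1.1'."""
    # RewriteCond is an unanchored match, hence re.search; the "!" lines are negated.
    return (PROXY_STYLE.search(the_request) is not None
            and OWN_HOST.search(the_request) is None
            and OWN_IP.search(the_request) is None)

def naive_http_matches(the_request: str) -> bool:
    """FineWare's objection: the ' HTTP/1.x' ending every request line matches '.http.*'."""
    return NAIVE_HTTP.search(the_request) is not None

if __name__ == "__main__":
    # Constructed request lines: a local page, proxy-style probes, an own-host URL, a CONNECT.
    for req in ("GET /index.html HTTP/1.1",
                "GET http://www.yahoo.com/ HTTP/1.1",
                "GET /http://www.intel.com/ HTTP/1.1",
                "get HTTP://MYDOMAIN.COM/page.html HTTP/1.1",
                "CONNECT mail.example.net:25 HTTP/1.0"):
        print(f"{req:45} jdMorgan->{'403' if jdmorgan_forbids(req) else 'pass':4} "
              f"naive->{'match' if naive_http_matches(req) else 'no match'}")
```

The CONNECT line passes all three conditions untouched because the pattern only names GET, HEAD and POST; that gap is what the `<LimitExcept>` block in the same post closes.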

Yidaki

10:02 am on Aug 10, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have a lot of these entries (especially intel) in my logs for at least two years. I've always thought it'd be some nimda-like request. But after finding out last year that a couple of Chinese people used the (damn) open proxy of my webstar server to surf pron pages and political forums (what a mix) for a month, I'm pretty sure the mentioned requests are open proxy checks.

anchordesk

2:57 pm on Aug 10, 2003 (gmt 0)

10+ Year Member



Thanks everyone for the input. I've learned a lot since asking my question.

- anchordesk