Return-Path: Delivered-To: apmail-httpd-users-archive@www.apache.org Received: (qmail 1415 invoked from network); 13 Mar 2011 12:07:11 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 13 Mar 2011 12:07:11 -0000 Received: (qmail 96982 invoked by uid 500); 13 Mar 2011 12:07:08 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 96939 invoked by uid 500); 13 Mar 2011 12:07:07 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 96931 invoked by uid 99); 13 Mar 2011 12:07:07 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 13 Mar 2011 12:07:07 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: local policy) Received: from [83.160.57.126] (HELO xs.adaptr.nl) (83.160.57.126) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 13 Mar 2011 12:07:01 +0000 Received: from [10.10.10.202] (unknown [10.10.10.202]) by xs.adaptr.nl (Postfix) with ESMTPSA id F35F61D8082 for ; Sun, 13 Mar 2011 13:06:37 +0100 (CET) Message-ID: <4D7CB34D.2020008@adaptr.nl> Date: Sun, 13 Mar 2011 13:06:37 +0100 From: Jeroen Geilman User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20101209 Thunderbird/3.0.11 ThunderBrowse/3.3.4 MIME-Version: 1.0 To: users@httpd.apache.org References: <20110310141601.15716yp3buskzpc0@www.twistfare.be> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org Subject: Re: [users@httpd] suspicious proxy(?) URLs in logs On 03/13/2011 01:53 AM, Eric Covener wrote: > On Thu, Mar 10, 2011 at 8:16 AM, Rob De Langhe > wrote: > >> hi, >> >> while going occasionally through the access logs of a 2.2.17 Apache server, >> I noticed some URLs of remote locations where my server would have made a >> GET for ?! >> >> an example: >> >> 194.0.122.134 - - [10/Mar/2011:02:26:55 +0100] "GET http://www.ebay.com/ >> HTTP/1.1" 200 240 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)" >> >> So the status code = 200 indicates that the server allowed that URL >> "http://www.ebay.com" for the client 194.0.122.134 ... >> > This doesn't necessarily mean it was proxied. Requests of this type > will just be served from your default (first-listed) vhost for > whatever iface it was received on. > ...and was received by an application that accepts wildcard requests. Any existing (and non-matching) content will simply 404 it. Whether or not the application that blindly accepted it will try to retrieve the URL is a legitimate concern, but it would mean he is already running very dubious software. -- J. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " from the digest: users-digest-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org