2

I have set up an nginx server literally an hour ago. It is open to the world but is not in production. There is no CNAME or other DNS records associated with the server's IP address yet.

In the access.log I see the following:

163.172.7.162 - - [18/Jan/2017:00:51:23 +0000] "GET http://proxyjudge.info/ HTTP/1.1" 400 270 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)"
163.172.7.162 - - [18/Jan/2017:00:51:48 +0000] "\x04\x01\x00P\xC62\x83\x9C0\x00" 400 172 "-" "-"
163.172.7.162 - - [18/Jan/2017:00:51:48 +0000] "\x04\x01\x00P\xC62\x83\x9C0\x00" 400 172 "-" "-"
163.172.7.162 - - [18/Jan/2017:00:51:48 +0000] "\x05\x01\x00" 400 172 "-" "-"

I have a couple of questions:

  • What is the purpose of proxyjudge.info's probing of my server? I took a look at their web site but I cannot figure out their intention. I think I would like to find out if it is malicious or not.

  • After the first hit it sent several requests to the URL like \x05\x01\x00. What can be discovered from this request?

I fail to find any substantial information via Google search. Based on http://mxtoolbox.com/ the source IP is not blacklisted. The bigger issue for me is that I don't know how to judge if a certain traffic to my server is risky or not.

Anthony Kong
  • 209
  • 2
  • 7
  • 1
    I would say that *all* traffic to your server is risky. Your better question is if their actions pose a specified risk to your server. – schroeder Jan 18 '17 at 07:47

1 Answer

2

It is testing if your server is configured as HTTP proxy. If you open the proxyjudge.info website, they also tell you this.

Since your server returns Error 400 to the request, everything seems to be fine.

Josef
  • 5,903
  • 25
  • 33
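The answer identifies the first line as an HTTP proxy check. The two binary lines are the same check for the other common proxy protocols: `\x04\x01\x00P\xC62\x83\x9C0\x00` is a SOCKS4 CONNECT request (version 4, command 1, destination port 0x0050 = 80, destination IP 198.50.131.156, empty user id, NUL terminator) and `\x05\x01\x00` is a SOCKS5 greeting (version 5, one offered auth method, method 0 = no authentication). A web server that is not acting as a proxy answers all three with an error, which is what the 400s show. The script below is an added example, not code from the question or the answer: it reverses nginx's `\xHH` escaping of `$request`, recognises the three probe shapes, and flags any probe that did not get a 4xx/5xx response, which is the check worth running over a real access.log. The sample log is constructed from the lines quoted in the question (the last line, a plain page request from a private address, is made up for contrast).

```python
"""Triage nginx access.log entries for open-proxy probing (HTTP, SOCKS4, SOCKS5).

Added example for this Q&A, not code from the original post. SAMPLE_LOG is
constructed from the lines quoted in the question plus one ordinary request.
"""
from __future__ import annotations

import re

# nginx writes non-printable bytes in $request as \xHH; printable ones stay literal.
_HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A request-target that is an absolute URI, or a CONNECT host:port, is only
# meaningful when the server is being asked to act as a forward proxy.
_PROXY_HTTP = re.compile(
    r"^(?:GET|POST|HEAD|OPTIONS) https?://\S+ HTTP/\d\.\d$|^CONNECT \S+:\d+ HTTP/\d\.\d$"
)

SAMPLE_LOG = r'''163.172.7.162 - - [18/Jan/2017:00:51:23 +0000] "GET http://proxyjudge.info/ HTTP/1.1" 400 270 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)"
163.172.7.162 - - [18/Jan/2017:00:51:48 +0000] "\x04\x01\x00P\xC62\x83\x9C0\x00" 400 172 "-" "-"
163.172.7.162 - - [18/Jan/2017:00:51:48 +0000] "\x05\x01\x00" 400 172 "-" "-"
10.0.0.5 - - [18/Jan/2017:01:00:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.52.1"
'''


def unescape_nginx(field: str) -> bytes:
    """Reverse nginx's \\xHH escaping of a logged request line into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(field):
        m = _HEX_ESC.match(field, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def classify_request(field: str) -> tuple[str, str]:
    """Return (kind, detail) for one logged request line.

    kind is one of 'socks4', 'socks5', 'http-proxy', 'http' or 'unknown'.
    """
    raw = unescape_nginx(field)
    # SOCKS4 request: VN=4, CD=1 (CONNECT) or 2 (BIND), DSTPORT(2), DSTIP(4), USERID, NUL
    if len(raw) >= 9 and raw[0] == 0x04 and raw[1] in (1, 2) and raw[-1] == 0x00:
        port = int.from_bytes(raw[2:4], "big")
        ip = ".".join(str(b) for b in raw[4:8])
        return "socks4", f"{ip}:{port}"
    # SOCKS5 greeting: VER=5, NMETHODS, then exactly NMETHODS method bytes
    if len(raw) >= 2 and raw[0] == 0x05 and len(raw) == 2 + raw[1]:
        methods = ",".join(f"0x{m:02x}" for m in raw[2:])
        return "socks5", f"auth-methods={methods}"
    if _PROXY_HTTP.match(field):
        return "http-proxy", field.split(" ", 2)[1]
    if re.match(r"^[A-Z]+ /\S* HTTP/\d\.\d$", field):
        return "http", field.split(" ", 2)[1]
    return "unknown", repr(raw)


def triage(log_text: str) -> list[dict]:
    """Parse every line and attach a verdict on whether a proxy probe succeeded."""
    findings = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, detail = classify_request(m["request"])
        status = int(m["status"])
        if kind in ("socks4", "socks5", "http-proxy"):
            # A web server that is not a proxy rejects these (nginx answers 400).
            # A 2xx/3xx here means the server may be relaying traffic for strangers.
            verdict = "refused" if status >= 400 else "POSSIBLE-OPEN-PROXY"
        else:
            verdict = "n/a"
        findings.append({"ip": m["ip"], "kind": kind, "detail": detail,
                         "status": status, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['kind']:10} {f['verdict']:20} {f['detail']}")
```

Run it against a real log with `triage(open("/var/log/nginx/access.log").read())` and grep the output for `POSSIBLE-OPEN-PROXY`; on the log in the question every probe comes back `refused`, which is the answer's point. The SOCKS decoding is deliberately strict about lengths and terminators so that random binary garbage is reported as `unknown` rather than mislabelled as a SOCKS handshake.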