
I put up my site yesterday and this morning I saw a lot of requests in the logs. I have seen this before, and immediately could tell it was someone/something probing the server. Most of the requests are attempts to reach potential admin pages:

220.128.237.100 (-) - - [23/Jan/2019:05:30:45 +0000] "GET /myadmin2/index.php HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
220.128.237.100 (-) - - [23/Jan/2019:05:30:45 +0000] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
220.128.237.100 (-) - - [23/Jan/2019:05:30:46 +0000] "GET /phpMyadmin_bak/index.php HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
220.128.237.100 (-) - - [23/Jan/2019:05:30:46 +0000] "GET /www/phpMyAdmin/index.php HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
220.128.237.100 (-) - - [23/Jan/2019:05:30:47 +0000] "GET /tools/phpMyAdmin/index.php HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
220.128.237.100 (-) - - [23/Jan/2019:05:30:48 +0000] "GET /phpmyadmin-old/index.php HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
220.128.237.100 (-) - - [23/Jan/2019:05:30:48 +0000] "GET /phpMyAdminold/index.php HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
220.128.237.100 (-) - - [23/Jan/2019:05:30:48 +0000] "GET /phpMyAdmin.old/index.php HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"

But I also saw a number of requests to other websites, which is confusing.

120.39.53.147 (-) - - [23/Jan/2019:08:27:43 +0000] "GET / HTTP/1.1" 200 27702 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
106.91.209.210 (-) - - [23/Jan/2019:08:27:44 +0000] "CONNECT www.baidu.com HTTP/1.1" 400 226 "-" "-"
124.88.64.211 (-) - - [23/Jan/2019:08:27:45 +0000] "GET http://api.ipify.org/ HTTP/1.1" 200 27702 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
175.152.34.125 (-) - - [23/Jan/2019:08:27:47 +0000] "GET http://www.123cha.com HTTP/1.1" 200 27702 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36"
124.88.64.218 (-) - - [23/Jan/2019:08:27:54 +0000] "CONNECT www.voanews.com:443 HTTP/1.1" 405 178 "-" "PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3"
111.162.158.211 (-) - - [23/Jan/2019:08:27:54 +0000] "GET http://www.123cha.com/ HTTP/1.1" 200 27702 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
36.5.183.112 (-) - - [23/Jan/2019:08:27:55 +0000] "GET http://boxun.com/ HTTP/1.1" 200 15919 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
36.32.3.148 (-) - - [23/Jan/2019:08:27:57 +0000] "CONNECT cn.bing.com:443 HTTP/1.1" 405 178 "-" "PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3"
218.62.245.85 (-) - - [23/Jan/2019:08:27:58 +0000] "GET http://www.ip.cn/ HTTP/1.1" 200 27702 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
221.13.12.181 (-) - - [23/Jan/2019:08:27:59 +0000] "GET http://www.wujieliulan.com/ HTTP/1.1" 200 15919 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
125.76.60.255 (-) - - [23/Jan/2019:08:28:01 +0000] "GET http://www.rfa.org/english/ HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
123.158.61.200 (-) - - [23/Jan/2019:08:28:01 +0000] "GET http://www.minghui.org/ HTTP/1.1" 200 15919 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
71.6.232.4 (-) - - [23/Jan/2019:08:41:58 +0000] "GET / HTTP/1.1" 200 27702 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
104.131.146.83 (-) - - [23/Jan/2019:08:54:34 +0000] "GET / HTTP/1.1" 200 27702 "-" "Mozilla/5.0 zgrab/0.x"
127.0.0.1 (-) - - [23/Jan/2019:09:25:08 +0000] "GET / HTTP/1.1" 200 27702 "-" "Python-urllib/2.7"
194.74.244.130 (-) - - [23/Jan/2019:09:25:41 +0000] "GET / HTTP/1.1" 200 33618 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"

Why would these be getting logged in my logs? If it is a GET request aimed at a wholly separate site, why did it even reach my server? What am I missing?

turnip

2 Answers


... GET /phpMyadmin_bak/index.php ... 404 ...

These are requests which look for vulnerable installations of typical software (phpMyAdmin in this case). Nothing to worry about if you don't run such software in the first place - and the response code 404 indicates that you don't. But make sure that all the software you use is current and configured securely (like no default and no simple passwords) and better remove any software you don't actually need.

... CONNECT www.baidu.com HTTP/1.1 ... 400 ... ... GET htxp://www.minghui.org/ .... 200 ...

These are attempts to use your web server as an open proxy to reach other sites. Also, nothing to worry about if your server is not configured as a proxy. It cannot be seen from the logs though how your server is configured. But the response code 400 to the CONNECT method suggests that CONNECT is not supported. The code 200 to the plain HTTP proxy requests might mean you have an open proxy, although it might also be some default response sent by your own server.

In any case, this is the typical "line noise" you get on the internet, i.e. attempts to misuse your server or exploit it. You have to be able to securely handle it since you cannot really prevent it.

Steffen Ullrich
  • How does the attacker benefit from using my server as an open proxy? I assume it would allow them to spam other sites on my behalf? – turnip Jan 23 '19 at 10:04
  • that's a question not a comment, but yes it lets them spam & a whole variety of things largely about defeating ip-blocking or hiding their source. – pacifist Jan 23 '19 at 10:27
  • @turnip By turning your web server into an open proxy, the attacker can hide his/her real identity and can still carry on with the scan attempts for reconnaissance. As Steffen rightly pointed out, this noise is pretty normal as there are tons of bots out there which are automatically configured to carry out such actions. The only way to stay safe is to keep your server updated with the latest patches and also to have some sort of antivirus protection which can detect any malicious activities. – CyberDude Jan 23 '19 at 10:35
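As an added example (not part of the original answer or the question), the script below parses the log layout shown in the question and labels each request as an admin-panel probe, a CONNECT tunnel attempt, an absolute-URI proxy request, or ordinary traffic. It also checks whether proxy-style requests that received a 200 carry the same byte count as a plain GET /, which supports the reading that the server merely returned its own index page rather than relaying anything. The sample lines are copied from the question; the path fragments used to spot admin probes and all function names are my assumptions.

```python
"""Classify access-log lines of the layout quoted in the question.

Added example; not code from the original post. The expected layout is:
  IP (-) - - [timestamp] "request" status bytes "referer" "user-agent"
"""
import re
from collections import Counter

# Regex for the log layout above (assumption: one request per line, no quotes inside the UA).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \(\S*\) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: path fragments that mark a scan for admin panels (lower-cased before matching).
ADMIN_PATH_HINTS = ("phpmyadmin", "myadmin", "xampp")

# Six lines taken from the question's log excerpt.
SAMPLE_LOG = [
    '220.128.237.100 (-) - - [23/Jan/2019:05:30:45 +0000] "GET /myadmin2/index.php HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"',
    '120.39.53.147 (-) - - [23/Jan/2019:08:27:43 +0000] "GET / HTTP/1.1" 200 27702 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '106.91.209.210 (-) - - [23/Jan/2019:08:27:44 +0000] "CONNECT www.baidu.com HTTP/1.1" 400 226 "-" "-"',
    '124.88.64.211 (-) - - [23/Jan/2019:08:27:45 +0000] "GET http://api.ipify.org/ HTTP/1.1" 200 27702 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"',
    '36.5.183.112 (-) - - [23/Jan/2019:08:27:55 +0000] "GET http://boxun.com/ HTTP/1.1" 200 15919 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"',
    '104.131.146.83 (-) - - [23/Jan/2019:08:54:34 +0000] "GET / HTTP/1.1" 200 27702 "-" "Mozilla/5.0 zgrab/0.x"',
]


def parse_line(line):
    """Return a dict with ip/method/target/status/bytes/ua, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec


def parse_lines(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def classify(rec):
    """Label one parsed record by the request shape, not by the source address."""
    method, target = rec["method"], rec["target"].lower()
    if method == "CONNECT":
        return "proxy-connect"          # asks the server to open a tunnel to another host
    if target.startswith(("http://", "https://")):
        return "proxy-absolute-uri"     # plain HTTP proxy request: GET http://other-host/
    if any(hint in target for hint in ADMIN_PATH_HINTS):
        return "admin-probe"            # scan for admin panels such as phpMyAdmin
    return "normal"


def summarize(lines):
    """Count labels overall and per client IP."""
    counts, by_ip = Counter(), {}
    for rec in parse_lines(lines):
        label = classify(rec)
        counts[label] += 1
        by_ip.setdefault(rec["ip"], Counter())[label] += 1
    return counts, by_ip


def proxy_hits_matching_index(records):
    """Split 200-status absolute-URI GETs by whether their byte count equals that of a
    plain 'GET /' that also returned 200. A match suggests the server ignored the foreign
    target and served its own index page; a different size deserves a closer look."""
    root_sizes = {r["bytes"] for r in records
                  if r["method"] == "GET" and r["target"] == "/" and r["status"] == 200}
    matching, other = [], []
    for r in records:
        if classify(r) == "proxy-absolute-uri" and r["status"] == 200:
            (matching if r["bytes"] in root_sizes else other).append(r["target"])
    return matching, other


if __name__ == "__main__":
    counts, by_ip = summarize(SAMPLE_LOG)
    print(dict(counts))
    for ip, c in by_ip.items():
        print(ip, dict(c))
    print(proxy_hits_matching_index(parse_lines(SAMPLE_LOG)))
```

Run it against a full access log with `summarize(open("access.log"))`; a client that only ever produces `admin-probe` or `proxy-*` labels is a scanner, and the per-IP counters are a reasonable input for rate-based blocking such as fail2ban.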

Assuming you are not using your server as a proxy, these are likely common attempts of proxy abuse regularly seen on internet facing web servers.

The requests that received a status code of 200 probably returned your index page. You can check this using telnet or curl.

Suppose that:

  • your server name is site.example.org;

  • third parties are trying to connect to news.example.net and search.example.com;

  • your /index.html file contains:

      <!DOCTYPE html>
      <html>
      <head><title>It works!</title></head>
      <body><h1>It works!</h1></body>
      </html>
    

Using curl, you can reconstruct the requests you received like so:

$ curl site.example.org --request-target http://news.example.net/
<!DOCTYPE html>
<html>
<head><title>It works!</title></head>
<body><h1>It works!</h1></body>
</html>

Using telnet, you can reconstruct the requests you received like so:

$ telnet site.example.org 80
> GET http://news.example.com/ HTTP/1.1
> Host: news.example.com
>
HTTP/1.1 200 OK
...
Content-Type: text/html
...

<!DOCTYPE html>
<html>
<head><title>It works!</title></head>
<body><h1>It works!</h1></body>
</html>

If you receive your index.html as a result, that means your server is not configured as a proxy and you should not worry about these requests.

If you actually receive the contents of news.example.com or news.example.net your web server is configured as a proxy. You can deactivate this by commenting any proxy on; lines on your Nginx configs or by disabling mod_proxy on your Apache configs.

Some interesting references about this:

Rudy Matela
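The same check as the curl and telnet sessions above, written as an added Python example (not code from the original answer): it sends a `GET http://news.example.net/` request and a `CONNECT news.example.net:443` request to a server and compares the answer with the server's own `GET /` response. So that it runs offline, it starts a throwaway local server that behaves like a non-proxying origin (constructed here: every GET returns the "It works!" page, CONNECT is unsupported); the server, the `check_open_proxy` function and its result keys are my assumptions. Point `check_open_proxy(host, port)` at your own host to test a real server.

```python
"""Does a web server relay requests whose target is another host?

Added example (not from the original post). Reproduces the answer's curl/telnet
check with http.client and verifies it against a constructed local origin server.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed index page, mirroring the "It works!" page used in the answer.
INDEX_HTML = (b"<!DOCTYPE html>\n<html>\n<head><title>It works!</title></head>\n"
              b"<body><h1>It works!</h1></body>\n</html>\n")
FOREIGN_HOST = "news.example.net"   # the third-party host from the answer's scenario


class _OriginOnlyHandler(BaseHTTPRequestHandler):
    """Stand-in for a server that is NOT a proxy: every GET gets the local index page,
    and CONNECT is not implemented (BaseHTTPRequestHandler answers 501 for it)."""

    def do_GET(self):
        # Ignore the request target entirely, even when it is an absolute URI.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(INDEX_HTML)))
        self.end_headers()
        self.wfile.write(INDEX_HTML)

    def log_message(self, fmt, *args):
        pass  # keep the demo's stderr quiet


def start_local_server():
    """Bind the constructed server on a free loopback port and serve it in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), _OriginOnlyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send(host, port, method, target):
    """Send one request and return (status, body). http.client places `target` on the
    request line verbatim, so an absolute URI reproduces the logged proxy-style requests."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, target)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def check_open_proxy(host, port, foreign=FOREIGN_HOST):
    """Describe how the server reacts to the two request shapes seen in the question's log."""
    base_status, base_body = send(host, port, "GET", "/")
    abs_status, abs_body = send(host, port, "GET", f"http://{foreign}/")
    connect_status, _ = send(host, port, "CONNECT", f"{foreign}:443")
    return {
        "index_status": base_status,
        "absolute_uri_status": abs_status,
        "connect_status": connect_status,
        # Same body as "GET /" means the server ignored the foreign target: not a proxy.
        "absolute_uri_returned_own_index": abs_status == 200 and abs_body == base_body,
        # A 2xx to CONNECT would mean a tunnel was opened; anything else is a refusal.
        "connect_refused": not (200 <= connect_status < 300),
    }


def run_local_demo():
    """Start the constructed non-proxy server, probe it, shut it down, return the findings."""
    srv = start_local_server()
    try:
        return check_open_proxy("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for key, value in run_local_demo().items():
        print(f"{key}: {value}")
```

A server that relays would return a body that differs from its own index page for the absolute-URI request (typically the foreign site's content) or answer 2xx to CONNECT; on a real host both findings should be false. With curl the equivalent of the absolute-URI request is `curl -x site.example.org:80 http://news.example.net/`, which makes curl treat your server as the proxy.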