
I've got several log entries that refer to an external domain - mainly a Russian search engine (http://www.yandex.ru/)

How are these appearing in my logs?

82.146.58.53 - - [10/Jun/2010:00:49:11 +0000] "GET http://www.yandex.ru/ HTTP/1.0" 200 8859 "http://www.yandex.ru/" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.5.22 Version/10.50"
82.146.59.209 - - [10/Jun/2010:01:54:10 +0000] "GET http://www.yandex.ru/ HTTP/1.0" 200 8859 "http://www.yandex.ru/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2"
82.146.41.7 - - [10/Jun/2010:02:55:34 +0000] "GET http://www.yandex.ru/ HTTP/1.0" 200 8859 "http://www.yandex.ru/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1045 Safari/532.5"
125.45.109.166 - - [09/Jun/2010:11:04:17 +0000] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 404 1010 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Johan

2 Answers


The probes are by crackers looking for open proxies: some (badly configured) reverse proxies will connect to any domain, not just the domain they're supposed to be serving. They are trying to use your server to connect to and abuse another site.

Andrew Aylett
  • So the entries being in the logs isn't a cause for concern - unless I'm acting as a proxy. – Johan Jun 10 '10 at 14:35
  • That's right. The chances of you being a public proxy without realising are quite slim, especially if you're serving your website directly from your server without any proxying at all. – Andrew Aylett Jun 11 '10 at 10:20
  • Stupid follow up question: Why would the return code be 200 when the Apache does not actually forward the request? – Frank Hopkins May 19 '19 at 14:56
  • And to answer my own question: It may happen that Apache is configured with a catch-all, thus any domain not mapped will be served by that default page, which will result in a 200 response code (along with the content of whatever is configured as this default page). – Frank Hopkins May 19 '19 at 20:53

Anyone can connect to a webserver and request any URL they wish from any host. It'll then turn up in your log. An example:

$ nc www.whateveryourdomainishere.com 80
GET / HTTP/1.1
host: www.asdfasdfasdfsdafsdf.com

This will get you an entry in your Apache log for www.asdfasdfasdfsdafsdf.com

goo
  • I didn't know that. I've just tried your example, and I get 82.69.x.x - - [10/Jun/2010:09:45:24 +0000] "GET / HTTP/1.1" 400 350 "-" "-". No mention of asdfxxxetc. But if that's the how - what's the why? – Johan Jun 10 '10 at 09:59
  • Probably seeing if they can redirect a request from your site to hide their tracks, I'd guess. See if you can act as a proxy, or probing for an exploit. – Bart Silverstrim Jun 10 '10 at 12:13
  • You need to issue "GET http://www.example.com/ HTTP/1.1" as the request to initiate proxying, try that and you'll (probably) see it in the log. – Vatine Jun 10 '10 at 12:30
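Both answers come down to one distinction: a normal request carries only a path ("GET / HTTP/1.1"), while an open-proxy probe carries a full URL in the request line ("GET http://www.yandex.ru/ HTTP/1.0", the form Vatine describes). The script below is an added example, not code from the question or either answer. It parses Apache combined-format lines, flags absolute-URI requests for hosts you don't serve and hits on proxy-judge paths, and applies Frank Hopkins' observation that a 200 with an identical byte count on every probe points to a catch-all default page rather than a proxied fetch. SERVED_HOSTS and the proxy-judge markers are assumptions to adjust for your own vhosts; the sample lines are the four from the question plus one constructed line modelled on Johan's "GET / HTTP/1.1" 400 comment.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the hostnames this server is actually meant to serve. Replace with your vhosts.
SERVED_HOSTS = {"www.example.com", "example.com"}

# Assumption: path fragments used by "proxy judge" services (the question shows proxyfire's /fastenv).
PROXY_JUDGE_MARKERS = ("proxyjudge", "/fastenv")

# Sample input: the four lines quoted in the question, plus one constructed line
# modelled on Johan's comment (a plain origin-form request answered with 400).
SAMPLE_LOG = [
    '82.146.58.53 - - [10/Jun/2010:00:49:11 +0000] "GET http://www.yandex.ru/ HTTP/1.0" 200 8859 "http://www.yandex.ru/" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.5.22 Version/10.50"',
    '82.146.59.209 - - [10/Jun/2010:01:54:10 +0000] "GET http://www.yandex.ru/ HTTP/1.0" 200 8859 "http://www.yandex.ru/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2"',
    '82.146.41.7 - - [10/Jun/2010:02:55:34 +0000] "GET http://www.yandex.ru/ HTTP/1.0" 200 8859 "http://www.yandex.ru/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1045 Safari/532.5"',
    '125.45.109.166 - - [09/Jun/2010:11:04:17 +0000] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 404 1010 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '82.69.x.x - - [10/Jun/2010:09:45:24 +0000] "GET / HTTP/1.1" 400 350 "-" "-"',  # constructed
]


def parse_line(line):
    """Split one combined-format line into fields; return None for lines that don't match."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = None if entry["size"] == "-" else int(entry["size"])
    return entry


def foreign_host(entry):
    """Hostname from an absolute-URI request line, or None for ordinary path requests."""
    parts = urlsplit(entry["target"])
    if parts.scheme in ("http", "https") and parts.hostname:
        if parts.hostname not in SERVED_HOSTS:
            return parts.hostname
    return None


def classify(entry):
    """Return the reasons this entry looks like an open-proxy probe (empty list if none)."""
    reasons = []
    host = foreign_host(entry)
    if host:
        reasons.append(f"absolute-URI request for foreign host {host}")
    if any(marker in entry["target"].lower() for marker in PROXY_JUDGE_MARKERS):
        reasons.append("proxy-judge probe path")
    return reasons


def served_foreign_host(entry):
    """True when the server answered 200 to an absolute-URI request for a host it doesn't serve.

    On its own this does not prove proxying: a catch-all default vhost also yields 200.
    """
    return foreign_host(entry) is not None and entry["status"] == 200


def likely_default_page(entries):
    """Heuristic: every 200 to a foreign host returned the same byte count, which fits a
    single catch-all page being served rather than different remote sites being fetched."""
    sizes = {e["size"] for e in entries if served_foreign_host(e)}
    return len(sizes) == 1


def scan(lines):
    """Return (ip, target, status, reasons) for every line that looks like a probe."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["target"], entry["status"], reasons))
    return findings


def sources_by_count(findings):
    """Count probe lines per source IP."""
    return Counter(ip for ip, _target, _status, _reasons in findings)


if __name__ == "__main__":
    for ip, target, status, reasons in scan(SAMPLE_LOG):
        print(f"{ip:16} {status} {target:45} {'; '.join(reasons)}")
    parsed = [e for e in map(parse_line, SAMPLE_LOG) if e]
    print("same body size on every 200 to a foreign host:", likely_default_page(parsed))
```

If `served_foreign_host` fires and the byte counts vary from probe to probe, that is the case worth checking by hand with goo's nc test against your own server, since it means the responses were not all the same default page.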