7

I came across the following entry in my access.log:

58.218.199.147 - - [05/Jun/2012:12:56:04 +1000] "GET http://proxyproxys.com/ HTTP/1.1" 200 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Normally when I see a full URL entry in my access.log I assume it is log spam with people trying to get me to access their site. These entries are normally followed with a 404 response.

The above entry is followed with a 200 'success' response! Doing some searching it would seem that this can occur when someone is trying to use your server as a proxy. This disturbed me more - especially because the URL in question has the word proxy in it.

Going to the site 'proxyproxys.com' (using hidemyass.com to protect my own identity), the site returns what appears to be some sort of 'proxy judge':

----------------------------------------
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.8
HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.53 Safari/536.5
HTTP_CONNECTION=close
REMOTE_PORT=56355

REMOTE_HOST=74.63.112.142
REMOTE_ADDR=74.63.112.142
----------------------------------------
CS_ProxyJudge Result=HIGH_ANONYMITY
----------------------------------------

Questions:

1) Does the 200 success mean that someone has been able to successfully use my server as a proxy?
2) Are there other means of confirming if my server is being used as a proxy?
3) Can you refer me to documentation to help 'close up' my security gap if there is one?

Thanks.

So Over It
  • possible duplicate of [Strange request in access.log, how to block?](http://serverfault.com/questions/303095/strange-request-in-access-log-how-to-block) – Shane Madden Jun 05 '12 at 15:59

3 Answers

4

An easy way to test this is to set your browser to use your webserver as its proxy. Any domain that points there will do, or the raw IP address. Choose port 80 if it asks for a port.

If you can still browse the web and you see your browsing showing up in your access logs then yes, you're running an open proxy.

Ladadadada
  • Interesting. I tried this in Firefox and then went to Google. Access log shows `60.xxx.xxx.xxx - - [06/Jun/2012:10:25:25 +1000] "GET http://www.google.com/ HTTP/1.1" 200 163 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0"`. The web page served was simply the default nginx web page of my server's IP address. This may explain the original access.log entry: someone just fishing for an open proxy? Now, while I can't browse to other sites using my server as a proxy, should I be able to connect with my browser at all? (probably a noob question). – So Over It Jun 06 '12 at 00:31
3

This happened to me too; I found something interesting in the docs for Apache:

My server is properly configured not to proxy, so why is Apache returning a 200 (Success) status code?

That status code indicates that Apache successfully sent a response to the client, but not necessarily that the response was retrieved from the foreign website.

RFC2616 section 5.1.2 mandates that Apache must accept requests with absolute URLs in the request-URI, even for non-proxy requests. This means that even when proxying is turned off, Apache will accept requests that look like proxy requests. But instead of retrieving the content from the foreign site, Apache will serve the content at the corresponding location on your website. Since the hostname probably doesn't match a name for your site, Apache will look for the content on your default host.

In the above example, since www.yahoo.com is obviously not a valid virtual host on your system, Apache will serve the homepage content from your default (virtual) host. The size of the response (1456 in the above example) can be compared to the size of the corresponding page on your default site to confirm that the response was served locally and no proxying was involved.

Since this seems to be a behavior required by the standard, I assume nginx is doing something similar. In my case, since it is returning my home page, I think it is "failing successfully", hence the 200 code.

rounin
1

A 200 success response to a request just means that your webserver believes it served up a valid response to the given request. The request log entry you see just means that someone made an HTTP connection to your server and requested the (relative) URL http://proxyproxys.com/.

This could happen if someone mistyped a URL: e.g. if I'm browsing http://www.google.com/ and suddenly want to go to http://www.facebook.com, it's possible for me to forget to clear the URL bar in my browser and end up navigating to http://www.google.com/http://www.facebook.com. Google would then see a GET request for http://www.facebook.com in their logs. Typically, you'd serve up a 404 error in these cases, but there may be quirks in your configuration that mean that 200 gets returned instead, for whatever reason. The easiest thing to do would be to test this yourself, against your own server. Navigate to http://[your-domain]/http://proxyproxys.com and see what gets generated in the access log.

I'd wager it's difficult to get a typical webserver like nginx to behave like a generic internet proxy, unless you specifically configure a script or other application to behave like that. There's nothing in your question that leads me to believe this is what's happened, but it's worth keeping an eye out for suspicious scripts / processes / configuration changes. If you have reasonable evidence to suspect your server has been tampered with, take it offline, wipe it and restore from backup.

growse
  • Should be a leading slash on the request in that case, like `GET /http://proxyproxys.com/` – Shane Madden Jun 05 '12 at 15:56
  • Good point - now I'm wondering what'd get set in the `access.log` if you set the `Host` header field to something random... – growse Jun 05 '12 at 16:00
  • Just getting back to this. Had to have a sleep :) I typed in `http://[your-domain]/http://proxyproxys.com` and the server log recorded `60.xxx.xxx.xxx - - [06/Jun/2012:10:17:19 +1000] "GET /http://proxyproxys.com/ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.53 Safari/536.5" 60.xxx.xxx.xxx - - [06/Jun/2012:10:17:20 +1000] "GET /http:/proxyproxys.com/ HTTP/1.1" 200 2481 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.53 Safari/536.5"` Note the leading slash – So Over It Jun 06 '12 at 00:19
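As an added illustration of two checks from this thread (Ladadadada's "is it really proxying?" question and the response-size comparison from the Apache docs quoted by rounin, plus Shane Madden's leading-slash distinction), here is a small access.log scanner that is not part of the original posts. It assumes you have measured the byte size of your own default page by fetching it directly (612 is a constructed value) and the log lines are constructed samples shaped like the thread's entries.

```python
import re
from collections import Counter
LOG_RE = re.compile(  # nginx/Apache combined log format, as in the thread's access.log lines
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
ABSOLUTE_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://')   # request target starts with scheme://

# Constructed sample lines (TEST-NET addresses; shapes taken from the thread's entries).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2012:12:56:04 +1000] "GET http://proxyproxys.com/ HTTP/1.1" 200 612 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Jun/2012:12:56:09 +1000] "GET http://example.com/ HTTP/1.1" 200 48113 "-" "Mozilla/4.0"
198.51.100.7 - - [06/Jun/2012:10:17:19 +1000] "GET /http://proxyproxys.com/ HTTP/1.1" 301 5 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Jun/2012:11:00:00 +1000] "GET http://example.org/ HTTP/1.1" 403 169 "-" "curl/7.22"
"""
# Assumed: byte size(s) of your own default page, measured by fetching http://your-ip/ directly.
LOCAL_PAGE_SIZES = {612}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['status'], d['bytes'] = int(d['status']), int(d['bytes'].replace('-', '0'))
    return d

def request_form(target):
    # RFC 2616 5.1.2: 'http://host/' is absolute-form (what a proxy client sends);
    # '/http://host/' starts with '/' so it is origin-form, an ordinary path (Shane Madden's point).
    if ABSOLUTE_RE.match(target):
        return 'absolute'
    return 'origin' if target.startswith('/') else 'other'

def classify(entry, local_sizes):
    # Only absolute-form requests can be proxy attempts. A 2xx whose size equals your own
    # default page was answered locally (the size check rounin quotes); any other 2xx size is
    # worth Ladadadada's live test, since a size match is only a heuristic.
    if request_form(entry['target']) != 'absolute':
        return 'not-a-proxy-request'
    if not 200 <= entry['status'] < 300:
        return 'non-2xx'
    return 'served-locally' if entry['bytes'] in local_sizes else 'possible-proxy'

def scan(lines, local_sizes=LOCAL_PAGE_SIZES):
    verdicts = Counter()
    for entry in filter(None, map(parse_line, lines)):
        verdicts[classify(entry, local_sizes)] += 1
    return verdicts
```

Run `scan(open('/var/log/nginx/access.log'))` with your own measured size; any `possible-proxy` hits are the lines to confirm with the browser test above.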