I have many strange requests in my httpd access_log, does it mean I have a virus?

Question

I have httpd log information as such which goes on and on forever. Firstly, does this mean I have a virus? is my server part of a botnet? My server is Linux Centos 5.

tail -f /var/log/httpd/access_log

Also how can I block this attack?

How can I make sure my server is not sending out requests?

What other security measures can I add?

69.164.209.127 - - [14/Jun/2012:18:49:05 +0800] "GET http://69.164.209.127/82d8e94797c2079b53bb3d36157a699f HTTP/1.1" 404 309 "-" "Avant Browser - MSIE 7 (Win XP)|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
176.227.198.140 - - [14/Jun/2012:18:49:05 +0800] "GET http://www.google.com/search?as_q=monochrom+inurl:%3Fp%3D%2A%26option%3Dcom%5Fwordpress%26Itemid%3D%2A&num=100&hl=en&output=ie&filter=0 HTTP/1.0" 404 283 "http://www.google.com/search?as_q=monochrom+inurl:%3Fp%3D%2A%26option%3Dcom%5Fwordpress%26Itemid%3D%2A&num=100&hl=en&output=ie&filter=0" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
173.236.110.243 - - [14/Jun/2012:18:49:06 +0800] "CONNECT evisaforms.state.gov:443 HTTP/1.1" 200 9452 "-" "-"
95.250.43.84 - - [14/Jun/2012:18:49:06 +0800] "POST http://www.alldebrid.com/api.php?action=info_user&login=zcnhaa&pw=123456789 HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
176.227.198.140 - - [14/Jun/2012:18:49:06 +0800] "GET http://www.google.com/search?as_q=monopsonic+%22Write+a+Comment%22+Website&num=100&hl=en&output=ie&filter=0 HTTP/1.0" 404 283 "http://www.google.com/search?as_q=monopsonic+%22Write+a+Comment%22+Website&num=100&hl=en&output=ie&filter=0" "Mozilla/4.79 [en] (Windows NT 5.0; U)"
173.236.110.243 - - [14/Jun/2012:18:49:06 +0800] "CONNECT evisaforms.state.gov:443 HTTP/1.1" 200 9452 "-" "-"
46.4.25.139 - - [14/Jun/2012:18:49:07 +0800] "GET http://www.ebay.it/itm/-/280882450672 HTTP/1.0" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022; .NET CLR 3.5.30729; MS-RTC LM 8; OfficeLiveConnector.1.4; OfficeLivePatch.1.3; .NET CLR 3.0.30729)"
173.236.110.243 - - [14/Jun/2012:18:49:07 +0800] "CONNECT evisaforms.state.gov:443 HTTP/1.1" 200 9452 "-" "-"
216.58.17.248 - - [14/Jun/2012:18:49:07 +0800] "GET http://images.google.com/ HTTP/1.1" 200 9452 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"
173.236.110.244 - - [14/Jun/2012:18:49:07 +0800] "CONNECT evisaforms.state.gov:443 HTTP/1.1" 200 9452 "-" "-"
173.236.110.244 - - [14/Jun/2012:18:49:07 +0800] "CONNECT evisaforms.state.gov:443 HTTP/1.1" 200 9452 "-" "-"
173.236.110.244 - - [14/Jun/2012:18:49:09 +0800] "CONNECT evisaforms.state.gov:443 HTTP/1.1" 200 9452 "-" "-"
173.236.110.244 - - [14/Jun/2012:18:49:09 +0800] "CONNECT evisaforms.state.gov:443 HTTP/1.1" 200 9452 "-" "-"

See [Could this server log mean my server is being used as a proxy?](http://serverfault.com/questions/395775/could-this-server-log-mean-my-server-is-being-used-as-a-proxy) or [Strange request in access.log, how to block?](http://serverfault.com/questions/303095/strange-request-in-access-log-how-to-block) — Shane Madden, Jun 14 '12 at 03:18

BillThor · Answer 1 · 2012-06-14T03:58:01.267

I have httpd log information as such which goes on and on forever. Firstly, does this mean I have a virus? is my server part of a botnet?

It doesn't appear you have a virus, nor is it likely you are part of a botnet. Neither of these cases would want to announce their presence by getting their activity logged.

Also how can I block this attack?

This is not an attack. You appear to be running an open proxy server. If you don't need a proxy server running, disable proxy access in your Apache configuration.

How can I make sure my server is not sending out requests?

Your server is sending out the requests. Block proxy access by adding an ACL to proxy requests in your Apache configuration. Something like this should allow proxy access from the localhost and a private network block. Adjust the last allow line according to your needs.

<Proxy *>
    Order deny,allow
    Deny  from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    Allow from 192.168.2.0/24
</Proxy>

What other security measures can I add?

If you don't need to provide web service to Internet hosts, add an ACL to your Apache server similar to the above. Consider blocking incoming web requests with iptables as well.

If you do need a proxy, consider using a dedicated proxy like squid with appropriate access controls. You could also create a separate virtual host on a different port for proxy purposes. This should have appropriate access controls.

I have many strange requests in my httpd access_log, does it mean I have a virus?

1 Answers1