Monday, June 29, 2015

logging - Apache logs full URL rather than URI



My Apache web server logged the following messages to access.log:




46.22.173.131 - - [23/Dec/2014:15:34:54 +0100] "GET http://pl.wikipedia.org/wiki/Special:Search?search=&go=Go HTTP/1.1" 302 482 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
182.254.156.77 - - [23/Dec/2014:16:53:22 +0100] "GET http://www.ly.com/ HTTP/1.1" 302 433 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
182.254.208.62 - - [23/Dec/2014:17:57:49 +0100] "GET http://www.ly.com/ HTTP/1.1" 302 433 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"


I have two Virtualhosts defined - one for port 80 which just redirects to 443 ... and the Virtualhost for port 443 which logs into ssl_access.log.



I do not understand what these logs mean. Was someone trying to get to these URLs through my web server?



Please help me understand those logs.




Merry Christmas everyone!


Answer



http://wiki.apache.org/httpd/ProxyAbuse:




Why do I see requests for foreign sites appearing in my log files?



An access_log entry showing this situation could look like this:




63.251.56.142 - - [25/Jul/2002:12:48:04 -0700] "GET http://www.yahoo.com/ HTTP/1.0" 200 1456

For this log line, the 200 code (second to last field in this example) indicates that the request was successful – but see below for an explanation of what “success” means in this situation.



This is usually the result of malicious clients trying to exploit open
proxy servers to access a website without revealing their true
location. They could be doing this to manipulate pay-per-click ad
systems, to add comment or link-spam to someone else's site, or just
to do something nasty without being detected.




It is important to prevent your server from being used as an open
proxy to abuse other sites.
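
An added example, not part of the original post or the Apache wiki text: a Python scan of access-log lines that flags proxy-style requests (a full URL or a CONNECT target naming a host other than your own) and reports the status code returned, so each response can be reviewed. The `own_hosts` value `example.org` and the two `192.0.2.x` lines are constructed; the other sample lines are the ones quoted above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def foreign_target(request_line, own_hosts):
    """Return the foreign host named by a proxy-style request line, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                       # CONNECT host:port (tunnel request)
        host = target.rsplit(":", 1)[0].lower()
    elif not target.startswith("/") and "://" in target:
        host = (urlsplit(target).hostname or "").lower()   # absolute-form URL
    else:
        return None                               # ordinary path on this server
    # Absolute-form requests for our own names are legal HTTP/1.1, so skip them.
    return host if host and host not in own_hosts else None

def find_foreign_requests(lines, own_hosts):
    """Yield (client, foreign_host, status) for each flagged log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = foreign_target(m["request"], own_hosts)
        if host:
            yield m["host"], host, int(m["status"])

def summarize(lines, own_hosts):
    """Count flagged requests per (client, foreign_host, status)."""
    return Counter(find_foreign_requests(lines, own_hosts))

SAMPLE = [
    '46.22.173.131 - - [23/Dec/2014:15:34:54 +0100] "GET http://pl.wikipedia.org/wiki/Special:Search?search=&go=Go HTTP/1.1" 302 482 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '182.254.156.77 - - [23/Dec/2014:16:53:22 +0100] "GET http://www.ly.com/ HTTP/1.1" 302 433 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"',
    '63.251.56.142 - - [25/Jul/2002:12:48:04 -0700] "GET http://www.yahoo.com/ HTTP/1.0" 200 1456',
    '192.0.2.10 - - [23/Dec/2014:18:00:00 +0100] "GET /index.html HTTP/1.1" 200 512',          # constructed
    '192.0.2.11 - - [23/Dec/2014:18:00:01 +0100] "GET http://example.org/ HTTP/1.1" 302 433',  # constructed
]

if __name__ == "__main__":
    for (client, host, status), n in sorted(summarize(SAMPLE, {"example.org"}).items()):
        print(f"{client} asked for {host}: status {status} x{n}")
```
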


