LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-28-2004, 12:16 AM   #1
hsegtreas
Member
 
Registered: May 2004
Distribution: Slackware 9.1
Posts: 47

Rep: Reputation: 15
200 for www.yahoo.com?


I run an apache server. I just found something a bit strange in the logs:

Code:
[27/Jul/2004:07:23:10 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 200 65464
Why does the server gives a 200 for yahoo?? I didn't set any proxy options..!
If i try to send the same string via telnet, here's what i get:

Code:
[27/Jul/2004:23:49:58 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 400 307
Now, 65464 is exactly the size of my web page. So does that means that index.html was sent? Or was it really redirected to yahoo.com?

Or again, could it be that the log file was edited?

I've only been running a server for 3 months, so i'm far from being an expert on the subject.. But i'm curious to know what someone more experienced thinks about those logs?

Thanks!
 
Old 07-28-2004, 12:38 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
This is a weird behaviour of Apache that isn't well documented and took me a while to figure out as well. If a request is made to apache with a URL that isn't even on the server, then the default index.html page is served up instead and a 200 code is returned. It has to be something drastically different like www.yahoo.com instead of www.mywebsite to get that result. Simply miss-typing a URL will still get a 404. First time I saw it, I thought I was proxying traffic, but the page size is the tip-off.

It's still annoying though, because poorly written proxy-detecting bots will mistakenly think that you are an open proxy. So you'll commonly see a single requests for www.yahoo.com or www.sina.com . Then several days later you'll see an actual live attempt by someone to use you as a proxy and give up after getting your homepage a couple of times.
 
Old 07-28-2004, 12:45 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Trying to replicate it was almost as frustrating as figuring out what was going on. Using telnet doesn't seem to work. I found the best way to do it was to modify your web browsers configuration and set it to use your web server as its http proxy. Then just type in "www.yahoo.com" and you'll get your homepage instead. Also the log message will show a 200 instead of a 400.
 
Old 07-28-2004, 02:30 AM   #4
hsegtreas
Member
 
Registered: May 2004
Distribution: Slackware 9.1
Posts: 47

Original Poster
Rep: Reputation: 15
You're right i tried to set the proxy to my web server and typed http://www.yahoo.com/. The logs says that the page was sent, and even the pictures of the pages came from www.yahoo.com/pictures/...
lol I could never found out that one myself

I Looked quickly at what strings are really sent to the server with ethereal. The requests, with and without proxy settings are actually different...(no surprise..)
So it's just seems strange because apache doesn't log the full http request...

Thanks for the help!


Edit: If anyone is interested:

Request without proxy settings (standard request on a web server):
Code:
GET / HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.79 [en] (Windows NT 5.0; U)
Host: [my-web-server-was-here]
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

Request with proxy set on my server (the one that gives a strange log entry):
Code:
GET http://www.yahoo.com/ HTTP/1.0
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.79 [en] (Windows NT 5.0; U)
Host: www.yahoo.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
So it probably has something to do with the "Host" field.

Last edited by hsegtreas; 07-28-2004 at 02:48 AM.
 
Old 07-28-2004, 08:31 AM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Cool. Your thread had made me curious about how the http requests might be different. Thanks for posting that.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Any idea why this time I can not ping my LAN pc but can PING for ex. www.yahoo.com vakia Debian 5 09-28-2005 07:42 PM
difference between www.google.com/linux and www.google.com dr_zayus69 General 4 01-12-2005 03:45 PM
lose 200$ or sace 200! HELP HELP HELP! OMEGA-DOOM Linux - Software 8 10-23-2004 08:47 PM
can't resolve www.yahoo.com w7hd Linux - Networking 2 08-06-2004 12:49 PM
Just bought www.helpwithlinux.net and www.helpwithwindows.com Whitehat General 15 05-08-2003 01:31 PM


All times are GMT -5. The time now is 02:11 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration