I've noticed a couple of entries in my Apache access.log that make me suspicious.
This is my log format:
LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{forensic-id}n\"" combined
Here are some snippets from the log:
218.150.163.30 - - [10/Oct/2004:16:57:01 -0400] "GET http://umsky.com/sproxy.php HTTP/1.0" 404 270 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"
68.33.241.67 - - [10/Oct/2004:18:09:55 -0400] "-" 414 337 "-" "-" "-"
68.33.241.67 - - [10/Oct/2004:19:50:01 -0400] "-" 414 337 "-" "-" "-"
68.51.99.132 - - [10/Oct/2004:20:27:15 -0400] "-" 414 337 "-" "-" "-"
218.66.37.66 - - [10/Oct/2004:23:30:41 -0400] "GET http://www.xlrwb.com/ HTTP/1.1" 200 2967 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)" "-"
208.40.36.216 - - [11/Oct/2004:00:56:54 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 295 "-" "-" "-"
60.25.111.88 - - [16/Oct/2004:08:03:43 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" "-"
68.206.181.112 - - [16/Oct/2004:08:12:52 -0400] "-" 414 337 "-" "-" "-"
200.73.65.5 - - [16/Oct/2004:08:33:00 -0400] "GET http://www.yahoo.com/ HTTP/1.0" 200 2967 "-" "Mozilla/4.0 [en] (Windows NT 5.0; I)" "-"
167.21.1.228 - - [16/Oct/2004:14:24:17 -0400] "GET / HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible
" "-"
The ones that make me curious are the "GET http://www.yahoo.com/ HTTP/1.0" and the "GET http://www.xlrwb.com/ HTTP/1.1" because they returned a status code of 200. Also the "OPTIONS / HTTP/1.1" returning a status of 200 doesn't seem right either; shouldn't they give something like a 404?
I should also note that the 2967 bytes is the size of my index page, and what is displayed in the log when someone requests it.
I would really appreciate it if someone could shed some light on this.
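
A triage sketch for the kinds of entries quoted above, added as an example and not part of the original post: it parses lines in the posted LogFormat and tags 414 responses, CONNECT attempts, absolute-URI requests, and absolute-URI requests whose 200 response has the index-page size the poster reports (2967 bytes). The tag names and the `classify` and `summarize` helpers are this example's own.

```python
import re

# Matches the LogFormat in the post:
# %h %l %u %t "%!414r" %>s %b "Referer" "User-Agent" "forensic-id"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "[^"]*" "[^"]*"$'
)
INDEX_SIZE = 2967  # size of the index page, as stated in the post

def classify(line):
    """Return (host, tag) for one access-log line; tag names are this example's own."""
    m = LINE_RE.match(line.strip())
    if not m:
        return (None, "unparsed")
    host, request, status = m["host"], m["request"], int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if request == "-":
        # %!414r logs "-" in place of the request line when the status is 414
        return (host, "uri-too-long" if status == 414 else "empty-request")
    parts = request.split()
    method = parts[0].upper()
    target = parts[1] if len(parts) > 1 else ""
    if method == "CONNECT":
        return (host, "connect-attempt")
    if target.lower().startswith(("http://", "https://")):
        # Absolute-URI request target: the form a client sends to a proxy
        if status == 200 and size == INDEX_SIZE:
            return (host, "absolute-uri-got-local-index")
        return (host, "absolute-uri")
    if method == "OPTIONS":
        return (host, "options")
    return (host, "ordinary")

def summarize(lines):
    """Count how many lines fall under each tag."""
    counts = {}
    for line in lines:
        tag = classify(line)[1]
        counts[tag] = counts.get(tag, 0) + 1
    return counts

# Log lines copied from the post above
SAMPLE = [
    '218.150.163.30 - - [10/Oct/2004:16:57:01 -0400] "GET http://umsky.com/sproxy.php HTTP/1.0" 404 270 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"',
    '68.33.241.67 - - [10/Oct/2004:18:09:55 -0400] "-" 414 337 "-" "-" "-"',
    '218.66.37.66 - - [10/Oct/2004:23:30:41 -0400] "GET http://www.xlrwb.com/ HTTP/1.1" 200 2967 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)" "-"',
    '208.40.36.216 - - [11/Oct/2004:00:56:54 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 295 "-" "-" "-"',
    '60.25.111.88 - - [16/Oct/2004:08:03:43 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" "-"',
]
```
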