Hi all,

I was parsing my apache log and notice these entries that look suspicous.

Line #11614 : 219.134.178.199 - - [22/Jun/2005:11:12:44 -0500] "CONNECT 216.109.118.68:80 HTTP/1.1" 200 3386
Line #11615 : 219.134.178.199 - - [22/Jun/2005:11:12:46 -0500] "GET / HTTP/1.1" 200 3386
Line #11616 : 219.134.178.199 - - [22/Jun/2005:11:12:47 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 3565
Line #18663 : 219.140.162.197 - - [28/Jun/2005:11:17:54 -0500] "GET http://cn.yahoo.com/ HTTP/1.1" 200 4436

If this some sort of hack, how do I prevent them from happening again? I did a whois and those IP addresses are from China.

Thanks

It appears they were trying to use your system as a proxy. Are you running apache on port 8080 by any chance?

Matir,

No, apache is on port 80 and my router is set to forward port 80 only. Is this also called http tunneling? I've read some on sites that this can be done somehow.

Besides blocking every IP address that does this, is there another solution to prevent this sort of attack?

Thanks,
Matikas

I don't really consider this a serious attack, especially since I doubt they are getting anywhere.

Matir,

Alright, I'll consider these as failed attempts and ignore them like all those window hack attempts that I see.

Thanks for the help.

Matikas

No problem. Those 'attacks' are just hunting for open proxies... and you're not running a proxy, so it should be no big deal.

I was getting slammed through port 80 thanks to mandy's default httpd.conf

http://www.linuxquestions.org/questi...ght=open+proxy

I also commented this in httpd.conf

<IfDefine APACHEPROXIED>
# Listen 8080
</IfDefine>
<IfDefine !APACHEPROXIED>
# Listen 80
</IfDefine>