Home / server / Questions / 70601
Accepted
Tom Smykowski
Asked: 2009-10-02 16:10:57 +0800 CST

Strange Centos 5 Lighttpd access log

  • 772

I've investigated my Lighttpd access log and found some strange things listed below. I do not know if it's good or bad, but bearshare? I was never or these sites I use my Centos only for website hosting. Could you help me understand these logs?

87.219.0.18 download.bearshare.com - [26/Sep/2009:12:41:37 +0200] "GET http://download.bearshare.com/BSInstall.exe HTTP/1.0" 404 345 "-" "Mozilla/3.0 (compatible)"
87.219.17.44 proxyworld.ifrance.com - [26/Sep/2009:20:13:53 +0200] "GET http://proxyworld.ifrance.com/azenv.php HTTP/1.1" 404 345 "http://proxyworld.ifrance.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
87.219.17.44 proxyworld.ifrance.com - [26/Sep/2009:20:44:12 +0200] "GET http://proxyworld.ifrance.com/azenv.php HTTP/1.1" 404 345 "http://proxyworld.ifrance.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
118.168.162.245 - - [27/Sep/2009:12:43:58 +0200] "CONNECT 220.132.13.98:25 HTTP/1.0" 501 357 "-" "-"
125.224.203.130 203.188.201.253:25 - [28/Sep/2009:00:28:09 +0200] "CONNECT 203.188.201.253:25 HTTP/1.1" 501 357 "-" "-"
69.46.23.47 174.34.157.98 - [28/Sep/2009:23:48:54 +0200] "GET http://174.34.157.98/proxychecker/check.cgi?action=getinfo HTTP/1.1" 404 345 "http://www.google.com/search?hl=ru&q=free+proxy+checker&sourceid=navclient-ff&ie=UTF-8" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
125.224.203.130 203.188.201.253:25 - [28/Sep/2009:23:58:14 +0200] "CONNECT 203.188.201.253:25 HTTP/1.1" 501 357 "-" "-"
124.133.252.204 www.yahoo.com - [29/Sep/2009:10:25:59 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 200 1953 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
124.11.136.231 72.14.221.111:25 - [29/Sep/2009:14:59:51 +0200] "CONNECT 72.14.221.111:25 HTTP/1.1" 501 357 "-" "-"
125.224.197.97 203.188.201.253:25 - [01/Oct/2009:01:30:56 +0200] "CONNECT 203.188.201.253:25 HTTP/1.1" 501 357 "-" "-"
security

1 Answers

  1. Best Answer

    It would appear that someone is attempting to use your lighttpd server as a proxy server. This means that they connect to you and ask you to fetch a Web page or download a file on their behalf, and then transparently send it back to them. Common reasons for people to do this:

    • To work around corporate or government firewalls. For example, the host 87.219.0.18 might not be able to connect to bearshare.com, but they can connect to you, and you can connect to bearshare.com. If they can make your Web server proxy their connection, they can effectively still get to the site.
    • To obscure one's identity. As far as bearshare.com is concerned, you are the one connecting to them, not 87.219.0.18.

    As it happens, you are blocking most of them, as indicated by the 404 and 501 HTTP codes. However, the connection from 124.133.252.204 to yahoo.com gave a 200 code, which indicates success. You should definitely check your lighttpd configuration and ensure that mod_proxy is restricted or disabled (unless you intended to offer free proxy services).

    • 2