Could this server log mean my server is being used as a proxy?
Posted
by
So Over It
on Server Fault
See other posts from Server Fault
or by So Over It
Published on 2012-06-05T15:39:07Z
Indexed on
2012/06/05
16:42 UTC
Read the original article
Hit count: 520
I came across the following entry in my access.log:
58.218.199.147 - - [05/Jun/2012:12:56:04 +1000] "GET http://proxyproxys.com/ HTTP/1.1" 200 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Normally when I see a full URL entry in my access.log I assume it is log spam with people trying to get me to access their site. These entries are normally followed with a 404 response.
The above entry is followed with a 200 'success' response! Doing some searching it would seem that this can occur when someone is trying to use your server as a proxy. This disturbed me more - especially because the URL in question has the word proxy in it.
Going to the site 'proxyproxys.com' (using hidemyass.com to protect my own identity), the site returns what appears to be some sort of 'proxy judge'
----------------------------------------
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.8
HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.53 Safari/536.5
HTTP_CONNECTION=close
REMOTE_PORT=56355
REMOTE_HOST=74.63.112.142
REMOTE_ADDR=74.63.112.142
----------------------------------------
CS_ProxyJudge Result=HIGH_ANONYMITY
----------------------------------------
Question: 1) does the 200 success mean that someone has been able to successfully use my server as a proxy? 2) are there other means of confirming if my server is being used as a proxy 3) can you refer me to documentation to help 'close up' my security gap if there is one.
Thanks.
© Server Fault or respective owner