I came across the following entry in my access.log:
58.218.199.147 - - [05/Jun/2012:12:56:04 +1000] "GET http://proxyproxys.com/ HTTP/1.1" 200 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Normally when I see a full URL entry in my access.log I assume it is log spam with people trying to get me to access their site. These entries are normally followed with a 404 response.
The above entry is followed with a 200 'success' response! Doing some searching it would seem that this can occur when someone is trying to use your server as a proxy. This disturbed me more - especially because the URL in question has the word proxy in it.
Going to the site 'proxyproxys.com' (using hidemyass.com to protect my own identity), the site returns what appears to be some sort of 'proxy judge':
----------------------------------------
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.8
HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.53 Safari/536.5
HTTP_CONNECTION=close
REMOTE_PORT=56355
REMOTE_HOST=74.63.112.142
REMOTE_ADDR=74.63.112.142
----------------------------------------
CS_ProxyJudge Result=HIGH_ANONYMITY
----------------------------------------
Questions:
1) Does the 200 success mean that someone has been able to successfully use my server as a proxy?
2) Are there other means of confirming if my server is being used as a proxy?
3) Can you refer me to documentation to help 'close up' my security gap if there is one?
Thanks.
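For question 2, one way to check the log itself, as an added example that is not part of the original post: the Python below flags access.log lines whose request target names a host the server does not serve (absolute URL or CONNECT) and marks 2xx responses for review. LOCAL_HOSTS and every sample line except the first (taken from the post) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the hostnames this server legitimately serves.
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Leading fields of the Apache "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line, local_hosts=LOCAL_HOSTS):
    """Return None for ordinary requests, else details of a proxy-style request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":                 # tunnel request: target is host:port
        host = target.rsplit(":", 1)[0].lower()
    elif "://" in target:                   # absolute-form target, as sent to a proxy
        host = (urlsplit(target).hostname or "").lower()
    else:
        return None                         # origin-form (/path): normal request
    if host in local_hosts:
        return None                         # absolute URL naming our own site
    status = int(m["status"])
    return {
        "client": m["ip"], "time": m["ts"], "method": method,
        "foreign_host": host, "status": status,
        "size": 0 if m["size"] == "-" else int(m["size"]),
        "needs_review": 200 <= status < 300,  # server answered with success
    }

def scan(lines, local_hosts=LOCAL_HOSTS):
    return [hit for hit in (classify(l, local_hosts) for l in lines) if hit]

# First line is the entry from the post; the rest are constructed samples.
SAMPLE = [
    '58.218.199.147 - - [05/Jun/2012:12:56:04 +1000] "GET http://proxyproxys.com/ HTTP/1.1" 200 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [05/Jun/2012:12:57:10 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jun/2012:12:58:30 +1000] "CONNECT mail.example.net:25 HTTP/1.0" 405 234 "-" "-"',
    '192.0.2.10 - - [05/Jun/2012:12:59:00 +1000] "GET http://www.example.org/about HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A flagged 2xx line is a candidate to investigate, not proof of relaying: a server with proxying disabled can still answer such a request with its own default page. Comparing the logged response size with the size of that default page helps tell the two cases apart.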