While studying for the RHCSA exam I set up my first home server and quickly found that bots had already started requesting commonly vulnerable files. It was alarming at first, then just purely amusing once I found out how harmless and ineffective these particular attempts were.
Now I am seeing some odd requests in my Apache access_log that I just don't understand and was hoping someone could help clarify for me.
I don't understand why the bot would request another server from within my server's path. It's my understanding that the bot is requesting the following resource in the log shown below: http://MY.IP.ADD.RESS/http://61.152.144.145/judge.php
58.218.199.250 - - [15/Sep/2012:06:47:38 -0500] "GET http://61.152.144.145/judge.php HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
That just doesn't even make any sense. I am getting quite a few of these nonsensical requests and I was wondering if requesting another server from someone else's server might in some way prove useful for an intruder or if this is just a script kiddie that has no idea what they're doing.
Some more examples of this in my access log.
58.218.199.250 - - [14/Sep/2012:05:28:48 -0500] "GET http://59.53.91.9/proxy/judge.php HTTP/1.1" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
59.53.91.9 - - [14/Sep/2012:08:26:55 -0500] "GET http://59.53.91.9/proxyheader.php HTTP/1.0" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.53.91.9 - - [14/Sep/2012:08:26:57 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 200 101 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.53.91.9 - - [14/Sep/2012:13:11:58 -0500] "GET http://59.53.91.9/proxyheader.php HTTP/1.0" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.53.91.9 - - [14/Sep/2012:13:11:59 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 200 101 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
58.218.199.227 - - [14/Sep/2012:15:34:53 -0500] "GET http://59.53.91.9/httpproxy/proxyheader.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
I am thinking that maybe these bots are requesting these files to encourage host administrators to actually visit these addresses due to their curiosity with the goal of gathering data, or something. I am thinking this mainly because I visited one and it did a whois lookup on me and displayed that information on the page. I only tried one so I don't know if that is a common pattern.
In short, why are these bots requesting other websites from the file structure of my website? I'm using CentOS.
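An added example, not part of the original post: the request lines logged above carry a full URL as the request target, which is the form a client sends to an HTTP proxy rather than a path under this site. The sketch below pulls such requests out of an Apache combined-format log and marks the ones the server answered with a 2xx/3xx status; the function names are hypothetical and the last sample line is constructed.

```python
import re
from urllib.parse import urlsplit

# Apache combined format: client ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?:\d+|-)'
)

def proxy_probe(line):
    """Return details if the request target is a full URL (proxy form), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        parts = urlsplit(m.group("target"))
    except ValueError:          # malformed target, e.g. a broken IPv6 literal
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None             # ordinary origin-form target such as /index.html
    status = int(m.group("status"))
    return {
        "client": m.group("client"),
        "upstream_host": parts.hostname,
        "path": parts.path or "/",
        "status": status,
        # 2xx/3xx means the server answered instead of rejecting: review it
        "needs_review": 200 <= status < 400,
    }

def summarize(lines):
    """Split a log into all proxy-form requests and the subset needing review."""
    probes = [p for p in map(proxy_probe, lines) if p]
    return probes, [p for p in probes if p["needs_review"]]

SAMPLE = [
    # first two lines are taken from the log in the post
    '58.218.199.250 - - [15/Sep/2012:06:47:38 -0500] "GET http://61.152.144.145/judge.php HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '59.53.91.9 - - [14/Sep/2012:08:26:57 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 200 101 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    # constructed line: a normal request for a local path
    '192.0.2.10 - - [15/Sep/2012:07:00:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "constructed-agent"',
]

if __name__ == "__main__":
    probes, review = summarize(SAMPLE)
    for p in probes:
        flag = "REVIEW" if p["needs_review"] else "not-served"
        print(f'{p["client"]} -> {p["upstream_host"]}{p["path"]} {p["status"]} {flag}')
```

A 200 on such a line does not by itself prove the request was relayed; confirm that forward proxying (`ProxyRequests` in mod_proxy) is off.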