
Bot requesting odd resource in apache logs

While studying for the RHCSA exam I set up my first home server and quickly found that bots had already started requesting commonly vulnerable files. It was alarming at first, then just purely amusing once I found out how harmless and ineffective these particular attempts were.

Now I am seeing some odd requests in my Apache access_log that I just don't understand, and I was hoping someone could help clarify them for me.

I don't understand why the bot would request another server from within my server's path. It's my understanding that the bot is requesting the following resource in the log shown below: http://MY.IP.ADD.RESS/http://61.152.144.145/judge.php

58.218.199.250 - - [15/Sep/2012:06:47:38 -0500] "GET http://61.152.144.145/judge.php HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

That just doesn't even make any sense. I am getting quite a few of these nonsensical requests and I was wondering if requesting another server from someone else's server might in some way prove useful for an intruder or if this is just a script kiddie that has no idea what they're doing.

Some more examples of this in my access log.

58.218.199.250 - - [14/Sep/2012:05:28:48 -0500] "GET http://59.53.91.9/proxy/judge.php HTTP/1.1" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
59.53.91.9 - - [14/Sep/2012:08:26:55 -0500] "GET http://59.53.91.9/proxyheader.php HTTP/1.0" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.53.91.9 - - [14/Sep/2012:08:26:57 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 200 101 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.53.91.9 - - [14/Sep/2012:13:11:58 -0500] "GET http://59.53.91.9/proxyheader.php HTTP/1.0" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.53.91.9 - - [14/Sep/2012:13:11:59 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 200 101 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
58.218.199.227 - - [14/Sep/2012:15:34:53 -0500] "GET http://59.53.91.9/httpproxy/proxyheader.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I am thinking that maybe these bots are requesting these files to encourage host administrators to actually visit these addresses due to their curiosity with the goal of gathering data, or something. I am thinking this mainly because I visited one and it did a whois lookup on me and displayed that information on the page. I only tried one so I don't know if that is a common pattern.

In short, why are these bots requesting other websites from the file structure of my website? I'm using CentOS.
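
As an added example (not part of the original post): the requests in the log above carry a full URL, scheme and host included, as the request-target, which is the form a client sends to a forward proxy, so they can be picked out of an access log mechanically. The Python below assumes Apache's combined log format; the function names are hypothetical, the first three sample lines are copied from the post and the fourth is constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# An origin server normally sees a path ("/index.html"). A request-target that
# carries a scheme and host is the form clients send to a forward proxy.
ABSOLUTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

def find_proxy_style_requests(lines):
    """Return {client_ip: [(target, status), ...]} for absolute-form or CONNECT requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP request line; not classified here
        if m["method"] == "CONNECT" or ABSOLUTE_RE.match(m["target"]):
            hits[m["host"]].append((m["target"], int(m["status"])))
    return dict(hits)

def answered_with_success(hits):
    """Targets that received a 2xx and therefore deserve a closer look."""
    return sorted({t for reqs in hits.values() for t, s in reqs if 200 <= s < 300})

# Lines 1-3 are copied from the post; line 4 is a constructed normal request.
SAMPLE = [
    '58.218.199.250 - - [15/Sep/2012:06:47:38 -0500] "GET http://61.152.144.145/judge.php HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '59.53.91.9 - - [14/Sep/2012:08:26:57 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 200 101 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '58.218.199.227 - - [14/Sep/2012:15:34:53 -0500] "GET http://59.53.91.9/httpproxy/proxyheader.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [14/Sep/2012:09:00:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.0"',
]

if __name__ == "__main__":
    found = find_proxy_style_requests(SAMPLE)
    for ip, reqs in found.items():
        for target, status in reqs:
            print(f"{ip} asked for {target} -> {status}")
    print("2xx responses to check:", answered_with_success(found))
```

A 2xx on one of these lines is not proof that the request was relayed: compare the response size with what the server returns for the same path locally, and confirm that `ProxyRequests` is `Off` in the Apache configuration.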