Thank you, your diagnosis was spot on so although they are trying the
server is just dishing up the index page. Just as a bit of extra info
I'm using <LimitExcept> to control methods.
Many thanks for the help from all.
On Tue, 2005-10-25 at 09:53 -0500, S.A.B.R.O. Net Security wrote:
It appears someone is indeed attemping to use your server as an open
proxy via the HTTP GET tunnel trick.
This is also common with POST, CONNECT, etc....scan your logs for these
types of attempts as well.
What's interesting is even though they received a status code of 200
(Success) in your examples, the two different sites they
attempted to access both returned 1302 bytes....maybe this is your
server feeding them your index.html and not the external site's page?
Try using the following :
telnet <your server> 80
then type CONNECT some.site.com:80 HTTP/1.0<enter><enter>
If it returns anything other then your index.html or an error status try
checking out the following :
Check out the Limit option in httpd.conf:
<Limit GET POST>
.
.
.
</Limit>
The above, when placed within a <directory /path/to/directory>....
</directory> section, will only allow GET and POST requests to that
directory and it's sub-directories. Anything else will give the 405(Method
Not Allowed) response that you see for the CONNECT request.
(Portions snagged from other sources.....kudos to the original authors).
--
Tony Barry
No Bull Services
PO Box 51528
Pakuranga
Auckland
021 413642
09 5768552
http://www.NO-BULL.CO.NZ
*************************************************************************
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the addressee/s.
If you have received this e-mail in error please notify the sender.
*************************************************************************
