On Mon, Nov 05, 2007 at 01:07:13PM -0700, Ashley M. Kirchner wrote:
> I noticed these entries in my apache log today:
>
> 60.250.66.175 - - [01/Nov/2007:04:41:01 -0600] "CONNECT 218.32.192.11:25 HTTP/1.0" 200 12439 "-" "-"
> 60.250.66.175 - - [01/Nov/2007:04:41:04 -0600] "CONNECT 61.31.198.50:25 HTTP/1.0" 200 12439 "-" "-"
> 60.250.66.175 - - [01/Nov/2007:04:43:28 -0600] "CONNECT 60.249.125.71:25 HTTP/1.0" 200 12439 "-" "-"
> 159.148.97.91 - - [02/Nov/2007:22:01:40 -0600] "CONNECT 195.175.37.70:8080 HTTP/1.0" 200 14301 "-" "-"
> 159.148.97.91 - - [02/Nov/2007:22:01:41 -0600] "CONNECT 159.148.96.222:80 HTTP/1.0" 200 14301 "-" "-"
>
> And while the first two are specifically targeting port 25, the
> other two aren't. But more importantly, how is this being done, and how
> do I stop it? Did I forget to disable something within Apache somewhere?

You'll get a 200 response sent from such CONNECT requests if you have
(e.g.) a PHP page handling the / page for your server. That does not
mean the server is allowing port forwarding!
By default, httpd will not allow CONNECT requests to remote servers. If
ProxyRequests is enabled, it will allow CONNECT requests to ports 443
and 563 only. (ProxyRequests should not be enabled unless the server is
acting as a proxy server, of course!)
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#allowconnect
joe
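
An added example, not part of the original thread: a log review script that pulls CONNECT requests out of an access log and checks each against the two points in the reply above. The two GET lines in the sample, the function names, and the size-matching heuristic (a CONNECT 200 whose logged size equals that of an ordinary page is consistent with the page handler having answered it) are assumptions of this example.

```python
import re

# Apache combined log format: client, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Ports httpd permits for CONNECT when ProxyRequests is on (per the reply above).
DEFAULT_ALLOWCONNECT = {443, 563}
# CONNECT lines are from the post; the two GET lines are constructed.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Nov/2007:04:40:12 -0600] "GET / HTTP/1.1" 200 12439 "-" "-"
60.250.66.175 - - [01/Nov/2007:04:41:01 -0600] "CONNECT 218.32.192.11:25 HTTP/1.0" 200 12439 "-" "-"
60.250.66.175 - - [01/Nov/2007:04:41:04 -0600] "CONNECT 61.31.198.50:25 HTTP/1.0" 200 12439 "-" "-"
60.250.66.175 - - [01/Nov/2007:04:43:28 -0600] "CONNECT 60.249.125.71:25 HTTP/1.0" 200 12439 "-" "-"
192.0.2.10 - - [02/Nov/2007:22:00:03 -0600] "GET / HTTP/1.1" 200 14301 "-" "-"
159.148.97.91 - - [02/Nov/2007:22:01:40 -0600] "CONNECT 195.175.37.70:8080 HTTP/1.0" 200 14301 "-" "-"
159.148.97.91 - - [02/Nov/2007:22:01:41 -0600] "CONNECT 159.148.96.222:80 HTTP/1.0" 200 14301 "-" "-"
'''

def parse(log_text):
    """Yield one dict per line that matches the combined log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            yield rec

def review_connects(log_text):
    """Return one finding per CONNECT request seen in the log."""
    records = list(parse(log_text))
    # Sizes the server logged for ordinary (non-CONNECT) 200 responses.
    page_sizes = {r["size"] for r in records
                  if r["method"] != "CONNECT" and r["status"] == "200"}
    findings = []
    for r in records:
        if r["method"] != "CONNECT":
            continue
        port = r["target"].rpartition(":")[2]
        findings.append({
            "client": r["client"],
            "target": r["target"],
            "status": r["status"],
            "port_in_default_allowconnect":
                port.isdigit() and int(port) in DEFAULT_ALLOWCONNECT,
            "size_matches_served_page":
                r["status"] == "200" and r["size"] in page_sizes,
        })
    return findings
```

A finding with `size_matches_served_page` set is only a hint; the `ProxyRequests` and `AllowCONNECT` settings in the running configuration are what decide whether the server forwards anything.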