F19: Is this an httpd attack attempt?

Dan Thurman dant at cdkkt.com
Tue Mar 4 21:48:39 UTC 2014


On 03/03/2014 10:47 PM, Tim wrote:
> Allegedly, on or about 03 March 2014, Dan Thurman sent:
>> It looks to me like a successful indirect connection?
>>
>> The following is taken from /var/log/httpd/access_log
>>
>> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
> With a "GET" request that has a full URI rather than just a filepath to
> something within your own website, that looks like they're trying to use
> you as a proxy for whatever their nefarious aims are (which Apache *can*
> do, but doesn't have to).  The "200" response means "okay," so it
> apparently succeeded with 5264 bytes being sent.  Try the same sort of
> hack, yourself, on your own server, to see what it does.  Though try
> getting some other website, not the one that's playing games with you.
>
> Since it's to a non-website, they may be pooling data of what fails and
> succeeds, so they can make use of it later.  Which could be anything
> from doing a hack on you, using you as a sacrificial proxy for illegal
> activities, using you as a proxy to bypass state censorship, one of the
> white hat hackers researching statistics on unsafe webservers, or
> anything else that you can think of.
>
> Because you don't know their motives, I'd consider them as being bad,
> and worth doing something about.  Unless you are purposely using the
> proxy features of Apache, disable them.  If you are making use of them,
> then tighten up the configuration to only do what you want.
>
I found out that mod_proxy was installed on Apache, so I disabled
mod_proxy and have yet to see any proxy attempts.
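As an added example that is not part of this thread, here is a small Python scan that does over a whole access_log what Tim does by eye on the one line above: it picks out requests whose request-target is an absolute URI (or a CONNECT tunnel request), which is the form a client sends to a forward proxy, and notes whether the server answered them with a 2xx/3xx. Only the first sample line is the one from the post; the other log lines, the IPs, the host names and the OWN_HOSTS set are constructed for illustration. One caveat a practitioner should keep in mind: an absolute-form request for another host is legal HTTP/1.1 and Apache will still answer it from the default virtual host when it is not proxying, so a 200 on its own does not prove the page was fetched from the foreign site; compare the byte count with your own pages and, as Tim suggests, test from outside against a third site. The fix Dan applied (removing mod_proxy) or, if mod_proxy must stay loaded, making sure `ProxyRequests Off` is set, is what this scan should confirm by showing the later attempts answered with 403.

```python
"""Flag forward-proxy style requests in an Apache access_log.

Added example, not code from the mailing-list thread. Works on the
common/combined log formats. Everything below except the first sample
line is constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical: the names this server legitimately answers for. Absolute-form
# requests naming one of these are ordinary HTTP/1.1 requests, not proxy use.
OWN_HOSTS = frozenset({"www.example.com", "example.com"})

SAMPLE_LOG = [
    # The line quoted in the post above.
    '185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"',
    # Constructed: an ordinary origin-form request for a local page.
    '198.51.100.7 - - [03/Mar/2014:07:28:01 -0800] "GET /index.html HTTP/1.1" 200 5264 "-" "Mozilla/5.0"',
    # Constructed: absolute-form request for the server's own name (legal, not proxying).
    '198.51.100.7 - - [03/Mar/2014:07:28:02 -0800] "GET http://www.example.com/about.html HTTP/1.1" 200 1422 "-" "Mozilla/5.0"',
    # Constructed: CONNECT tunnel attempt that the server refused.
    '185.4.227.194 - - [03/Mar/2014:07:29:10 -0800] "CONNECT 203.0.113.9:443 HTTP/1.1" 405 312 "-" "-"',
    # Constructed: a later foreign-host request answered with 403, as a non-proxying server should.
    '203.0.113.55 - - [04/Mar/2014:11:02:45 -0800] "GET http://example.net/ HTTP/1.1" 403 202 "-" "-"',
]


def parse_line(line):
    """Parse one access_log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_proxy_request(method, target, own_hosts=frozenset()):
    """True when the request-target is what a client sends to a forward proxy.

    CONNECT host:port asks for a tunnel; an absolute URI (scheme://host/...)
    asks the server to fetch from that host. Absolute URIs naming one of
    own_hosts are excluded because HTTP/1.1 allows that form for normal use.
    """
    if method == "CONNECT":
        return True
    parts = urlsplit(target)
    if not (parts.scheme and parts.netloc):
        return False  # origin-form ("/path") or "*": a normal request
    return parts.hostname not in own_hosts


def scan_access_log(lines, own_hosts=frozenset()):
    """Return proxy-style requests, each tagged with whether it was answered 2xx/3xx."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_proxy_request(rec["method"], rec["target"], own_hosts):
            continue
        host = rec["target"] if rec["method"] == "CONNECT" else urlsplit(rec["target"]).netloc
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "host": host,
            "status": rec["status"],
            "size": rec["size"],
            # A 2xx/3xx means the server answered; see the caveat in the text.
            "answered": 200 <= rec["status"] < 400,
        })
    return findings


def summarize_by_source(findings):
    """Per source IP: attempts, how many were answered, and the hosts requested."""
    summary = defaultdict(lambda: {"attempts": 0, "answered": 0, "hosts": set()})
    for f in findings:
        entry = summary[f["ip"]]
        entry["attempts"] += 1
        entry["answered"] += int(f["answered"])
        entry["hosts"].add(f["host"])
    return dict(summary)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG, OWN_HOSTS)
    for f in found:
        verdict = "ANSWERED" if f["answered"] else "refused"
        print(f'{f["ts"]} {f["ip"]} {f["method"]} {f["host"]} -> {f["status"]} ({verdict}, {f["size"]} bytes)')
    for ip, entry in sorted(summarize_by_source(found).items()):
        print(f'{ip}: {entry["attempts"]} attempts, {entry["answered"]} answered, hosts={sorted(entry["hosts"])}')
```

Run it against the real file with `scan_access_log(open("/var/log/httpd/access_log"), OWN_HOSTS)`; any source with a non-zero "answered" count before the mod_proxy change, and none after it, is the evidence Dan was looking for.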

