Fedora Linux Support Community & Resources Center

  #1  
Old 18th August 2005, 02:22 PM
Anakrino Offline
Registered User
 
Join Date: Aug 2005
Posts: 18
What's going on here (weird Apache requests)?

Hello everyone,

I've got a server that is getting tons of strange (to me, anyway) http requests. The Apache access_log is filling up with lines like:

211.196.150.99 - - [18/Aug/2005:08:17:27 -0500] "GET http://banners.webmasterplan.com/vie...ref=251405&b=9 HTTP/1.0" 404 299 "http://studserv.de" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"

Tons of them from hundreds of different IPs. Correct me if I'm wrong but isn't this a request for a page on the banners.webmasterplan.com server (which is not my server)? I'm not exactly sure what is going on (DOS maybe?) but any help and direction in fixing and/or stopping this would be appreciated.

Thanks,
Jacob
  #2  
Old 18th August 2005, 06:55 PM
bubudiu Offline
Registered User
 
Join Date: Apr 2005
Posts: 176

Someone is trying to use your server as a proxy to attack another server. The response code error 404 means they are unsuccessful.
__________________
RH9 -> FC3 -> FC6 (Jan 2007) Catch me Here


Capt Bubudiu "Sheriff"
  #3  
Old 18th August 2005, 07:45 PM
Anakrino Offline
Registered User
 
Join Date: Aug 2005
Posts: 18
Quote:
Originally Posted by bubudiu
Someone is trying to use your server as a proxy to attack another server. The response code error 404 means they are unsuccessful.
I thought the 404 was the error returned by MY Apache server because that document isn't on my server? Is Apache actually attempting to forward these requests on to the appropriate destination? If so, is there some way I can block them (if they aren't already being blocked) without completely disabling http access? My server should not be acting as a proxy for anyone.

Also, I should have mentioned in the original post that not all the requests are for pages on banners.webmasterplan.com--that was just the one I happened to copy/paste. The pages that are being requested (and generating all the errors) are on tons of different servers, none of which have anything to do with my server.

Sorry, my questions may be a little unintelligent; my networking skills are a little rusty.

Thanks for the help,
Jacob
  #4  
Old 21st August 2005, 08:52 AM
JohnVV Offline
Registered User
 
Join Date: Aug 2005
Location: Ann Arbor
Age: 45
Posts: 3,907
re

It does look as if someone is trying to bounce off you.
In your post, is this IP the same for all or most: "211.196.150.99"?
If so, then a change in httpd will be needed to block the IP.

httpd file
..................................................
<Directory /your-root-dir/public_html/>
    # ... (other directives)
    # Allow rules are evaluated first, then Deny rules, so the Deny wins
    Order allow,deny
    Allow from all
    Deny from 211.196.150.99
    # ... (other directives)
</Directory>
..................................................
This should block this IP.
  #5  
Old 21st August 2005, 06:32 PM
Anakrino Offline
Registered User
 
Join Date: Aug 2005
Posts: 18
Quote:
Originally Posted by JohnVV
in your post is this ip the same for all or most " 211.196.150.99 "
No, unfortunately there are literally hundreds of different IPs that the requests are coming from.

Thanks,
Jacob
  #6  
Old 21st August 2005, 06:42 PM
Twey Offline
Registered User
 
Join Date: Mar 2005
Location: England
Posts: 867
My first assumption would be that you've made an error somewhere, and are treating that URL as a local file rather than a remote one.
My second would be that someone was attempting to use your site for some sort of phishing/spamming activity.
My third would be that there is a browser bug somewhere. Are they all running MSIE?

I don't believe that it's a DDoS. It would be more efficient to send a constant stream of data rather than a series of requests.
__________________
Twey
  #7  
Old 21st August 2005, 07:11 PM
Anakrino Offline
Registered User
 
Join Date: Aug 2005
Posts: 18
Quote:
Originally Posted by Twey
My first assumption would be that you've made an error somewhere, and are treating that URL as a local file rather than a remote one.
I've made an error in what? The Apache configuration? I haven't touched the configuration of Apache--it is the default Fedora Core 2 config. And, even if I had made an error (entirely possible) I don't understand WHY the server is receiving these requests. The server is not a proxy server or gateway of any kind. All of the requests are from IPs outside our local network flowing in to this server. It doesn't make any sense to me.

Quote:
Originally Posted by Twey
My third would be that there is a browser bug somewhere. Are they all running MSIE?
No... it looks like most of them are identified as Mozilla 4.0 and Mozilla 5.0. But, I don't see how a browser bug could cause these requests to be sent to my server?

Thanks!
Jacob
  #8  
Old 23rd August 2005, 08:10 AM
JohnVV Offline
Registered User
 
Join Date: Aug 2005
Location: Ann Arbor
Age: 45
Posts: 3,907
re

It may be in the config.
You might want to post the httpd file -- BUT FIRST REPLACE ALL PATHS WITH "????"

Example: /home/dave/www/public_html would be /home/???/???/???
You do not need to give out sensitive info.
I have been hosting an Apache/MySQL/PHP5/Geeklog site for over 2 years.

I am currently offline: johnscelestiapage.no-ip.com
Reply With Quote
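
Added example (not part of any post in this thread, and not code from the forum or the Apache project): with hundreds of source IPs a per-address Deny does not scale, so this sketch reads the access_log instead, picks out proxy-style requests (an absolute URL or CONNECT as the request target) and tallies how the server answered them. The names summarize, proxy_target and own_hosts are hypothetical; every sample line except the first is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def proxy_target(method, target):
    """Return the foreign host a proxy-style request names, else None."""
    if method.upper() == "CONNECT":                         # CONNECT host:port
        return target.rsplit(":", 1)[0].lower()
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):    # absolute-URI form
        return (urlsplit(target).hostname or "").lower() or None
    return None                                # origin-form ("/path") is normal

def summarize(lines, own_hosts=()):
    """Count proxy-style requests, who sent them, and how the server answered."""
    own = {h.lower() for h in own_hosts}       # assumption: this server's own names
    clients, targets, statuses, review = set(), Counter(), Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = proxy_target(m["method"], m["target"])
        if host is None or host in own:
            continue
        clients.add(m["ip"])
        targets[host] += 1
        statuses[m["status"]] += 1
        if m["status"][0] in "23":             # answered with content: check by hand
            review.append(line)
    return {"clients": len(clients), "targets": targets,
            "statuses": statuses, "review": review}

# First line is the entry quoted in the first post (URL truncated as on the page);
# the remaining lines are constructed for this example.
SAMPLE = [
    '211.196.150.99 - - [18/Aug/2005:08:17:27 -0500] "GET http://banners.webmasterplan.com/vie...ref=251405&b=9 HTTP/1.0" 404 299 "http://studserv.de" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"',
    '192.0.2.10 - - [18/Aug/2005:08:17:30 -0500] "GET http://ads.example.net/click?id=1 HTTP/1.0" 404 291 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [18/Aug/2005:08:18:02 -0500] "CONNECT mail.example.org:25 HTTP/1.0" 405 310 "-" "-"',
    '198.51.100.4 - - [18/Aug/2005:08:18:40 -0500] "GET http://www.example.com/ HTTP/1.1" 200 1456 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [18/Aug/2005:08:19:01 -0500] "GET /index.html HTTP/1.1" 200 1456 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A 2xx or 3xx on a proxy-style request is not proof of proxying: with forward proxying disabled (ProxyRequests Off, the mod_proxy default), Apache can answer such a request from its own document tree, so compare the logged response size with that of the local page.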