I've investigated my Lighttpd access log and found some strange things, listed below. I do not know if it's good or bad, but bearshare? I was never on these sites; I use my CentOS only for website hosting. Could you help me understand these logs?

87.219.0.18 download.bearshare.com - [26/Sep/2009:12:41:37 +0200] "GET http://download.bearshare.com/BSInstall.exe HTTP/1.0" 404 345 "-" "Mozilla/3.0 (compatible)"
87.219.17.44 proxyworld.ifrance.com - [26/Sep/2009:20:13:53 +0200] "GET http://proxyworld.ifrance.com/azenv.php HTTP/1.1" 404 345 "http://proxyworld.ifrance.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
87.219.17.44 proxyworld.ifrance.com - [26/Sep/2009:20:44:12 +0200] "GET http://proxyworld.ifrance.com/azenv.php HTTP/1.1" 404 345 "http://proxyworld.ifrance.com/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
118.168.162.245 - - [27/Sep/2009:12:43:58 +0200] "CONNECT 220.132.13.98:25 HTTP/1.0" 501 357 "-" "-"
125.224.203.130 203.188.201.253:25 - [28/Sep/2009:00:28:09 +0200] "CONNECT 203.188.201.253:25 HTTP/1.1" 501 357 "-" "-"
69.46.23.47 174.34.157.98 - [28/Sep/2009:23:48:54 +0200] "GET http://174.34.157.98/proxychecker/check.cgi?action=getinfo HTTP/1.1" 404 345 "http://www.google.com/search?hl=ru&q=free+proxy+checker&sourceid=navclient-ff&ie=UTF-8" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
125.224.203.130 203.188.201.253:25 - [28/Sep/2009:23:58:14 +0200] "CONNECT 203.188.201.253:25 HTTP/1.1" 501 357 "-" "-"
124.133.252.204 www.yahoo.com - [29/Sep/2009:10:25:59 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 200 1953 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
124.11.136.231 72.14.221.111:25 - [29/Sep/2009:14:59:51 +0200] "CONNECT 72.14.221.111:25 HTTP/1.1" 501 357 "-" "-"
125.224.197.97 203.188.201.253:25 - [01/Oct/2009:01:30:56 +0200] "CONNECT 203.188.201.253:25 HTTP/1.1" 501 357 "-" "-"

1 Answer

2

It would appear that someone is attempting to use your lighttpd server as a proxy server. This means that they connect to you and ask you to fetch a Web page or download a file on their behalf, and then transparently send it back to them. Common reasons for people to do this:

  • To work around corporate or government firewalls. For example, the host 87.219.0.18 might not be able to connect to bearshare.com, but they can connect to you, and you can connect to bearshare.com. If they can make your Web server proxy their connection, they can effectively still get to the site.
  • To obscure one's identity. As far as bearshare.com is concerned, you are the one connecting to them, not 87.219.0.18.

As it happens, you are blocking most of them, as indicated by the 404 and 501 HTTP codes. However, the connection from 124.133.252.204 to yahoo.com gave a 200 code, which indicates success. You should definitely check your lighttpd configuration and ensure that mod_proxy is restricted or disabled (unless you intended to offer free proxy services).

  • The problem is that I do not have mod_proxy enabled. Oct 2, 2009 at 6:46
  • In that case, the entry for yahoo.com might simply be misleading. I just tried the same thing on one of my lighttpd servers, and although it gave me an "HTTP/1.1 200 OK" code (which indicates success), the file it actually returned was the index.html on my local server, which is what my index-file.names is set to. Given that, I think you are seeing people trying to proxy through your lighttpd server, but lighttpd is rejecting or ignoring their requests (which is what it should do). Nothing to worry about. Oct 2, 2009 at 13:39
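
The triage described in the answer and comments above, as an added example that is not part of the original posts: it picks forward-proxy attempts (CONNECT requests and GETs carrying an absolute URL) out of a lighttpd access log and separates rejected ones from 2xx responses that need a manual look. The function names are hypothetical and the sample lines are constructed, using documentation addresses and example domains.

```python
import re
from collections import Counter

# Layout seen in the question's log:
# client host user [time] "METHOD target HTTP/x" status bytes ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) '
)
ABSOLUTE_URI = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def classify(line):
    """Return a dict for a forward-proxy attempt, None for ordinary traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["method"] == "CONNECT":
        kind = "connect-tunnel"      # CONNECT host:25 style tunnel request
    elif ABSOLUTE_URI.match(m["target"]):
        kind = "absolute-uri"        # GET http://other-site/... sent to this server
    else:
        return None                  # origin-form request such as GET /index.html
    status = int(m["status"])
    # A 2xx is not proof of proxying: the server may have answered with its own
    # local page. It only marks the line for a manual check.
    outcome = "check-2xx" if 200 <= status < 300 else "rejected"
    return {"client": m["client"], "kind": kind, "target": m["target"],
            "status": status, "outcome": outcome}

def summarize(lines):
    hits = [h for h in map(classify, lines) if h]
    return hits, Counter((h["kind"], h["outcome"]) for h in hits)

# Constructed sample lines (documentation addresses and example domains).
SAMPLE = [
    '192.0.2.10 files.example.net - [26/Sep/2009:12:41:37 +0200] "GET http://files.example.net/setup.exe HTTP/1.0" 404 345 "-" "Mozilla/3.0 (compatible)"',
    '198.51.100.7 - - [27/Sep/2009:12:43:58 +0200] "CONNECT 203.0.113.25:25 HTTP/1.0" 501 357 "-" "-"',
    '203.0.113.99 www.example.org - [29/Sep/2009:10:25:59 +0200] "GET http://www.example.org/ HTTP/1.1" 200 1953 "-" "Mozilla/5.0 (compatible)"',
    '192.0.2.44 www.example.com - [29/Sep/2009:11:00:00 +0200] "GET /index.html HTTP/1.1" 200 1953 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, counts = summarize(SAMPLE)
    for (kind, outcome), n in sorted(counts.items()):
        print(f"{kind:15} {outcome:10} {n}")
    for h in hits:
        if h["outcome"] == "check-2xx":
            print("verify manually:", h["client"], h["target"], h["status"])
```

For a `check-2xx` line, repeating the same request against your own server and comparing the returned body with the local index page shows whether anything was actually proxied.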
