GET a page from another address?

Looking into /var/log/apache/access_log I found this entry:

66.45.247.147 - - [21/Oct/2007:23:56:46 +0200] "GET
http://www.outwar.com/ HTTP/1.0" 200 7688

My URL or IP have nothing to do with outwar.com, how could my Apache
GET it and answer with a "200", since the page doesn't exist on my
server? Did it go get it and then served it to 66.48.247.147??
Do I have some big hole in my system, which is acting sort of like a
proxy?

Thanks!

Gasp!

Sorry!!!!

Gaspare wrote:
> Looking into /var/log/apache/access_log I found this entry:
>
> 66.45.247.147 - - [21/Oct/2007:23:56:46 +0200] "GET
> http://www.outwar.com/ HTTP/1.0" 200 7688
>
> My URL or IP have nothing to do with outwar.com, how could my Apache
> GET it and answer with a "200", since the page doesn't exist on my
> server? Did it go get it and then served it to 66.48.247.147??
> Do I have some big hole in my system, which is acting sort of like a
> proxy?

The server seemed not to accept the messages, and then posted them
all together!!
http://news.aioe.org/webnews.php?zz=x&tipo=article.php&id=28 15&group=aioe.news.helpdesk#2815

Re: GET a page from another address?

"Gaspare" schreef in bericht news:fflh61$mqp$1@aioe.org...
> Looking into /var/log/apache/access_log I found this entry:
>
> 66.45.247.147 - - [21/Oct/2007:23:56:46 +0200] "GET
> http://www.outwar.com/ HTTP/1.0" 200 7688
>
> My URL or IP have nothing to do with outwar.com, how could my Apache
> GET it and answer with a "200", since the page doesn't exist on my
> server?
Unless the server is setup to be a proxy the servername is ignored and a
local page is served.

> Did it go get it and then served it to 66.48.247.147??
> Do I have some big hole in my system, which is acting sort of like a
> proxy?
If the size of _your_ default page is not (about) 7688 your system is
compromised.

More likely someone was just poking to (ab)use your system as a proxy.

Just check the log for more instances of '"GET http'". If all have the same
size logged despite the variing site names, fair chance you're save


HansH

Re: GET a page from another address?

HansH wrote:

> If the size of _your_ default page is not (about) 7688 your
> system is compromised.

It's exactly 7688 bytes, just checked.


> More likely someone was just poking to (ab)use your system as a
> proxy.
>
> Just check the log for more instances of '"GET http'". If all
> have the same size logged despite the variing site names, fair
> chance you're save

Ok, that's the only instance of "GET http" so far.

Thanks a lot!

Re: GET a page from another address?

On Wed, 24 Oct 2007 07:43:07 +0200, Gaspare wrote:

> Looking into /var/log/apache/access_log I found this entry:
>
> 66.45.247.147 - - [21/Oct/2007:23:56:46 +0200] "GET
> http://www.outwar.com/ HTTP/1.0" 200 7688
>
> My URL or IP have nothing to do with outwar.com, how could my Apache
> GET it and answer with a "200", since the page doesn't exist on my
> server? Did it go get it and then served it to 66.48.247.147??
> Do I have some big hole in my system, which is acting sort of like a
> proxy?

Most likely, you have a default set up, which is incorrectly not issuing a
404 when not found. The user probably got served the exact same thing you
would get when using the IP address of your server instead of a domainname.
--
Rik

Re: GET a page from another address?

Rik Wasmus wrote:
> On Wed, 24 Oct 2007 07:43:07 +0200, Gaspare wrote:
>
>> Looking into /var/log/apache/access_log I found this entry:
>>
>> 66.45.247.147 - - [21/Oct/2007:23:56:46 +0200] "GET
>> http://www.outwar.com/ HTTP/1.0" 200 7688
>>
>> My URL or IP have nothing to do with outwar.com, how could my
>> Apache GET it and answer with a "200", since the page doesn't
>> exist on my server? Did it go get it and then served it to
>> 66.48.247.147?? Do I have some big hole in my system, which is
>> acting sort of like a proxy?
>
> Most likely, you have a default set up, which is incorrectly not
> issuing a 404 when not found. The user probably got served the
> exact same thing you would get when using the IP address of your
> server instead of a domainname.

Exactly!!!!!

Just added this line
ErrorDocument 404 "Sorry!
to my /etc/apache/httpd.conf file and gave the command
apachectl graceful

Now in case of weird GETs it doesn't serve my default page anymore,
but says "Sorry!".

Checking in /var/log/apache/access_log now I see a better entry:

192.168.1.3 - - [26/Oct/2007:18:27:40 +0200] "GET
/http://www.google.com HTTP/1.1" 404 18

Thanks a lot Rik!!!!

Re: GET a page from another address?

"Gaspare" schreef in bericht news:fft50i$7jh$1@aioe.org...
>>> Looking into /var/log/apache/access_log I found this entry:
>>>
>>> 66.45.247.147 - - [21/Oct/2007:23:56:46 +0200] "GET
>>> http://www.outwar.com/ HTTP/1.0" 200 7688
>>>
>> Most likely, you have a default set up, which is incorrectly not
>> issuing a 404 when not found. The user probably got served the
>> exact same thing you would get when using the IP address of your
>> server instead of a domainname.
>
> Just added this line
> ErrorDocument 404 "Sorry!
> to my /etc/apache/httpd.conf file and gave the command
> apachectl graceful
>
> Now in case of weird GETs it doesn't serve my default page anymore,
> but says "Sorry!".
>
> Checking in /var/log/apache/access_log now I see a better entry:
>
> 192.168.1.3 - - [26/Oct/2007:18:27:40 +0200] "GET
> /http://www.google.com HTTP/1.1" 404 18
>
That's NOT the same thing.

The leading / in this URL implies it is an _ordinary_ -not a proxiing-
request for an oddly named file 'www.google.com' in the folder 'http:' -an
odd, but valid, name too-. The server would haved croacked without the newly
added ErrorDocument too!

To have your browser drop the leading /, set it to use your server as a
proxy.

HansH

Re: GET a page from another address?

HansH wrote:

>> 192.168.1.3 - - [26/Oct/2007:18:27:40 +0200] "GET
>> /http://www.google.com HTTP/1.1" 404 18
>>
> That's NOT the same thing.
>
> The leading / in this URL implies it is an _ordinary_ -not a proxiing-
> request for an oddly named file 'www.google.com' in the folder 'http:' -an
> odd, but valid, name too-. The server would haved croacked without the newly
> added ErrorDocument too!
>
> To have your browser drop the leading /, set it to use your server as a
> proxy.

As far as I know (whih is not much) my apache is not acting as a
proxy. In fact the other, guy who successfully omitted the "/", got
in response my default page, as I reckoned by the number of bytes
served.
I'd like to know how can I make such a request?
All I did was write in my address bar
http://myurl/http://www.google.com, which produced the above log line.
How can I make a correct GET go through? Can it be done with a
browser, or a more sophisticated operation is involved?

Thanks

Re: GET a page from another address?

Gaspare wrote:

> How can I make a correct GET go through? Can it be done with a
> browser, or a more sophisticated operation is involved?

Ehm, sorry, brain got disconnected for a while. I inserted my
apache's URL in the proxy address of the browser! :-))

Re: GET a page from another address?

On Sat, 27 Oct 2007 19:52:43 +0200, Gaspare wrote:

> HansH wrote:
>
>>> 192.168.1.3 - - [26/Oct/2007:18:27:40 +0200] "GET
>>> /http://www.google.com HTTP/1.1" 404 18
>>>
>> That's NOT the same thing.
>>
>> The leading / in this URL implies it is an _ordinary_ -not a proxiing-
>> request for an oddly named file 'www.google.com' in the folder 'http:'
>> -an
>> odd, but valid, name too-. The server would haved croacked without the
>> newly
>> added ErrorDocument too!
>>
>> To have your browser drop the leading /, set it to use your server as a
>> proxy.
>
> As far as I know (whih is not much) my apache is not acting as a
> proxy. In fact the other, guy who successfully omitted the "/", got
> in response my default page, as I reckoned by the number of bytes
> served.
> I'd like to know how can I make such a request?
> All I did was write in my address bar
> http://myurl/http://www.google.com, which produced the above log line.
> How can I make a correct GET go through? Can it be done with a
> browser, or a more sophisticated operation is involved?

Normally I use a quick telnet for this in Windows, don't know what would
be the easiest Linux variant.

(12.34.56.78 is the ip adres of the server...):

telnet 12.34.56.78 80
GET / HTTP/1.1
Host: www.bogusdomain.com

(after the host-line you need 2 newlines).

Another way would be to temporarily add a bogus domain pointing to the ip
adres in your hosts file. (Again, in Windows, that would be in something
like \System32\Drivers\Etc\hosts), in which case it would
work for all 'normal' programs including browsers.
--
Rik

Re: GET a page from another address?

"Rik Wasmus" schreef in bericht
news:op.t0vne4ke3yk0ne@metallium.lan...
> Normally I use a quick telnet for this in Windows,
.... missing on Vista Home ...

> (12.34.56.78 is the ip adres of the server...):
>
> telnet 12.34.56.78 80
> GET / HTTP/1.1
> Host: www.bogusdomain.com
>
Again, that's NOT a proxied request!

Try instead
telnet localhost 80
GET http://www.bogusdomain.com HTTP/1.1
Host: localhost

But only the log will tell the difference.

HansH