Logwatch: connection attempts using mod_proxy

apache-2.2logginglogwatchmod-proxy

Today I noticed this entry in my log file:

Connection attempts using mod_proxy:
175.180.113.83 -> 66.135.210.61:80: 1 Time(s)

This is something I do not normally see in my logs. I have a few questions about this:

  1. What does this actually mean? Does this mean that someone tried to access my server through a proxied connection?
  2. What is the first IP address? Is this the originating IP?
  3. What is the second IP address? Is this the server they used as a proxy?
  4. If what I said for 2 and 3 are correct, how is it that Logwatch (or whatever in Linux is resolving this) can detect the originating IP? I thought that a proxy is supposed to help with anonymity and make it so that the originating IP address is completely masked?
  5. What does this mean? Are these requests usually from bots that are looking for additional security holes? What's the hole point of going through a proxy to access my server?

EDIT: It looks like 66.135.210.61 belongs to eBay and the other IP belongs to someone in Taiwan. Does this mean someone accessed my server through eBay? Shouldn't eBay's security be good enough to prevent things like that?

Thanks

Best Answer

It actually means the opposite to what you suggested: the person in Taiwan accessed (or attempted to access) eBay via your server. It means that someone was using your machine as an open proxy. Most likely they were probing to see if you had an open proxy configured. The fact that the message says "attempted" would suggest that they didn't succeed, but a bit of Googling suggests that it may mean they actually got through. What you want to do is make sure you're not running mod_proxy and you disable the CONNECT verb if you don't need them.

An article I found that might be of use is http://www.davekb.com/browse_computer_tips:logwatch_connection_attempts_using_mod_proxy:txt

Related Topic