Apache2 config help and advice

Good day all,
I have an Apache2 web server running on OpenSuSE 12.3. Everything seems to be working well, except when I check the apache2/access_log I find lots of entries like the following:


94.23.45.14 - - [23/Sep/2013:03:23:00 -0500] "HEAD / HTTP/1.0" 200 - "-" "-"
111.248.56.25 - - [23/Sep/2013:03:27:21 -0500] "GET http://www.google.co.jp HTTP/1.1" 200 8912 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
111.248.56.25 - - [23/Sep/2013:03:27:23 -0500] "CONNECT mta6.am0.yahoodns.net:25 HTTP/1.0" 200 8896 "-" "-"
111.241.46.197 - - [23/Sep/2013:04:34:28 -0500] "GET http://www.google.com.tw HTTP/1.1" 200 8490 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
111.241.46.197 - - [23/Sep/2013:04:34:29 -0500] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 200 8896 "-" "-"
192.187.96.94 - - [23/Sep/2013:08:57:27 -0500] "CONNECT 80.79.119.248:80 HTTP/1.1" 200 8489 "-" "-"
192.187.96.94 - - [23/Sep/2013:08:57:27 -0500] "GET /ohLo0Ooni9tu.php HTTP/1.1" 404 526 "-" "-"
61.231.93.149 - - [23/Sep/2013:11:38:28 -0500] "GET http://www.google.com/intl/zh-CN/ HTTP/1.1" 404 526 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
61.231.93.149 - - [23/Sep/2013:11:38:33 -0500] "CONNECT mx3.mail2000.com.tw:25 HTTP/1.0" 200 8473 "-" "-"
66.58.248.72 - - [23/Sep/2013:17:53:28 -0500] "\x80w\x01\x03\x01" 400 324 "-" "-"
36.231.254.239 - - [24/Sep/2013:04:48:22 -0500] "GET http://www.google.com.tw HTTP/1.1" 200 8490 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
36.231.254.239 - - [24/Sep/2013:04:48:27 -0500] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 200 8896 "-" "-"
61.228.95.9 - - [24/Sep/2013:07:47:38 -0500] "GET http://www.google.com/intl/zh-CN/ HTTP/1.1" 404 526 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
61.228.95.9 - - [24/Sep/2013:07:47:39 -0500] "CONNECT mx2.mail2000.com.tw:25 HTTP/1.0" 200 8896 "-" "-"
184.90.189.155 - - [24/Sep/2013:07:51:09 -0500] "\x80w\x01\x03\x01" 400 324 "-" "-"
70.89.92.5 - "" [25/Sep/2013:07:45:59 -0500] "GET /manager/html HTTP/1.1" 404 526 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.187.96.94 - - [25/Sep/2013:08:23:03 -0500] "CONNECT 80.79.119.248:80 HTTP/1.1" 200 8489 "-" "-"

Specifically, entries like the following:

111.248.56.25 - - [23/Sep/2013:03:27:21 -0500] "GET http://www.google.co.jp HTTP/1.1" 200 8912 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
111.248.56.25 - - [23/Sep/2013:03:27:23 -0500] "CONNECT mta6.am0.yahoodns.net:25 HTTP/1.0" 200 8896 "-" "-"

If I understand this log entry correctly, 111.248.56.25 is trying to use my web server as a proxy, perhaps to send spam, to mta6.am0.yahoodns.net:25? Or perhaps hiding behind my address to probe those servers? I’m concerned that my server seems to be returning “200”, or success. I don’t know what the other return codes are, in this case 8912 and 8896.

In the following example, 192.187.96.94 first seems to be using my web server as a proxy to connect to 80.79.119.248:80 ← a web server, and the return code is 200. Then 192.187.96.94 tries to use my web server as a proxy to get a file “/ohLo0Ooni9tu.php”, and is told the file doesn’t exist. Is 192.187.96.94 trying to get this file from my server, or from 80.79.119.248?


192.187.96.94 - - [23/Sep/2013:08:57:27 -0500] "CONNECT 80.79.119.248:80 HTTP/1.1" 200 8489 "-" "-"
192.187.96.94 - - [23/Sep/2013:08:57:27 -0500] "GET /ohLo0Ooni9tu.php HTTP/1.1" 404 526 "-" "-"

So after all this, what I’m looking for is advice for how to not allow my server to be used as a proxy server to send spam, or to probe other servers. I’m not loading mod_proxy, so why is my server returning a 200?

Thank you for any advice you can give, I appreciate it.
Cheers,
Terry.
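
An added example, not code from the original post: a small Python triage script that parses the access_log lines quoted above (embedded here as the sample input) and flags the request shapes that indicate someone is treating the server as a forward proxy. In the combined log format the number after the status code is the response size in bytes. The scanner-path list is an assumption to be extended for your own site.

```python
"""Triage Apache "combined" access_log lines for open-proxy abuse.

Findings:
  proxy-tunnel        CONNECT request (to :25 this is a spam-relay attempt)
  proxy-absolute-uri  "GET http://other.host/ ..." instead of a plain path
  malformed-request   not an HTTP request line at all, e.g. SSL handshake
                      bytes ("\\x80w\\x01\\x03\\x01") sent to the plain port
  scanner-path        a path only vulnerability scanners ask for
"""
import re
from collections import Counter

# Sample input: the access_log lines quoted in the post above (raw string,
# so the "\x80" escapes stay exactly as Apache wrote them).
SAMPLE_LOG = r"""
94.23.45.14 - - [23/Sep/2013:03:23:00 -0500] "HEAD / HTTP/1.0" 200 - "-" "-"
111.248.56.25 - - [23/Sep/2013:03:27:21 -0500] "GET http://www.google.co.jp HTTP/1.1" 200 8912 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
111.248.56.25 - - [23/Sep/2013:03:27:23 -0500] "CONNECT mta6.am0.yahoodns.net:25 HTTP/1.0" 200 8896 "-" "-"
111.241.46.197 - - [23/Sep/2013:04:34:28 -0500] "GET http://www.google.com.tw HTTP/1.1" 200 8490 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
111.241.46.197 - - [23/Sep/2013:04:34:29 -0500] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 200 8896 "-" "-"
192.187.96.94 - - [23/Sep/2013:08:57:27 -0500] "CONNECT 80.79.119.248:80 HTTP/1.1" 200 8489 "-" "-"
192.187.96.94 - - [23/Sep/2013:08:57:27 -0500] "GET /ohLo0Ooni9tu.php HTTP/1.1" 404 526 "-" "-"
61.231.93.149 - - [23/Sep/2013:11:38:28 -0500] "GET http://www.google.com/intl/zh-CN/ HTTP/1.1" 404 526 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
61.231.93.149 - - [23/Sep/2013:11:38:33 -0500] "CONNECT mx3.mail2000.com.tw:25 HTTP/1.0" 200 8473 "-" "-"
66.58.248.72 - - [23/Sep/2013:17:53:28 -0500] "\x80w\x01\x03\x01" 400 324 "-" "-"
36.231.254.239 - - [24/Sep/2013:04:48:22 -0500] "GET http://www.google.com.tw HTTP/1.1" 200 8490 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
36.231.254.239 - - [24/Sep/2013:04:48:27 -0500] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 200 8896 "-" "-"
61.228.95.9 - - [24/Sep/2013:07:47:38 -0500] "GET http://www.google.com/intl/zh-CN/ HTTP/1.1" 404 526 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
61.228.95.9 - - [24/Sep/2013:07:47:39 -0500] "CONNECT mx2.mail2000.com.tw:25 HTTP/1.0" 200 8896 "-" "-"
184.90.189.155 - - [24/Sep/2013:07:51:09 -0500] "\x80w\x01\x03\x01" 400 324 "-" "-"
70.89.92.5 - "" [25/Sep/2013:07:45:59 -0500] "GET /manager/html HTTP/1.1" 404 526 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.187.96.94 - - [25/Sep/2013:08:23:03 -0500] "CONNECT 80.79.119.248:80 HTTP/1.1" 200 8489 "-" "-"
""".strip().splitlines()

# Combined log format; the request field may contain Apache's \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:\\.|[^"\\])*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: extend with paths your own site never serves.  /manager/html
# is the Tomcat manager probe mentioned in the thread.
SCANNER_PATHS = {"/manager/html"}
ABSOLUTE_URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def classify(req: str):
    """Return a finding label for a request line, or None if it looks normal."""
    parts = req.replace(r'\"', '"').split(" ")
    if len(parts) != 3:
        return "malformed-request"
    method, target, version = parts
    if not re.fullmatch(r"[A-Z]+", method) or not re.fullmatch(r"HTTP/\d\.\d", version):
        return "malformed-request"
    if method == "CONNECT":
        return "proxy-tunnel"
    if ABSOLUTE_URI_RE.match(target):
        return "proxy-absolute-uri"
    if target in SCANNER_PATHS:
        return "scanner-path"
    return None


def parse(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = int(d["size"]) if d["size"].isdigit() else 0   # "-" means no body
    return d


def triage(lines):
    """Parse every line and keep only those with a finding attached."""
    findings = []
    for line in lines:
        entry = parse(line)
        kind = classify(entry["req"])
        if kind:
            entry["kind"] = kind
            findings.append(entry)
    return findings


def summarize(findings) -> dict:
    """Counts by finding and by (client, finding), plus how many proxy-shaped
    requests the server answered with a 2xx instead of rejecting."""
    return {
        "by_kind": Counter(f["kind"] for f in findings),
        "per_client": Counter((f["ip"], f["kind"]) for f in findings),
        "proxy_requests_answered_2xx": sum(
            1 for f in findings
            if f["kind"].startswith("proxy-") and 200 <= f["status"] < 300),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f["ip"]:16} {f["kind"]:20} {f["status"]} {f["size"]:6} {f["req"]}')
    print(summarize(found))
```

Feed it a real log with `triage(open("/var/log/apache2/access_log").read().splitlines())`; the `proxy_requests_answered_2xx` figure is the one to watch, since a server that does not proxy should normally be answering these requests with a 4xx.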

Are you sure you do not have mod_proxy enabled? The log does say that it forwards the request OK… This could be a problem.

Could you maybe try and use it yourself as a proxy?

As for the latter, I would get used to them; the automatic exploit scanners will come and go. I rarely (read: close to never) got an answer back when reporting a compromised machine that was scanning.

I also noticed some HTTPS / SSL handshake attempts in the log and the Tomcat default manager scan.

Do you hide the server info with:

ServerTokens ProductOnly
ServerSignature Off


If not, I think in the header you will see all the loaded mods.

Cheers.

Thanks for the reply, ghostintheruins.
I set these as you suggested:


ServerTokens ProductOnly
ServerSignature Off

I tried to use my server as a proxy, but I’m not sure if I’m doing it right:

wget --save-headers http://myservername.com --post-data="CONNECT http://www.google.com"

I also tried:

nc myservername.com 80
"GET www.google.com HTTP/1.1"

These are the various messages I could generate to the access_log:


127.0.0.1 - - [25/Sep/2013:16:48:05 -0500] "GET / HTTP/1.1" 200 8924 "-" "Wget/ (linux-gnu)"
127.0.0.1 - - [25/Sep/2013:16:50:05 -0500] "POST / HTTP/1.1" 200 8924 "-" "Wget/ (linux-gnu)"
127.0.0.1 - - [25/Sep/2013:17:06:37 -0500] "GET / HTTP/1.1" 400 226 "-" "-"
127.0.0.1 - - [25/Sep/2013:17:08:36 -0500] "GET http://www.google.com HTTP/1.1" 400 226 "-" "-"
127.0.0.1 - - [25/Sep/2013:17:09:18 -0500] "\"GET www.google.com HTTP/1.1\"" 400 226 "-" "-"

Since the results of nc are pretty close to what I’m seeing in my logs I guess I’m gonna have to read the nc man page pretty thoroughly.
I think this has me going down the right path anyway.

Thanks again!
Cheers,
Terry.

Hello,

I would also suggest that you try to use your machine as a proxy from the “world”, i.e. from a machine outside your LAN and not from the machine itself (127…). That would mean that you can try and set your external (static?) IP as a proxy for an internet browser (e.g. firefox) and see if it works.

Your tests there, while they might get you somewhere, are not that relevant unless you have in the config a “Deny all” statement which would include localhost (127…) too.

Also, if you look to harden your web server further, try a google search for “apache hardening” or similar. :)

Cheers.
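
An added example, not code from the thread, for the test the two replies above ask for: a Python probe to run from a host outside your own network against your server. It sends the two request shapes seen in the access_log (an absolute-URI GET and a CONNECT to port 25) plus a plain `GET /`, and compares the answers, because a 200 in the log can mean either "tunnel established" or "served my own index page regardless of what was asked". The hostname, port and target below are placeholders, and the comparison assumes the server's own index page carries a stable `<title>` (it falls back to comparing whole bodies if there is none).

```python
"""Probe whether a web server acts as an open forward proxy.

Usage (from outside your LAN):  python3 proxy_probe.py your.server.example 80
"""
import re
import socket
import sys


def absolute_uri_request(target: str) -> bytes:
    """Forward-proxy style request: absolute URI in the request line."""
    return (f"GET http://{target}/ HTTP/1.1\r\nHost: {target}\r\n"
            f"Connection: close\r\n\r\n").encode()


def connect_request(target: str, port: int = 25) -> bytes:
    """CONNECT tunnel request; port 25 is what a spam relay would ask for."""
    return f"CONNECT {target}:{port} HTTP/1.0\r\nHost: {target}:{port}\r\n\r\n".encode()


def own_page_request(host: str) -> bytes:
    """Baseline: what the server serves for a plain GET /."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def send_raw(host: str, port: int, request: bytes, timeout: float = 10.0) -> bytes:
    """Send raw bytes and read until the peer closes or goes quiet."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            try:
                data = s.recv(65536)
            except socket.timeout:
                break          # an established tunnel to an idle target never closes
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def split_response(raw: bytes):
    """Return (status code, body bytes); status 0 if it is not HTTP at all."""
    head, _, body = raw.partition(b"\r\n\r\n")
    first = head.split(b"\r\n", 1)[0].split()
    status = int(first[1]) if len(first) > 1 and first[1].isdigit() else 0
    return status, body


def page_title(body: bytes):
    m = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else None


def classify(local_raw: bytes, probe_raw: bytes) -> str:
    """Compare a proxy-shaped probe's answer with the server's own page.

    refused          not a 2xx (400, 403, 405 ...): no proxying is happening
    served_own_page  200, but the body is this server's own index page
    open_proxy       200 with foreign content, or a bare tunnel with no page
    """
    _, local_body = split_response(local_raw)
    status, body = split_response(probe_raw)
    if not 200 <= status < 300:
        return "refused"
    local_title, title = page_title(local_body), page_title(body)
    same = (title == local_title) if local_title is not None else (body == local_body)
    return "served_own_page" if same else "open_proxy"


def probe(host: str, port: int = 80, target: str = "www.example.com") -> dict:
    """Run all three requests against a live server and classify each probe."""
    local = send_raw(host, port, own_page_request(host))
    return {
        "absolute_uri": classify(local, send_raw(host, port, absolute_uri_request(target))),
        "connect_25": classify(local, send_raw(host, port, connect_request(target, 25))),
    }


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: proxy_probe.py HOST [PORT]")
    for name, result in probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80).items():
        print(f"{name:13} {result}")
```

If either probe comes back `open_proxy`, list the loaded modules with `apachectl -M` (`apache2ctl -M` on openSUSE) and look for `ProxyRequests On` in the configuration, which is the directive that turns mod_proxy into a forward proxy; `served_own_page` means the server is only logging a 200 because it answered with its own document, which is what the sizes in the log above (8896, 8912, close to the 8924 bytes of a plain `GET /`) suggest.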