Is there a way to block the following connections?
(excerpt from access_log):
128.193.0.28 - - [05/Sep/2003:12:23:11 +1000] "CONNECT 128.193.0.28:802 HTTP/1.0" 405 300 "-" "-" 128.193.0.28 - - [05/Sep/2003:12:23:11 +1000] "POST http://128.193.0.28:802/ HTTP/1.0" 405 297 "-" "-" 203.28.38.10 - - [05/Sep/2003:12:23:15 +1000] "CONNECT 203.28.38.10:6667 HTTP/1.0" 405 300 "-" "-" 203.28.38.10 - - [05/Sep/2003:12:23:15 +1000] "POST http://203.28.38.10:6667/ HTTP/1.0" 405 297 "-" "-"
I figure there's no point in blocking by specific IP addresses, seeing as they don't seem to originate from any one IP...
Ideas?
Comments
It looks like apache is denying it already, Its just keeping a log of it so you know.
I tried telnetting to localhost:80 and issuing 'CONNECT <some IP>' and it fed back to me the index page from hesperos.
The reason I'm trying to block it is every time it does that it shows up as another user online in the bar on the right.. (the Who's Online thing)
Given that they're using HTTP/1.0 and trying to post to 6667, I'd guess it's an attempted exploit of some crappy webserver that will proxy connections. Apache is safe.
Oh, I'm not terribly worried about someone exploiting the server.
I just don't like the fact that the "whos online" sidebar shows two more guests when this happens...
I'd just like the sidebar to show how many "real" users are on, u know?
Write your php script to parse the $_SERVER variables, if their not just accessing "/" from the server "hesperos.realmtech.net" then dont include them as a user accessing your site
Okay, in case anyone was wondering.. (a solution)
In my session code I've checked the following:
- Whether the Request URI starts with "http://"
- Whether the Request Method was CONNECT
If either of the above is true, the code does not initiate a session.
All smiles now :)