
When I checked my nginx access.log I detected some unknown entries.

Here is an example of such an entry:

119.96.41.183 - - [14/Aug/2013:07:56:51 +0200] "GET http://www.baidu.com/ HTTP/1.1" 302 160 "http://www.baidu.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2$
219.154.5.176 - - [14/Aug/2013:10:48:38 +0200] "GET http://www.baidu.com/ HTTP/1.1" 302 160 "http://www.baidu.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2$

Also, there are other entries I do not know if I should worry about:

91.121.123.161 - - [11/Aug/2013:09:33:58 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%$

I am running nginx 1.4.1 with php5-fpm on Debian wheezy. As a control panel I am using ISPConfig on port 8080 (default).

What can I do?

Blicc
  • Hum, is your nginx configured as a proxy? – mveroone Aug 14 '13 at 09:48
  • I have not configured it as a proxy. How can I check? – Blicc Aug 14 '13 at 09:49
  • You would see directives named "proxy_pass" or "proxy*" in your configuration file. Here, those IP addresses are asking for an external website to YOUR server, which is exactly how you would use a proxy. And nginx responded "302" which means "Moved temporarily". So he's effectively responding like a proxy would. If this server isn't a proxy, I don't know why this happens and your question is interesting. – mveroone Aug 14 '13 at 10:02
  • There is nothing like proxy in any of my configuration files, not in /etc/nginx.conf and also not in /etc/nginx/sites-available. Can this be an issue because ISPConfig is listening on port 8080 which is normally used for proxies? – Blicc Aug 14 '13 at 10:10
  • You're being scanned for various security holes. Welcome to the Internet. – Michael Hampton Aug 14 '13 at 13:14
  • So this is "just" scanning and nothing I have to worry about? – Blicc Aug 14 '13 at 13:16

1 Answer


I would suggest you take a look at this Q&A: https://security.stackexchange.com/questions/41078/url-from-another-domain-in-my-access-log

You are asking more or less the same question.

As for the answer, apart from making sure your server is secure, there is not much you can do :)


I know this is quite an old entry but it is still valid. Because I cannot leave a comment, I am replying here.

LyK
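
One way to triage entries like the two kinds shown in the question, as an added example that is not part of the original thread: it flags absolute-URI request lines (proxy probes), decodes percent-encoded targets so the hidden request becomes readable, and keeps the status code so you can see how nginx answered. The function names, finding labels and sample lines are assumptions made for this example; the sample IPs are documentation addresses and the status of the second line is constructed.

```python
import re
from urllib.parse import unquote_plus

# Default nginx "combined" format, parsed up to the status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# Absolute URI in the request line: the client is testing for an open proxy.
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)
# Letters, digits, "-" and "_" never need percent-encoding; encoding them
# anyway is a common way to hide a request from simple pattern filters.
ENCODED_PLAIN = re.compile(r'%(?:2D|5F|3[0-9]|[46][1-9A-F]|[57][0-9A])', re.I)

def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    decoded = unquote_plus(target)  # "+" becomes a space, %XX becomes a char
    findings = []
    if ABSOLUTE_URI.match(target):
        findings.append("proxy-probe")
    if ENCODED_PLAIN.search(target):
        findings.append("obfuscated-encoding")
    # A query string that begins with "-" is a command-line switch aimed at
    # a CGI binary (here PHP's "-d", which overrides an ini setting).
    if decoded.partition("?")[2].startswith("-"):
        findings.append("cgi-switch-in-query")
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "decoded": decoded, "findings": findings}

def triage(lines):
    """Keep only the parsed lines that raised at least one finding."""
    parsed = (classify(line) for line in lines)
    return [p for p in parsed if p and p["findings"]]

# Constructed sample lines; request targets follow the visible part of the
# entries in the question, everything after the target is made up.
SAMPLE = [
    '203.0.113.10 - - [14/Aug/2013:07:56:51 +0200] "GET http://www.baidu.com/ HTTP/1.1" 302 160 "http://www.baidu.com/" "Mozilla/4.0"',
    '198.51.100.7 - - [11/Aug/2013:09:33:58 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 404 168 "-" "-"',
    '192.0.2.44 - - [14/Aug/2013:11:02:10 +0200] "GET /index.php?page=about%20us HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["ip"], hit["status"], hit["findings"], hit["decoded"])
```

A flagged line answered with a redirect or a 4xx status means the probe was refused; a flagged line answered with 200 is the one to investigate first.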