Trying to understand this apache log line

ericbae asked:

In the access.log file in my Apache, there are a few “get” requests which I do not understand. For example:

www.postatic.com:80 115.210.66.30 - - [12/Nov/2014:12:36:31 +1100] "GET http://www.cx75planet.ru/XpycT/mimmalina/gost/guest.php HTTP/1.0" 404 60772 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"

Now www.postatic.com is my website. It’s a content-oriented site, where users can create a forum and let people post things (similar to Reddit).

But in the above line, it looks like a user from 115.210.66.30 came to my site and tried to go to

http://www.cx75planet.ru/XpycT/mimmalina/gost/guest.php

But I cannot find the above URL ANYWHERE in my site. I store all the links posted by the users in the DB, but can’t find it anywhere.

Am I interpreting it right?

My answer:


Someone is trying to determine if your web server is an open proxy server and is trying to relay malicious traffic through it.

Fortunately, you don’t actually have an open proxy and the traffic isn’t going anywhere, but it is also filling up your logs and eating up your bandwidth.

I would recommend you set a default virtual host that serves any web site not specifically named in other virtual hosts, and that only returns a 403 error for all requests. They will eventually get the message and go away. The default virtual host on a Red Hat based system already does this (that nice test page is also a 403 error); I don’t know about Ubuntu.


View the full question and answer on Server Fault.
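To spot this kind of request in a log, the following added example (not part of the original question or answer) flags request lines whose target is a full URL or a CONNECT authority naming a host other than your own. It assumes the log layout of the line quoted in the question; `OWN_HOSTS`, the function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Layout of the quoted line: vhost:port client ident user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<vhost>\S+?):\d+ (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

def proxy_probe(line, own_hosts):
    """Return details of a forward-proxy probe, or None for ordinary traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":                      # authority-form: host:port
        host = target.rsplit(":", 1)[0]
    elif not target.startswith("/") and "://" in target:   # absolute-form: full URL
        host = urlsplit(target).hostname or ""
    else:                                        # origin-form (/path) is a normal request
        return None
    host = host.lower()
    if host in own_hosts:                        # a full URL naming this site is legitimate
        return None
    status = int(m["status"])
    # A non-error status does not prove relaying, but it is the case to check by hand
    # (for example, whether mod_proxy is loaded with ProxyRequests On).
    return {"client": m["client"], "method": method, "target_host": host,
            "status": status, "not_rejected": status < 400}

def probes_by_client(lines, own_hosts):
    """Count probe requests per client address."""
    hits = filter(None, (proxy_probe(l, own_hosts) for l in lines))
    return Counter(h["client"] for h in hits)

OWN_HOSTS = {"www.postatic.com", "postatic.com"}   # assumption: names this server answers to
SAMPLE = [  # first line is the one from the question; the others are constructed
    'www.postatic.com:80 115.210.66.30 - - [12/Nov/2014:12:36:31 +1100] "GET http://www.cx75planet.ru/XpycT/mimmalina/gost/guest.php HTTP/1.0" 404 60772 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"',
    'www.postatic.com:80 203.0.113.7 - - [12/Nov/2014:12:40:02 +1100] "GET /forums/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'www.postatic.com:80 203.0.113.7 - - [12/Nov/2014:12:40:09 +1100] "GET /out?u=http://example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'www.postatic.com:80 203.0.113.7 - - [12/Nov/2014:12:41:10 +1100] "GET http://www.postatic.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'www.postatic.com:80 203.0.113.9 - - [12/Nov/2014:12:42:55 +1100] "CONNECT mail.example.net:25 HTTP/1.0" 405 312 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(proxy_probe(line, OWN_HOSTS))
```

A hit with `not_rejected` set is the one worth following up; the 404 in the question's line shows the server did not relay the request.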

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.