On Mon, Nov 05, 2007 at 01:07:13PM -0700, Ashley M. Kirchner wrote: > I noticed these entries in my apache log today: > > 60.250.66.175 - - [01/Nov/2007:04:41:01 -0600] "CONNECT > 218.32.192.11:25 HTTP/1.0" 200 12439 "-" "-" > 60.250.66.175 - - [01/Nov/2007:04:41:04 -0600] "CONNECT > 61.31.198.50:25 HTTP/1.0" 200 12439 "-" "-" > 60.250.66.175 - - [01/Nov/2007:04:43:28 -0600] "CONNECT > 60.249.125.71:25 HTTP/1.0" 200 12439 "-" "-" > 159.148.97.91 - - [02/Nov/2007:22:01:40 -0600] "CONNECT > 195.175.37.70:8080 HTTP/1.0" 200 14301 "-" "-" > 159.148.97.91 - - [02/Nov/2007:22:01:41 -0600] "CONNECT > 159.148.96.222:80 HTTP/1.0" 200 14301 "-" "-" > > And while the first two are specifically targeting port 25, the > other two aren't But more importantly, how is this being done, and how > do I stop it? Did I forgot to disable something within Apache somewhere? You'll get a 200 response sent from such CONNECT requests if you have (e.g.) a PHP page handling the / page for your server. That does not mean the server is allowing port forwarding! By default, httpd will not allow CONNECT requests to remote servers. If ProxyRequests is enabled, it will allow CONNECT requests to ports 443 and 563 only. (ProxyRequests should not be enabled unless the server is acting as a proxy server, of course!) http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#allowconnect joe
