Thursday, April 03, 2008

proxy servers 3: what one looks like in an error log

We have already seen that some of the IPs that we've been tracking are Rogers' proxy servers (see here and, especially, here).  Now that we know what to look for, it's not difficult to find confirmation of this.  One example can be seen at Nukecops.com, a help forum for PHP-Nuke, a web-based news-publishing and content-management system.  In May 2004, a user "tuxx" asked for advice and posted his error logs, two chunks of which I want to quote.  First, this (to which I have added colour; "tuxx" had replaced the name of his site with "sitename.com" for privacy):
    9993 admin65 /usr/bin/php UNIQUE_ID=usp-9EIxsZcAAGzF610AAABb HTTP_X_FORWARDED_FOR=24.150.44.231 SERVER_PORT=80 HTTP_HOST=sitename.com DOCUMENT_ROOT=/var/www/html SCRIPT_FILENAME=/var/www/html/index232.php REQUEST_URI=/index232.php SCRIPT_NAME=/index232.php HTTP_VIA=1.0 wc09 (NetCache NetApp/5.5R3) SCRIPT_URI=http://sitename.com/index232.php HTTP_CONNECTION=keep-alive PATH_INFO=/index232.php REMOTE_PORT=63754 PATH=/usr/local/bin:/usr/bin:/bin SCRIPT_URL=/index232.php PWD=/var/www/interpreters SERVER_ADMIN=email@sitename.com REDIRECT_STATUS=200 SITE_CGIROOT=/var/www/cgi-bin HTTP_ACCEPT_LANGUAGE=en PATH_TRANSLATED=/var/www/html/index232.php HTTP_ACCEPT=*/* SITE_HTMLROOT=/var/www/html REMOTE_ADDR=66.185.85.76 SHLVL=1 SERVER_NAME=www.sitename.com SERVER_SOFTWARE=Apache/2.0.48 (Fedora) QUERY_STRING= SITE_ROOT=/ SERVER_ADDR=66.49.180.189 GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.1 REDIRECT_URL=/index232.php REQUEST_METHOD=GET _=/usr/bin/php
Here we see the tell-tale signs of a proxy. The "HTTP_VIA" header ("1.0 wc09 (NetCache NetApp/5.5R3)") shows that a proxy is being used, that its name is "wc09", and that it is running NetApp's NetCache software, version 5.5R3. The "HTTP_X_FORWARDED_FOR" header shows the IP on whose behalf the traffic is being forwarded. And the "REMOTE_ADDR" variable gives the IP of the proxy itself, in this case 66.185.85.76 (= wc09.ym.rnc.net.cable.rogers.com).  (For a quick tutorial, see here.)
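As an added example (not from the original post, nor code posted by "tuxx"), here is a small Python parser for log chunks in this key=value format that pulls out the three fields just discussed and decides which address to treat as the client; the abridged sample line and the TRUSTED_PROXIES allow-list are assumptions built from the addresses quoted in this post.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Split the dump on whitespace that precedes a KEY= token, so values that
# themselves contain spaces (HTTP_VIA, SERVER_SOFTWARE) are kept whole.
_KEY_BOUNDARY = re.compile(r"\s+(?=[A-Z_][A-Z0-9_]*=)")
# RFC 7230 Via syntax: received-protocol received-by [ comment ]
_VIA = re.compile(r"^(?P<proto>\S+)\s+(?P<by>\S+)(?:\s+\((?P<comment>[^)]*)\))?")

# Constructed sample, abridged from the first log chunk quoted in the post.
SAMPLE_LINE = ("9993 admin65 /usr/bin/php HTTP_X_FORWARDED_FOR=24.150.44.231 "
               "HTTP_HOST=sitename.com HTTP_VIA=1.0 wc09 (NetCache NetApp/5.5R3) "
               "REMOTE_ADDR=66.185.85.76 SERVER_SOFTWARE=Apache/2.0.48 (Fedora) "
               "QUERY_STRING= REQUEST_METHOD=GET _=/usr/bin/php")
# Assumed allow-list: the two Rogers proxy addresses named in the post. Anyone can
# send an X-Forwarded-For header, so it is honoured only from these peers.
TRUSTED_PROXIES = {"66.185.85.76", "66.185.84.204"}

@dataclass
class ProxyTrace:
    remote_addr: str               # peer that actually connected to the server
    forwarded_for: Optional[str]   # client the proxy claims to relay for
    via_host: Optional[str]        # proxy's own name from Via, e.g. "wc09"
    via_software: Optional[str]    # Via comment, e.g. "NetCache NetApp/5.5R3"

    @property
    def proxied(self) -> bool:
        return self.via_host is not None or self.forwarded_for is not None

    def effective_client(self) -> str:
        """Trust X-Forwarded-For only when the peer is a known proxy."""
        if self.forwarded_for and self.remote_addr in TRUSTED_PROXIES:
            return self.forwarded_for.split(",")[0].strip()
        return self.remote_addr

def parse_env_dump(line: str) -> Dict[str, str]:
    """Parse 'KEY=value KEY2=value ...'; the leading pid/user/binary prefix is dropped."""
    env: Dict[str, str] = {}
    for chunk in _KEY_BOUNDARY.split(line.strip()):
        if "=" in chunk:
            key, _, value = chunk.partition("=")
            env[key] = value
    return env

def proxy_trace(line: str) -> ProxyTrace:
    env = parse_env_dump(line)
    m = _VIA.match(env["HTTP_VIA"]) if "HTTP_VIA" in env else None
    return ProxyTrace(env.get("REMOTE_ADDR", ""), env.get("HTTP_X_FORWARDED_FOR"),
                      m.group("by") if m else None, m.group("comment") if m else None)
```

Running `proxy_trace(SAMPLE_LINE)` reports wc09 as the proxy and 24.150.44.231 as the client; a line carrying X-Forwarded-For from an address outside the allow-list is still flagged as proxied, but its REMOTE_ADDR is kept as the client.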

In his search for help, "tuxx" included several other passages from his error logs, including this:
    9787 admin65 /usr/bin/php UNIQUE_ID=uTVIYUIxsZcAAGx8VC4AAABQ HTTP_X_FORWARDED_FOR=24.150.44.231 SERVER_PORT=80 HTTP_HOST=sitename.com DOCUMENT_ROOT=/var/www/html SCRIPT_FILENAME=/var/www/html/index232.php REQUEST_URI=/index232.php SCRIPT_NAME=/index232.php HTTP_VIA=1.0 wc09 (NetCache NetApp/5.5R3) SCRIPT_URI=http://sitename.com/index232.php HTTP_CONNECTION=keep-alive PATH_INFO=/index232.php REMOTE_PORT=5350 PATH=/usr/local/bin:/usr/bin:/bin SCRIPT_URL=/index232.php PWD=/var/www/interpreters SERVER_ADMIN=email@sitename.com REDIRECT_STATUS=200 SITE_CGIROOT=/var/www/cgi-bin HTTP_ACCEPT_LANGUAGE=en PATH_TRANSLATED=/var/www/html/index232.php HTTP_ACCEPT=*/* SITE_HTMLROOT=/var/www/html REMOTE_ADDR=66.185.84.204 SHLVL=1 SERVER_NAME=www.sitename.com SERVER_SOFTWARE=Apache/2.0.48 (Fedora) QUERY_STRING= SITE_ROOT=/ SERVER_ADDR=66.49.180.189 GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.1 REDIRECT_URL=/index232.php REQUEST_METHOD=GET _=/usr/bin/php
Again, we see a proxy at work.  This time it is our old friend 66.185.84.204 (= wc09.mtnk.rnc.net.cable.rogers.com), which is once more shown to be a proxy.

When was this? The date of tuxx's post is May 18, 2004.  We have already seen here that truehits.net had listed 66.185.84.204 as a proxy in early 2003.  Apparently it was still one in 2004.