Since I last posted on this I have read up a bit more about the “hacks” that I have been getting. I have also seen some requests from bots looking to use my server as a free proxy to other sites.

The requests appear in the log as so:

```
- [13/Feb/2011:12:21:18 +0000] "GET / HTTP/1.1" 200 275 "" " telnet (MSIE compatible)"
```

They appear to have successfully managed to tunnel a URL request through my server and get the response back. After some searching, I found a very useful tool to see what response the bot was actually getting.

```
telnet 80
GET / HTTP/1.1
Host:
User-Agent: telnet (MSIE compatible)
Referer:
Connection: Close

HTTP/1.1 200 OK // The request was fulfilled. (HTTP OK)

Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
ETag: "299410394"
Last-Modified: Tue, 01 Feb 2011 22:01:04 GMT
Content-Length: 275
Date: Sun, 13 Feb 2011 12:29:06 GMT
Server: lighttpd

Matthew Reid

You are now being re-directed to the homepage
```


As you can see, my server was actually serving up the main index.html page and ignoring the URL that the request was trying to get to (I have changed the URL for obvious reasons). Phew!
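One way to find these proxy probes in an access log and check whether each one only got the local index page back, as an added example that is not part of the original post. The log lines, addresses, hostnames and the `OWN_HOSTS` and `INDEX_SIZE` names are constructed assumptions; 275 is the response size from the log line above.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: the names this server legitimately answers for,
# and the byte size of its own index page (275 in the log line above).
OWN_HOSTS = {"www.example.com", "example.com"}
INDEX_SIZE = 275

# Common/combined-style line: client, two fields, [time], "request", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return None for ordinary requests, else a dict describing the proxy probe."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]          # authority-form: host:port
    elif "://" in target:
        host = urlsplit(target).hostname or ""   # absolute-form: scheme://host/path
    else:
        return None                              # origin-form: a normal request
    if host.lower() in OWN_HOSTS:
        return None
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if status == 200 and size == INDEX_SIZE:
        verdict = "served-local-index"           # the probe got our own page back
    elif 200 <= status < 300:
        verdict = "possible-relay"               # 2xx that is not our index: investigate
    else:
        verdict = "rejected"
    return {"ip": m["ip"], "host": host, "status": status, "size": size, "verdict": verdict}

# Constructed sample log lines (documentation addresses and domains).
SAMPLE = [
    '192.0.2.10 - - [13/Feb/2011:12:21:18 +0000] "GET http://target.example.org/ HTTP/1.1" 200 275 "-" "telnet (MSIE compatible)"',
    '192.0.2.11 - - [13/Feb/2011:12:22:01 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 400 349 "-" "-"',
    '192.0.2.12 - - [13/Feb/2011:12:23:40 +0000] "GET http://target.example.org/big HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.7 - - [13/Feb/2011:12:24:02 +0000] "GET /index.html HTTP/1.1" 200 275 "-" "Mozilla/5.0"',
]

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A `possible-relay` verdict is only a prompt to look closer: it means a 2xx response whose size differs from the index page, not proof that the request was forwarded.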


One thing this did bring up was that by getting a 200 response, the attacker can see exactly which server and version I was using. I have now changed this information in the config to confuse any future potential attackers.



Matt Reid
