[12/Sep/2020:05:50:56 +0000] "GET http://example.com/ HTTP/1.1" 200 3421 "-" "Go-http-client/1.1"
My apache access logs registered this line on the server. It looks like some kind of proxy pen-test or attack.
I am trying to understand what the intentions of the attacker were and how to reproduce this to make sure the server was not compromised, as it did respond with 200.
Someone wrote a program in Go to connect to servers (such as yours) and check whether they are misconfigured as open proxies. Many web servers out there are so misconfigured, and they are therefore useful to malicious actors as platforms to launch attacks without those attacks being immediately traceable back to them.
If you have enabled ProxyRequests anywhere in your Apache configuration, you are most likely vulnerable. Unfortunately there are a few bad tutorials out on the Internet that advise enabling this when it is not required.
Assuming you haven’t enabled this directive, your server would instead serve the top level index document for the default virtual host, as you would not have a virtual host matching the hostname they requested. If you didn’t alter this configuration, it would be the "It works" page shipped by your distribution. If you did alter the default virtual host, then it would be whatever index document you specified in that configuration. In neither case would you be vulnerable to being exploited as an open proxy.
Finally, if your server was misconfigured as an open proxy, its IP address would have been shared widely and you would see a very large amount of traffic passing through in this manner, and probably some abuse complaints from your hosting provider.
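One way to sweep an access log for these probes and separate the benign case the answer describes (the default virtual host's index page served with 200) from the one worth checking by hand, as an added example in Python that is not part of the answer above. The sample lines are constructed in the same format as the line in the question, and `default_index_size` is assumed to be the byte count of your own default index page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the same format as the line in the question
# (combined log with the client address stripped); not from a real server.
SAMPLE_LOG = """\
[12/Sep/2020:05:50:56 +0000] "GET http://example.com/ HTTP/1.1" 200 3421 "-" "Go-http-client/1.1"
[12/Sep/2020:05:51:02 +0000] "GET / HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
[12/Sep/2020:05:52:10 +0000] "GET http://example.org/ HTTP/1.1" 200 48213 "-" "curl/7.68.0"
[12/Sep/2020:05:53:44 +0000] "CONNECT example.net:443 HTTP/1.1" 405 0 "-" "Go-http-client/1.1"
"""

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

def is_proxy_probe(method, target):
    """Absolute-URI request lines (scheme://host/...) and CONNECT are only
    meaningful to a forward proxy; on an origin server they are probes."""
    if method.upper() == "CONNECT":
        return True
    u = urlsplit(target)
    return u.scheme in ("http", "https") and bool(u.netloc)

def classify_probes(log_text, default_index_size):
    """Classify each probe line. With ProxyRequests off, Apache answers an
    absolute-URI request with the default vhost's index page, so a 200 whose
    size equals that page is benign; a 200 of a different size is the case
    to inspect by hand, since a relayed response would look like that."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_proxy_probe(m["method"], m["target"]):
            continue
        status, size = int(m["status"]), m["size"]
        if status != 200:
            verdict = "refused"
        elif size != "-" and int(size) == default_index_size:
            verdict = "served-default-vhost"
        else:
            verdict = "check-manually"
        results.append((m["ts"], m["method"], m["target"], status, m["ua"], verdict))
    return results

if __name__ == "__main__":
    # default_index_size is an assumed value: measure your own default page.
    for r in classify_probes(SAMPLE_LOG, default_index_size=3421):
        print(*r)
```

Run it against a real log with `default_index_size` set to the size Apache reports for a plain `GET /` on the default virtual host; only the `check-manually` rows need a closer look.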