What are these events (from Proxy access logs)?

Hi all,

I'm trying to identify what this is in my proxy access logs:

POST http://123.123.123.123/open/1

Followed by thousands of:

POST http://123.123.123.123/IVmYwvJKhJFesFjK/1001
POST http://123.123.123.123/IVmYwvJKhJFesFjK/1002
POST http://123.123.123.123/IVmYwvJKhJFesFjK/1003

Obviously the actual IP is omitted (pub internet address).

Your help would make my day!

Thanks all

Correct me if I'm wrong, but I'm thinking that those URLs do not contain the IP addresses of hosts accessing your proxy, but rather they are outbound POST requests FROM your 'clients' TO remote destinations.

This portion of the 2nd type URL you provided is typical of a 'folder' with a randomly generated name.

/IVmYwvJKhJFesFjK/

Folders like that are often used for legit purposes but those URLs also resemble a Slowloris attack. In that sort of scenario, the path and resource are arbitrary and likely don't exist. The objective is to flood the server with a bunch of requests that won't time out, because the very end of the request header is crafted so it is purposely missing the full 0d 0a 0d 0a that the server expects.

Not really enough evidence to determine from your post.

EDIT: My first post on this forum and unfortunately, I NECROed. Sorry all.....

This forum closes old threads automatically; that you were able to post in it means it wasn't old enough to be considered a necropost yet.
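
One way to collect the evidence the reply says is missing, as an added example that is not part of the original thread: group the proxy's POST entries by destination and path prefix, then measure how long and how strictly sequential each numeric-suffix run is. The function name, the `min_run` threshold and the sample lines are assumptions; the sample is constructed in the method-plus-URL shape quoted in the question.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, shaped like the entries quoted in the question.
SAMPLE = (
    ["POST http://123.123.123.123/open/1"]
    + [f"POST http://123.123.123.123/IVmYwvJKhJFesFjK/{n}" for n in range(1001, 1201)]
    + ["GET http://example.com/index.html"]
)

# Finds "METHOD URL" anywhere in a line, so extra log fields around it are tolerated.
ENTRY = re.compile(r"\b(?P<method>[A-Z]+)\s+(?P<url>https?://\S+)")

def summarize_counter_posts(lines, min_run=50):
    """Report (host, path prefix) groups whose POSTs end in a numeric counter."""
    groups = defaultdict(list)
    for line in lines:
        m = ENTRY.search(line)
        if not m or m["method"] != "POST":
            continue
        parts = urlsplit(m["url"])
        prefix, _, last = parts.path.rpartition("/")
        if last.isascii() and last.isdigit():
            groups[(parts.netloc, prefix)].append(int(last))

    findings = []
    for (host, prefix), nums in groups.items():
        if len(nums) < min_run:
            continue  # too few requests to call it a run
        steps = [b - a for a, b in zip(nums, nums[1:])]
        findings.append({
            "host": host,
            "prefix": prefix,
            "count": len(nums),
            "first": nums[0],
            "last": nums[-1],
            # Share of consecutive requests whose counter increased by exactly 1.
            "sequential_ratio": sum(s == 1 for s in steps) / len(steps),
        })
    return sorted(findings, key=lambda f: f["count"], reverse=True)

if __name__ == "__main__":
    for finding in summarize_counter_posts(SAMPLE):
        print(finding)
```

A long run with a ratio near 1.0 points at a single automated client session; the next step is to join each finding back to the proxy's client-address, timestamp and byte-count fields to identify the internal host responsible.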