
Security Basics mailing list archives

Re: Strange Web Server Log Entries
From: Zapotek <zapotekzsp () gmail com>
Date: Sat, 08 Dec 2007 17:07:55 +0000

Can you try to probe your server with netcat one more time, but this time request a remote web page?
Like http://google.com for example.

Hopefully it won't work.

steve menard wrote:
Don't see mod_proxy

stevem () lap:/home/stevem# sudo apache2 -M
apache2: apr_sockaddr_info_get() failed for lap.local
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 php5_module (shared)
 setenvif_module (shared)
 status_module (shared)
Syntax OK



Zapotek wrote:
You probably have mod_proxy enabled by accident.
(You can get a list with the loaded modules using the following: "$ sudo apache2 -M")

The below link should help you:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Regards,
Zapotek.

steve menard wrote:
I would like to NOTE:
Ubuntu 7.04 AND My Laptop with Ubuntu 7.10
Apache2 my client's untouched Default Apache server on Ubuntu 7.04
replies to ANY REQUEST properly phrased

stevem () lap:~$ nc -vvv 192.168.36.36 80
server192.local [192.168.36.36] 80 (www) open
GET http://www.12.example.com/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a
href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last
modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a
href="?C=D;O=A">Description</a></th></tr><tr><th
colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif"
alt="[DIR]"></td><td><a
href="apache2-default/">apache2-default/</a></td><td
align="right">20-Nov-2004 16:16  </td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif"
alt="[DIR]"></td><td><a href="restricted/">restricted/</a></td><td
align="right">02-Oct-2007 23:12  </td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif"
alt="[DIR]"></td><td><a href="squid-reports/">squid-reports/</a></td><td
align="right">07-Dec-2007 07:35  </td><td align="right">  - </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.2.3 (Ubuntu) PHP/5.2.1 Server at www.12.example.com
Port 80</address>
</body></html>
 sent 32, rcvd 1124
stevem () lap:~$


Zapotek wrote:
Sean Malloy wrote:
Dear List,

What do these entries in my Apache logs mean?

65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260

61.152.255.46 - - [08/Sep/2007:13:24:03 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2903
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231

222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

222.217.221.214 - - [28/Oct/2007:04:30:05 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

219.153.5.169 - - [28/Oct/2007:12:49:02 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770

89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0

I am especially confused about the first lines in each set. I interpret it as "client 65.117.101.194 successfully connected to my webserver and requested the page http://www.microsoft.com". It looks like someone is trying to bounce an attack off of my webserver. Should I be worried about these entries?

The server only serves static XHTML and CSS pages.
What's weird is the response codes.
"200 OK" on almost every proxy request; that can't be good.
Try:
$ nc -vvv your.server.tld 80
your.server.tld [0.0.0.0] 80 (www) open
GET http://www.intel.com/ HTTP/1.1


And check out the response yourself.
If you get a "400 Bad Request" you're probably safe.
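The thread's reasoning, applied to log lines in code, as an added example that is not part of any message in the thread: the script below parses Apache common-log-format lines, picks out the request lines only a proxy client would send (a CONNECT, or an absolute `http://...` URI in place of a path), and reports how the server answered them. It also applies a check a defender would want before concluding the box is an open proxy: Apache answers an absolute-URI GET with its own resource for that path even without mod_proxy, which is why the quoted netcat probe returned the server's own "Index of /" page and why www.microsoft.com and www.intel.com both show the same 2770-byte answer in the logs. An accepted CONNECT (2xx) is the strongest open-proxy signal; identical byte counts across different "proxied" hosts point the other way. The sample lines are the ones quoted in the thread plus two constructed ordinary requests from a made-up client 10.0.0.5; the function names and verdict strings are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the log lines quoted in this thread (reflowed onto single
# lines) plus two ordinary local requests from an invented client, 10.0.0.5.
SAMPLE_LOG = """\
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "GET http://www.microsoft.com/ HTTP/1.0" 200 2770
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 405 228
65.117.101.194 - - [20/Nov/2007:09:25:39 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 260
61.152.255.46 - - [08/Sep/2007:13:24:07 -0500] "CONNECT www.google.com:443 HTTP/1.0" 405 231
222.217.221.214 - - [27/Oct/2007:13:57:45 -0500] "GET http://www.intel.com/ HTTP/1.1" 200 2770
89.122.48.186 - - [21/Nov/2007:12:42:36 -0600] "HEAD http://www.sun.com/ HTTP/1.1" 200 0
10.0.0.5 - - [08/Dec/2007:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [08/Dec/2007:10:00:01 +0000] "GET /style.css HTTP/1.1" 304 -
"""

# Apache common log format: client ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_proxy_style(method, target):
    """True for request lines a client only sends to a proxy: CONNECT host:port,
    or an absolute URI (http://host/...) where a normal client sends a path."""
    if method.upper() == "CONNECT":
        return True
    return target.lower().startswith(("http://", "https://"))


def triage(log_text):
    """Count proxy-style requests and how the server answered them."""
    summary = {
        "proxy_requests": 0,
        "proxy_2xx": 0,          # proxy-style requests answered with 2xx
        "connect_2xx": 0,        # CONNECT answered 2xx: tunnel accepted
        "rejected": 0,           # proxy-style requests answered 4xx/5xx etc.
        "clients": Counter(),    # who sent proxy-style requests, and how often
        "sizes_2xx": Counter(),  # body sizes of 2xx answers (HEAD excluded: no body)
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_proxy_style(rec["method"], rec["target"]):
            continue
        summary["proxy_requests"] += 1
        summary["clients"][rec["client"]] += 1
        if 200 <= rec["status"] < 300:
            summary["proxy_2xx"] += 1
            if rec["method"].upper() == "CONNECT":
                summary["connect_2xx"] += 1
            elif rec["method"].upper() != "HEAD":
                summary["sizes_2xx"][rec["size"]] += 1
        else:
            summary["rejected"] += 1
    return summary


def verdict(summary):
    """Turn the counts into a short finding; the strings are this example's own."""
    if summary["connect_2xx"]:
        return "open-proxy-likely: CONNECT tunnels were accepted"
    if summary["proxy_2xx"] and len(summary["sizes_2xx"]) == 1:
        return ("served-local-page: every absolute-URI GET got the same byte count, "
                "consistent with the server answering with its own page rather than relaying")
    if summary["proxy_2xx"]:
        return "inconclusive: absolute-URI requests got 2xx with varying sizes; probe the server directly"
    return "rejected-all: no proxy-style request succeeded"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for key in ("proxy_requests", "proxy_2xx", "connect_2xx", "rejected"):
        print(f"{key}: {s[key]}")
    print("clients:", dict(s["clients"]))
    print("2xx sizes:", dict(s["sizes_2xx"]))
    print("verdict:", verdict(s))
```

Run it against a real access log by passing the file contents to `triage()`; the "served-local-page" verdict is the situation this thread ends up in, and "open-proxy-likely" is the one the `apache2 -M` check for mod_proxy and the netcat probe to a remote page are meant to rule out.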