[SOLVED] A total of x sites probed the server
Posted: 2010/05/10 21:46:06
I have the following text in my logwatch report. This is new and has happened the past few days:
[code]
--------------------- httpd Begin ------------------------
A total of 2 sites probed the server
174.133.5.250
64.120.177.26
A total of 23 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):
http://purples.ycsns.com/bbs/view.asp?id=93544../../../../index.asp HTTP Response 302
http://billmackey.com/includes/forms/submit/../../../thanks.php HTTP Response 200
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../../../../../index.asp HTTP Response 302
http://www.post-ischgl.at/deutsch/ecard.php?bild=http://www.post-ischgl.at/pict/../css/../../../francais/../italiano/../francais/../francais/../css/ HTTP Response 200
http://purples.ycsns.com/bbs/view.asp?id=93544../../../../../../../../../../index.asp HTTP Response 302
http://hge888.ycsns.com/bbs/view.asp?action=Previous&id=93499/../../../../index.asp HTTP Response 302
http://hge888.ycsns.com/bbs/view.asp?action=Previous&id=93499/../../../../../../index.asp HTTP Response 302
http://hge888.ycsns.com/bbs/view.asp?action=Previous&id=93499/../../../../../../../../index.asp HTTP Response 302
http://0433.37rc.net/company/gadget/bulletins.asp?page=1&comid=119298&jobid=191086&companyname=%CA%C0%BC%CD%D1%C5%CB%BC%D1%D3%B1%DF%B7%D6%D0%A3&job=%D7%DC%BC%E0/%BE%AD%C0%ED/../../../../../../../../../../../../../../../../ HTTP Response 200
http://purples.ycsns.com/bbs/view.asp?id=93544../../../../../../../../index.asp HTTP Response 302
http://purples.ycsns.com/bbs/view.asp?id=93544../../../../../../index.asp HTTP Response 302
http://0433.37rc.net/company/gadget/bulletins.asp?page=1&comid=119298&jobid=191086&companyname=%CA%C0%BC%CD%D1%C5%CB%BC%D1%D3%B1%DF%B7%D6%D0%A3&job=%D7%DC%BC%E0/%BE%AD%C0%ED/../../../../../../../../../../../../../../../../showcompany.asp?companyid=119298 HTTP Response 200
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../index.asp HTTP Response 302
http://www.post-ischgl.at/deutsch/ecard.php?bild=http://www.post-ischgl.at/pict/../css/../../../francais/../italiano/../francais/../francais/../css/ecards.htm HTTP Response 200
http://www.mycv.pl/?p=rem_passwd HTTP Response 200
http://hge888.ycsns.com/bbs/view.asp?action=Previous&id=93499/../../../../../../../../../../index.asp HTTP Response 302
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../../../index.asp HTTP Response 302
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../../../../../../../index.asp HTTP Response 302
http://cleanwave.co.kr/clean/member/a.htm?prev=/../../../../../sitemap/../../../../index.htm HTTP Response 200
http://purples.ycsns.com/bbs/view.asp?id=93544../../../../../../../../../../../../index.asp HTTP Response 302
http://www.angelyuan.blog.xdnice.com/do.php?ac=lostpasswd HTTP Response 200
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../../../../../../../../../index.asp HTTP Response 302
http://www.veritaaq.ca/sections/careers/sections/subscribenotify/../../../../sections/careers/sections/careerslogin/index.php?VTQLANG=eng&type=SubscribeNotify HTTP Response 200
[/code]
In my httpd access_log, I see stuff such as:
[code]
64.120.177.26 - - [09/May/2010:04:03:41 -0500] "GET http://www.moneyhighstreet.com/investing/ HTTP/1.1" 200 16204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:42 -0500] "GET http://www.flashlightworthybooks.com/q/incidents-in-the-life-of-a-slave-girl/ HTTP/1.1" 404 552 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:42 -0500] "GET http://www.moneyhighstreet.com/blogs/ HTTP/1.1" 200 17381 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:43 -0500] "GET http://www.flashlightworthybooks.com/Best-Historical-Mystery-Books/600 HTTP/1.1" 200 82970 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:43 -0500] "GET http://www.moneyhighstreet.com/finance-news/ HTTP/1.1" 200 32140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:44 -0500] "GET http://www.flashlightworthybooks.com/The-Best-Books-for-Lovers-of-Henry-David-Thoreau-Walden/601 HTTP/1.1" 200 70813 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:45 -0500] "GET http://www.flashlightworthybooks.com/Holocaust-Non-Fiction-for-Children-Kids/604 HTTP/1.1" 200 69903 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:45 -0500] "GET http://www.moneyhighstreet.com/feature/how-to-buy-home-insurance/ HTTP/1.1" 200 21321 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:46 -0500] "GET http://www.flashlightworthybooks.com/category/Americana-best-book-lists/6 HTTP/1.1" 200 56674 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:46 -0500] "GET http://www.moneyhighstreet.com/high-net-worth-insurance-advice.php/ HTTP/1.1" 200 10769 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:47 -0500] "GET http://www.flashlightworthybooks.com/category/Award-Winners-best-book-lists/59 HTTP/1.1" 200 56294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:48 -0500] "GET http://www.flashlightworthybooks.com/category/Best-Books-of-2009/121 HTTP/1.1" 200 52669 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:47 -0500] "GET http://www.moneyhighstreet.com/high-net-worth-insurance/how-to-buy-high-net-worth-home-insurance/ HTTP/1.1" 200 25802 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:49 -0500] "GET http://www.flashlightworthybooks.com/category/Best-of-best-book-lists/16 HTTP/1.1" 200 73124 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:49 -0500] "GET http://www.mpconsulenze.it/mpconsulenze/index.php HTTP/1.1" 404 1446 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:43 -0500] "GET http://www.eeyedating.com/index.php?dll=classads&sub=search HTTP/1.1" 302 46806 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:50 -0500] "GET http://www.eeyedating.com/index.php?dll=subscribe HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:50 -0500] "GET http://www.flashlightworthybooks.com/category/Biography-Memoir-best-book-lists/9 HTTP/1.1" 200 54346 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:50 -0500] "GET http://www.eeyedating.com/index.php?dll=login&errorid=%C7%EB%CF%C8%B5%C7%C2%BD%CA%B9%D3%C3%B4%CB%B9%A6%C4%DC!**1 HTTP/1.1" 200 19082 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
[/code]
I have two primary concerns here:
1.) Many of these requests are returning an HTTP 200 status, meaning it was a SUCCESSFUL request.
2.) The hostnames in these URLs are NOT my server. I've never heard of them. How could a request for some other hostname against my server return successfully?
Out of curiosity, I tried to reproduce this problem a couple ways:
* I tried telnetting to my webserver on port 80 and issuing the same GET requests I see in my access logs. However, the same GET requests that show status 200 in my access_logs returned a 404 when I tried this method.
* I tried adding some of the above hostnames to my client machine's /etc/hosts file, pointing them to my webserver's IP, and then accessing them with Firefox. Again, the same URLs that show status 200 in my logs came back with 404 not found. Can someone tell me how these guys are getting HTTP 200 responses from these requests?
Thanks,
-Jeremy
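The request lines in the access_log excerpt above carry an absolute URI (scheme plus host) instead of a plain path, which is the request form a client sends to a proxy rather than to an origin server. As an added example that is not part of the thread, the following Python script parses Apache combined-format lines, flags entries whose absolute-URI host is not one of the server's own names and entries whose percent-decoded target contains a `..` segment (the strings logwatch matched), and tallies both per client IP so the two behaviours can be told apart. The sample log lines, the OWN_HOSTS set and the host www.example.org are constructed for the example; the 64.120.177.26 and 174.133.5.250 addresses are the ones logwatch reported in the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format, the layout used by the access_log excerpt in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A ".." segment followed by a separator or the end of the string, as in "93544../../index.asp".
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')

# Constructed: the names this server legitimately answers for.
OWN_HOSTS = {"www.example.org", "example.org"}

# Constructed sample lines modelled on the post's access_log (not copied from a real server).
SAMPLE_LOG = """\
64.120.177.26 - - [09/May/2010:04:03:41 -0500] "GET http://www.moneyhighstreet.com/investing/ HTTP/1.1" 200 16204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
174.133.5.250 - - [09/May/2010:04:05:12 -0500] "GET http://purples.ycsns.com/bbs/view.asp?id=93544../../../../index.asp HTTP/1.1" 302 - "-" "Mozilla/4.0"
10.0.0.7 - - [09/May/2010:04:06:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.19"
10.0.0.8 - - [09/May/2010:04:06:05 -0500] "GET /images/..%2f..%2fprivate/config HTTP/1.1" 404 512 "-" "curl/7.19"
10.0.0.9 - - [09/May/2010:04:06:09 -0500] "GET http://www.example.org/about/ HTTP/1.1" 200 2048 "-" "curl/7.19"
"""


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so that ..%2f or %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, own_hosts):
    """Flag one parsed entry as a proxy-style request and/or a traversal attempt."""
    target = entry["target"]
    try:
        parts = urlsplit(target)
        # scheme + netloc present means the client sent the proxy form of the request line.
        is_absolute = parts.scheme in ("http", "https") and bool(parts.netloc)
        host = parts.hostname.lower() if is_absolute and parts.hostname else None
        path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    except ValueError:  # malformed netloc (e.g. unbalanced IPv6 brackets)
        is_absolute, host, path_and_query = False, None, target
    status = int(entry["status"])
    return {
        "ip": entry["ip"],
        "host": host,
        "status": status,
        # Absolute URI for a host that is not ours: the client asked us to fetch a third party.
        "proxy_request": is_absolute and host not in own_hosts,
        "traversal": bool(TRAVERSAL_RE.search(decode_fully(path_and_query))),
        # Only a 2xx/3xx means the server did something with the request; 4xx was refused.
        "served": 200 <= status < 400,
    }


def summarize(log_text, own_hosts):
    """Count proxy-style and traversal requests per client IP over a block of log text."""
    own = {h.lower() for h in own_hosts}
    report = {"proxy_by_ip": {}, "traversal_by_ip": {}, "unparsed": 0, "flagged": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            report["unparsed"] += 1
            continue
        c = classify(entry, own)
        if c["proxy_request"]:
            report["proxy_by_ip"][c["ip"]] = report["proxy_by_ip"].get(c["ip"], 0) + 1
        if c["traversal"]:
            report["traversal_by_ip"][c["ip"]] = report["traversal_by_ip"].get(c["ip"], 0) + 1
        if c["proxy_request"] or c["traversal"]:
            report["flagged"].append((c["ip"], entry["target"], c["status"], c["served"]))
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG, OWN_HOSTS)
    print("proxy-style requests per IP:", r["proxy_by_ip"])
    print("traversal attempts per IP:  ", r["traversal_by_ip"])
    for ip, target, status, served in r["flagged"]:
        print(f"{ip:15} {status} served={served} {target}")
```

Run it against a real access_log with `summarize(open("/var/log/httpd/access_log").read(), OWN_HOSTS)` after filling OWN_HOSTS with the server's ServerName and ServerAlias values. The `served` flag is the useful one for the question in the post: a 200 or 302 on a proxy-style request shows the server accepted the request rather than rejecting it, whereas the 404s the poster saw when replaying the URLs as ordinary path requests are a different code path and do not reproduce that condition.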