[SOLVED] A total of x sites probed the server

irwinr12
Posts: 2
Joined: 2010/05/10 12:14:07

[SOLVED] A total of x sites probed the server

Post by irwinr12 » 2010/05/10 21:46:06

I have the following text in my logwatch report. This is new and has happened the past few days:


[code]
--------------------- httpd Begin ------------------------


A total of 2 sites probed the server
174.133.5.250
64.120.177.26

A total of 23 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

http://purples.ycsns.com/bbs/view.asp?id=93544../../../../index.asp HTTP Response 302
http://billmackey.com/includes/forms/submit/../../../thanks.php HTTP Response 200
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../../../../../index.asp HTTP Response 302
http://www.post-ischgl.at/deutsch/ecard.php?bild=http://www.post-ischgl.at/pict/../css/../../../francais/../italiano/../francais/../francais/../css/ HTTP Response 200
http://purples.ycsns.com/bbs/view.asp?id=93544../../../../../../../../../../index.asp HTTP Response 302
http://hge888.ycsns.com/bbs/view.asp?action=Previous&id=93499/../../../../index.asp HTTP Response 302
http://hge888.ycsns.com/bbs/view.asp?action=Previous&id=93499/../../../../../../index.asp HTTP Response 302
http://hge888.ycsns.com/bbs/view.asp?action=Previous&id=93499/../../../../../../../../index.asp HTTP Response 302
http://0433.37rc.net/company/gadget/bulletins.asp?page=1&comid=119298&jobid=191086&companyname=%CA%C0%BC%CD%D1%C5%CB%BC%D1%D3%B1%DF%B7%D6%D0%A3&job=%D7%DC%BC%E0/%BE%AD%C0%ED/../../../../../../../../../../../../../../../../ HTTP Response 200
http://purples.ycsns.com/bbs/view.asp?id=93544../../../../../../../../index.asp HTTP Response 302
http://purples.ycsns.com/bbs/view.asp?id=93544../../../../../../index.asp HTTP Response 302
http://0433.37rc.net/company/gadget/bulletins.asp?page=1&comid=119298&jobid=191086&companyname=%CA%C0%BC%CD%D1%C5%CB%BC%D1%D3%B1%DF%B7%D6%D0%A3&job=%D7%DC%BC%E0/%BE%AD%C0%ED/../../../../../../../../../../../../../../../../showcompany.asp?companyid=119298 HTTP Response 200
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../index.asp HTTP Response 302
http://www.post-ischgl.at/deutsch/ecard.php?bild=http://www.post-ischgl.at/pict/../css/../../../francais/../italiano/../francais/../francais/../css/ecards.htm HTTP Response 200
http://www.mycv.pl/?p=rem_passwd HTTP Response 200
http://hge888.ycsns.com/bbs/view.asp?action=Previous&id=93499/../../../../../../../../../../index.asp HTTP Response 302
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../../../index.asp HTTP Response 302
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../../../../../../../index.asp HTTP Response 302
http://cleanwave.co.kr/clean/member/a.htm?prev=/../../../../../sitemap/../../../../index.htm HTTP Response 200
http://purples.ycsns.com/bbs/view.asp?id=93544../../../../../../../../../../../../index.asp HTTP Response 302
http://www.angelyuan.blog.xdnice.com/do.php?ac=lostpasswd HTTP Response 200
http://guoguo.ycsns.com/bbs/view.asp?action=Previous&id=50697../../../../../../../../../../../../index.asp HTTP Response 302
http://www.veritaaq.ca/sections/careers/sections/subscribenotify/../../../../sections/careers/sections/careerslogin/index.php?VTQLANG=eng&type=SubscribeNotify HTTP Response 200
[/code]


In my httpd access_log, I see stuff such as:

[code]
64.120.177.26 - - [09/May/2010:04:03:41 -0500] "GET http://www.moneyhighstreet.com/investing/ HTTP/1.1" 200 16204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:42 -0500] "GET http://www.flashlightworthybooks.com/q/incidents-in-the-life-of-a-slave-girl/ HTTP/1.1" 404 552 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:42 -0500] "GET http://www.moneyhighstreet.com/blogs/ HTTP/1.1" 200 17381 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:43 -0500] "GET http://www.flashlightworthybooks.com/Best-Historical-Mystery-Books/600 HTTP/1.1" 200 82970 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:43 -0500] "GET http://www.moneyhighstreet.com/finance-news/ HTTP/1.1" 200 32140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:44 -0500] "GET http://www.flashlightworthybooks.com/The-Best-Books-for-Lovers-of-Henry-David-Thoreau-Walden/601 HTTP/1.1" 200 70813 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:45 -0500] "GET http://www.flashlightworthybooks.com/Holocaust-Non-Fiction-for-Children-Kids/604 HTTP/1.1" 200 69903 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:45 -0500] "GET http://www.moneyhighstreet.com/feature/how-to-buy-home-insurance/ HTTP/1.1" 200 21321 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:46 -0500] "GET http://www.flashlightworthybooks.com/category/Americana-best-book-lists/6 HTTP/1.1" 200 56674 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:46 -0500] "GET http://www.moneyhighstreet.com/high-net-worth-insurance-advice.php/ HTTP/1.1" 200 10769 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:47 -0500] "GET http://www.flashlightworthybooks.com/category/Award-Winners-best-book-lists/59 HTTP/1.1" 200 56294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:48 -0500] "GET http://www.flashlightworthybooks.com/category/Best-Books-of-2009/121 HTTP/1.1" 200 52669 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:47 -0500] "GET http://www.moneyhighstreet.com/high-net-worth-insurance/how-to-buy-high-net-worth-home-insurance/ HTTP/1.1" 200 25802 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:49 -0500] "GET http://www.flashlightworthybooks.com/category/Best-of-best-book-lists/16 HTTP/1.1" 200 73124 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:49 -0500] "GET http://www.mpconsulenze.it/mpconsulenze/index.php HTTP/1.1" 404 1446 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:43 -0500] "GET http://www.eeyedating.com/index.php?dll=classads&sub=search HTTP/1.1" 302 46806 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:50 -0500] "GET http://www.eeyedating.com/index.php?dll=subscribe HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:50 -0500] "GET http://www.flashlightworthybooks.com/category/Biography-Memoir-best-book-lists/9 HTTP/1.1" 200 54346 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.120.177.26 - - [09/May/2010:04:03:50 -0500] "GET http://www.eeyedating.com/index.php?dll=login&errorid=%C7%EB%CF%C8%B5%C7%C2%BD%CA%B9%D3%C3%B4%CB%B9%A6%C4%DC!**1 HTTP/1.1" 200 19082 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
[/code]

I have two primary concerns here:

1.) Many of these requests are returning an HTTP 200 status, meaning it was a SUCCESSFUL request.
2.) The hostnames in these URLs are NOT my server. I've never heard of them. How could a request for some other hostname against my server return successfully?

Out of curiosity, I tried to reproduce this problem a couple ways:

* I tried telnetting to my webserver on port 80 and issuing the same GET requests I see in my access logs. However, the same GET requests that show status 200 in my access_logs returned a 404 when I tried this method.
* I tried adding some of the above hostnames to my client machine's /etc/hosts file, pointing them to my webserver's IP, and then accessing them with Firefox. Again, the same URLs that show status 200 in my logs came back with 404 not found. Can someone tell me how these guys are getting HTTP 200 responses from these requests?

Thanks,
-Jeremy
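Added example, not from the thread: a small parser for Apache combined-format access_log lines that separates ordinary requests (`GET /path HTTP/1.1`) from requests the client asked the server to forward on its behalf, which Apache logs with the absolute URL of the other site (`GET http://other-host/path HTTP/1.1`). The three 64.120.177.26 lines are copied from the access_log excerpt above; the 203.0.113.7 line is constructed as a normal local request. A proxied request answered with a 2xx/3xx status is the indicator that the server actually relayed traffic somewhere else.

```python
"""Spot requests that were proxied *through* an Apache server rather than
served by it, using combined-format access_log lines.

Added example (not from the forum thread). A request line whose target is an
absolute URL (http://host/...) is one the client asked the server to forward
as a proxy; a target starting with "/" is a request for the server itself.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three lines from the thread's access_log excerpt plus one
# ordinary request (203.0.113.7 is a documentation address, not a real client).
SAMPLE_LOG = [
    '64.120.177.26 - - [09/May/2010:04:03:41 -0500] "GET http://www.moneyhighstreet.com/investing/ HTTP/1.1" 200 16204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '64.120.177.26 - - [09/May/2010:04:03:42 -0500] "GET http://www.flashlightworthybooks.com/q/incidents-in-the-life-of-a-slave-girl/ HTTP/1.1" 404 552 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '64.120.177.26 - - [09/May/2010:04:03:50 -0500] "GET http://www.eeyedating.com/index.php?dll=subscribe HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '203.0.113.7 - - [09/May/2010:04:05:00 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.19.7"',
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse.

    Adds two derived fields: 'proxied' (target is an absolute URL) and
    'dest_host' (the host the server was asked to reach, or None).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proxied"] = rec["target"].startswith(("http://", "https://"))
    rec["dest_host"] = urlsplit(rec["target"]).hostname if rec["proxied"] else None
    return rec


def summarize(lines):
    """Per-client counts of proxied vs. local requests, plus a Counter of
    (client, destination host) pairs that the server relayed successfully
    (2xx/3xx). A 404 from the far side is still a relayed request, but it
    is the successful ones that prove the open proxy is usable."""
    per_client = defaultdict(lambda: {"proxied": 0, "local": 0})
    relayed = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real tool would count these
        per_client[rec["ip"]]["proxied" if rec["proxied"] else "local"] += 1
        if rec["proxied"] and rec["status"][0] in "23":
            relayed[(rec["ip"], rec["dest_host"])] += 1
    return dict(per_client), relayed


def open_proxy_suspected(lines):
    """True when at least one proxied request was answered with 2xx/3xx."""
    _, relayed = summarize(lines)
    return sum(relayed.values()) > 0


if __name__ == "__main__":
    clients, relayed = summarize(SAMPLE_LOG)
    for ip, counts in clients.items():
        print(f"{ip}: {counts['proxied']} proxied, {counts['local']} local")
    for (ip, host), n in relayed.items():
        print(f"  relayed {n}x for {ip} -> {host}")
    print("open proxy suspected:", open_proxy_suspected(SAMPLE_LOG))
```

The telnet and /etc/hosts experiments in the post could not reproduce the 200s because both send the path-only form of the request; only the absolute-URL form triggers proxy handling, which is exactly what this parser keys on.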

wedgeshot
Posts: 17
Joined: 2010/01/27 04:25:53

Re: A total of x sites probed the server

Post by wedgeshot » 2010/05/11 03:43:44

Hmmm.. First look back at your server for changes as you could be an open proxy. Look in your httpd config for "Proxy" directive sections.

Another way to tell is to configure your desktop browser's proxy settings with your web server's IP/name and port,
and then send a few good known requests and also some invalid crazy requests and see what happens on your web server.

irwinr12
Posts: 2
Joined: 2010/05/10 12:14:07

Re: A total of x sites probed the server

Post by irwinr12 » 2010/05/11 12:50:14

Never mind, I'm an idiot....

A few weeks ago, I set up webmin on my server. I can't access port 10000 from work, so I wanted to set up webmin behind an apache proxy. I followed the instructions on the Webmin site for setting up Webmin behind an Apache proxy, and when I was uncommenting the mod_proxy lines in httpd.conf:

[code]
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Proxy>
[/code]

I followed the directions that said "Uncomment the following lines to enable the proxy server:" without realising that I only needed to uncomment the "" line. So with "ProxyRequests On" my server became a slave to a number of remote attacks being launched against other sites.

Someone should really clarify the comments in httpd.conf to indicate that not all of those lines need to be uncommented for a 'Reverse' proxy, which is what I was trying to set up. Forward proxies will forward requests to *any* site.

The httpd access_logs should also make it more clear that the GET requests being logged aren't against my server but instead being *proxied* through the server. The requests look identical to regular GET requests aside from the fact that a hostname is included. It took me far too long to figure out what was going on.

-Jeremy
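Added example, not from the thread or from the Apache or Webmin projects: a small auditor that reads an httpd.conf, ignores commented-out lines, and reports whether the directives actually in force make the server a forward proxy (`ProxyRequests On`, which relays requests to any host) or only a reverse proxy (`ProxyPass` mappings to fixed backends). Two constructed configs are included: the thread's fragment with every line uncommented, and a reverse-proxy-only version with `ProxyRequests Off`. The `/webmin/` to `localhost:10000` mapping is an illustrative assumption, not copied from the Webmin documentation.

```python
"""Audit an Apache httpd.conf for forward-proxy exposure.

Added example (not from the forum thread). It strips comments, tracks
<Section ...> nesting, and classifies the effective proxy configuration.
"""
import re

SECTION_OPEN = re.compile(r'^<(\w+)(?:\s+[^>]*)?>$')   # e.g. <Proxy *>, <IfModule mod_proxy.c>
SECTION_CLOSE = re.compile(r'^</(\w+)>$')              # e.g. </Proxy>

# Constructed: the thread's fragment with *every* line uncommented, which is
# what the original poster did. ProxyRequests On makes this a forward proxy.
MISCONFIGURED = """\
LoadModule proxy_module modules/mod_proxy.so
<IfModule mod_proxy.c>
ProxyRequests On

<Proxy *>
    Order deny,allow
    Deny from all
    Allow from .example.com
</Proxy>
</IfModule>
"""

# Constructed: reverse proxy only. ProxyRequests stays Off and a single path is
# mapped to one backend (the /webmin/ -> localhost:10000 mapping is assumed).
CORRECTED = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPass /webmin/ http://localhost:10000/webmin/
ProxyPassReverse /webmin/ http://localhost:10000/webmin/
</IfModule>
"""


def effective_directives(conf_text):
    """Yield (section_path, directive, args) for every directive that is in
    force, i.e. not commented out. section_path is the tuple of enclosing
    section openers, so a directive inside <Proxy *> can be told apart from
    one at top level."""
    stack = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache treats a leading '#' as a whole-line comment
        if SECTION_OPEN.match(line):
            stack.append(line)
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        parts = line.split(None, 1)
        yield tuple(stack), parts[0], (parts[1] if len(parts) > 1 else "")


def audit_proxy_config(conf_text):
    """Classify the proxy setup: 'forward-proxy', 'reverse-proxy' or 'none'.

    Also returns the ProxyPass mappings and any access-control directives
    found inside a <Proxy ...> section, which is where a forward proxy would
    have to be restricted if it were ever intentionally enabled."""
    report = {"proxy_requests_on": False, "proxy_pass": [], "proxy_acl": []}
    for path, directive, args in effective_directives(conf_text):
        d = directive.lower()
        if d == "proxyrequests":
            report["proxy_requests_on"] = args.strip().lower() == "on"
        elif d == "proxypass":
            report["proxy_pass"].append(args.strip())
        elif d in ("order", "deny", "allow", "require") and any(
            p.lower().startswith("<proxy") for p in path
        ):
            report["proxy_acl"].append(f"{directive} {args.strip()}")
    if report["proxy_requests_on"]:
        report["verdict"] = "forward-proxy"
    elif report["proxy_pass"]:
        report["verdict"] = "reverse-proxy"
    else:
        report["verdict"] = "none"
    return report


if __name__ == "__main__":
    for label, conf in (("as uncommented in the thread", MISCONFIGURED), ("reverse proxy only", CORRECTED)):
        r = audit_proxy_config(conf)
        print(f"{label}: {r['verdict']}; ProxyPass={r['proxy_pass']}; <Proxy> ACL={r['proxy_acl']}")
```

The point of the check is the one the post makes: a reverse proxy needs `ProxyPass` (and usually `ProxyPassReverse`) but never `ProxyRequests On`; the `<Proxy *>` access-control block only matters once forward proxying is switched on.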

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: [SOLVED] A total of x sites probed the server

Post by AlanBartlett » 2010/05/11 16:48:29

Thank you for reporting back with your findings.

For the sake of posterity, this thread is now marked [SOLVED].

richard_chapman
Posts: 252
Joined: 2006/09/08 02:54:11

[SOLVED] A total of x sites probed the server

Post by richard_chapman » 2011/12/19 03:15:09

I'm not sure of the etiquette here - whether it is good to post back to a "solved" thread but...

I have similar log entries - but in my case I checked httpd.conf - and I don't have any of the mod_proxy lines enabled. Specifically, here are my log entries:

[code]
Connection attempts using mod_proxy:
187.0.79.49 -> www.fbi.gov:80: 1 Time(s)

A total of 5 sites probed the server
121.219.224.65
124.183.191.137
182.249.43.94
187.0.79.49
69.162.70.2

A total of 3 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

/?file=../../../../../../proc/self/environ%00 HTTP Response 200
/?mod=../../../../../../proc/self/environ%00 HTTP Response 200
/?page=../../../../../../proc/self/environ%00 HTTP Response 200

Requests with error response codes
400 Bad Request
/../../../../../../../../boot.ini: 1 Time(s)
/../../../../../../../../etc/passwd: 1 Time(s)
null: 3 Time(s)
403 Forbidden
/: 4 Time(s)
http://www.fbi.gov/: 1 Time(s)
[/code]

And here is the relevant bit of httpd.conf:

[code]
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#
#ProxyRequests On
#
#
# Order deny,allow
# Deny from all
# Allow from .example.com
#
[/code]

I hope this isn't relevant - but squid is running on this machine. It is intended to only respond to "local" requests.

Do you think I have anything to worry about - and in either case - any suggestions how I fix this?

Thanks

Richard.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: [SOLVED] A total of x sites probed the server

Post by pschaff » 2011/12/23 23:44:59

[quote]
richard_chapman wrote:
I'm not sure of the etiquette here - whether it is good to post back to a "solved" thread but...[/quote]
No - it is known as thread hijacking, and is warned against in the recommended reading - [url=http://www.centos.org/modules/newbb/viewtopic.php?topic_id=28726&forum=54]Readme First[/url].

I see your
[url=https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=34823&forum=42]new thread[/url] has yielded some results.
