F19: Is this an httpd attack attempt?
lee
lee at yun.yagibdah.de
Wed Mar 5 01:51:00 UTC 2014
"eoconnor25 at gmail.com" <eoconnor25 at gmail.com> writes:
> What's the best way to avoid/prevent this from happening?...
>
> ----- Reply message -----
> From: "Mark Haney" <mhaney at practichem.com>
> To: <users at lists.fedoraproject.org>
> Subject: F19: Is this an httpd attack attempt?
> Date: Mon, Mar 3, 2014 11:59 am
>
>
>
>
> On 03/03/14 11:42, Dan Thurman wrote:
>>
>> It looks to me like a successful indirect connection?
>>
>> The following is taken from /var/log/httpd/access_log
>>
>> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
>> http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
>>
>>
> HTTP/1.1" 200 5264 "-" "-"
>>
>
> It certainly looks that way. I see several of those kinds of GETs a
> day on our web servers. Not from that particular domain, but similar
> types of GETs.
>
> A quick google points to similar GET requests to that domain as far
> back as 2011, and the domain itself isn't live, just a placeholder for
> parked domain.
Could someone please explain why/how this may be considered as an attack
or at least as something bad? Someone requesting an URL from a web
server that doesn´t serve this URL --- or doesn´t serve the specified
domain at all --- could be caused by incorrect responses from name
servers, couldn´t it?
What is it in particular that would distinguish the request in question
from others?
--
Fedora release 20 (Heisenbug)
More information about the users
mailing list