F19: Is this an httpd attack attempt?

Wed Mar 5 14:41:29 UTC 2014

Allegedly, on or about 05 March 2014, lee sent:
> Could someone please explain why/how this may be considered as an
> attack or at least as something bad?

Have a look at the log line that the original poster sent:

185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"

look above here, where the carats are at the end of these hyphens ---------------------------------------------------------------------^^^

That "200" means a successful result, rather than a failure.  In other
words, what they tried to do, they did.

You'd want nefarious attempts to fail.  If it failed, there'd be a
different HTTP response code, there (one of the four-hundreds or
five-hundreds, depending on whether it's a client error, or server
error).

> Someone requesting an URL from a web server that doesn´t serve this
> URL --- or doesn´t serve the specified domain at all --- could be
> caused by incorrect responses from name servers, couldn´t it?

Not, like that.  Say, for example, I try to get this page from a
website:  www.example.com/pages/test.html  The browser will connect to
example.com (presuming that DNS is working), and then it will try to
GET /pages/test.html.  The domain name will not be in the GET request.

e.g. That log line would have looked like:

185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET /?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"

As a more normal use of a webserver.

Even requests made of virtual hosts, don't put the domain name into the
GET request.  Hostnames are handled elsewhere in the connection (during
the connection, not at the request after the connection).

And even something like crap webmastering/typing, that did something
wrong like trying to connect to:

 http://www.example.com/http://www.example.com/pages/test.html

Would result in a different appearance in the log.  You'd see it
prepended with a slash, and a 404 error code instead of 200.

192.168.1.181 - - [06/Mar/2014:01:06:17 +1030] "GET /http://www.example.com/pages/test.html. HTTP/1.1" 404 407 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36"

-- 
[tim at localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.