F19: Is this an httpd attack attempt?
Tom Rivers
tom at impact-crater.com
Wed Mar 5 15:45:53 UTC 2014
On 3/5/2014 09:41, Tim wrote:
> Allegedly, on or about 05 March 2014, lee sent:
>> Could someone please explain why/how this may be considered as an
>> attack or at least as something bad?
> Have a look at the log line that the original poster sent:
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>
> look above here, where the carets are at the end of these hyphens ---------------------------------------------------------------------^^^
>
> That "200" means a successful result, rather than a failure. In other
> words, what they tried to do, they did.
I've been following this discussion and decided to do some digging
myself because I run several web servers and security is important to
me. I want to share what I've found to hopefully help determine what is
happening here and ensure all of us are adequately protected. Since I
have two Linux web servers at my disposal, I used one as the proxy host
and one as the target host so I could examine the logs of both servers
and see what really happened.
The first thing I needed to do was replicate the attempt. After poking
around a bit, I came across the following example that anyone can use to
simulate this "attack":
curl -x proxyhostdomainname:80 http://targethostdomainname
Executing this command makes a request to the proxyhostdomainname server
and asks it to fetch the page at the targethostdomainname server. After
executing this command, I got the following output in the apache server
access log on the proxyhostdomainname server:
XXX.XXX.XXX.XXX - - [05/Mar/2014:09:29:31 -0600] "GET http://targethostdomainname HTTP/1.1" 200 199
The address XXX.XXX.XXX.XXX corresponds to the third Linux system I was
using to simulate the attack. I also noted that the HTML source of the
default page hosted at proxyhostdomainname was displayed in my terminal
screen as a result of the curl command.
Now that I had successfully simulated the attack signature in the log
file of the proxy web server, I logged into the target web server and
looked at its access log. Thankfully I found no log of any activity
from my XXX.XXX.XXX.XXX workstation IP. Not wanting to leave any stone
unturned, I did a "tail -f" on the log file of the target web server and
performed the same test again. I got the same results.
Tom
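As an added example (not code from this thread or its posters), here is a small Python scan over Apache access-log lines that picks out the signature Tim pointed at: a request target that is an absolute URI for a host the server does not serve, together with the status code. The own_hosts set and the sample lines other than the quoted one are constructed; a 200 is only flagged for review, since Tom's test shows the server may answer 200 with its own default page without forwarding anything.

```python
import re
from typing import Optional

# Apache common/combined log line, as quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Absolute-form request target ("GET http://host/..."), the proxy-style request.
ABS_URI_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^/:]+)', re.I)


def classify(line: str, own_hosts: set) -> Optional[dict]:
    """Describe a proxy-style request, or return None for ordinary traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = ABS_URI_RE.match(m.group("target"))
    if not u:
        return None            # origin-form target ("/index.html"): normal request
    host = u.group("host").lower()
    if host in own_hosts:
        return None            # absolute URI for a site we serve: harmless
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "host": host,
        "status": status,
        # 200 means the server answered, not necessarily that it forwarded the
        # request; confirm against the target host's log, as Tom did.
        "review": status == 200,
    }


def scan(lines, own_hosts):
    """Return the classified hits for all proxy-style lines in the input."""
    return [c for c in (classify(l, own_hosts) for l in lines) if c]


# Constructed sample log lines; the first is the line quoted in the thread.
SAMPLE = [
    '185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"',
    '203.0.113.7 - - [05/Mar/2014:09:30:02 -0600] "GET http://example.net/ HTTP/1.1" 403 199 "-" "curl/7.35"',
    '198.51.100.9 - - [05/Mar/2014:09:31:11 -0600] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Mar/2014:09:31:12 -0600] "GET http://www.example.org/about HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE, {"www.example.org"}):
        print(hit)
```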