F19: Is this an httpd attack attempt?

Tom Rivers tom at impact-crater.com
Wed Mar 5 15:45:53 UTC 2014


On 3/5/2014 09:41, Tim wrote:
> Allegedly, on or about 05 March 2014, lee sent:
>> Could someone please explain why/how this may be considered as an
>> attack or at least as something bad?
> Have a look at the log line that the original poster sent:
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>
> look above here, where the carets are at the end of these hyphens ---------------------------------------------------------------------^^^
>
> That "200" means a successful result, rather than a failure.  In other
> words, what they tried to do, they did.

I've been following this discussion and decided to do some digging 
myself because I run several web servers and security is important to 
me.  I want to share what I've found to hopefully help determine what is 
happening here and ensure all of us are adequately protected.  Since I 
have two Linux web servers at my disposal, I used one as the proxy host 
and one as the target host so I could examine the logs of both servers 
and see what really happened.

The first thing I needed to do was to replicate the attempt.  After poking 
around a bit, I came across the following example that anyone can use to 
simulate this "attack":

curl -x proxyhostdomainname:80 http://targethostdomainname

Executing this command makes a request to the proxyhostdomainname server 
and asks it to fetch the page at the targethostdomainname server.  After 
executing this command, I got the following output in the apache server 
access log on the proxyhostdomainname server:

XXX.XXX.XXX.XXX - - [05/Mar/2014:09:29:31 -0600] "GET http://targethostdomainname HTTP/1.1" 200 199

The address XXX.XXX.XXX.XXX corresponds to the third Linux system I was 
using to simulate the attack.  I also noted that the HTML source of the 
default page hosted at proxyhostdomainname was displayed in my terminal 
screen as a result of the curl command.

Now that I had successfully simulated the attack signature in the log 
file of the proxy web server, I logged into the target web server and 
looked at its access log.  Thankfully I found no log of any activity 
from my XXX.XXX.XXX.XXX workstation IP.  Not wanting to leave any stone 
unturned, I did a "tail -f" on the log file of the target web server and 
performed the same test again.  I got the same results.


Tom
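As an added example (not from the thread or any poster), here is the detection side of what Tom reproduced: a Python parser that picks absolute-URI request lines out of an Apache access log, skips those that name a host the server actually serves, and counts probes per client IP so a fail2ban-style threshold can be applied. The `served_hosts` set and the sample log lines are constructed assumptions; the status code is carried through rather than interpreted, since Tom's test shows a 200 in the proxy log does not by itself prove the target was fetched.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common/combined log prefix: client, ident, user, time, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# An absolute URI (scheme://host/...) as the request target is the form a client
# sends to a forward proxy; an ordinary origin request starts with "/".
ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

def parse_line(line):
    """Return the parsed fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def proxy_probe(line, served_hosts):
    """Return (client_ip, requested_host, status) for a proxy-style request
    aimed at a host this server does not serve; None otherwise."""
    rec = parse_line(line)
    if rec is None or not ABSOLUTE_URI_RE.match(rec["target"]):
        return None
    host = (urlsplit(rec["target"]).hostname or "").lower()
    if host in served_hosts:
        return None  # absolute URI for our own vhost is legal HTTP/1.1, not a probe
    return rec["ip"], host, rec["status"]

def probe_counts(lines, served_hosts):
    """Probes per client IP: the count a fail2ban-style ban threshold is applied to."""
    hits = Counter()
    for line in lines:
        found = proxy_probe(line, served_hosts)
        if found:
            hits[found[0]] += 1
    return hits

# Constructed sample lines; addresses and hosts are documentation placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Mar/2014:07:27:49 -0800] "GET http://open-proxy-check.example/?PHPSESSID=abc HTTP/1.1" 200 5264 "-" "-"',
    '203.0.113.7 - - [03/Mar/2014:07:27:50 -0800] "GET http://another.example/ HTTP/1.1" 200 199',
    '198.51.100.4 - - [03/Mar/2014:07:28:01 -0800] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.4 - - [03/Mar/2014:07:28:02 -0800] "GET http://www.example.com/ HTTP/1.1" 200 1024',
]
```

Running `probe_counts(SAMPLE_LOG, {"www.example.com"})` yields two probes from 203.0.113.7 and none from 198.51.100.4, whose absolute-URI request named a served host.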

