F19: Is this an httpd attack attempt?

lee lee at yun.yagibdah.de
Thu Mar 6 10:45:07 UTC 2014


Tim <ignored_mailbox at yahoo.com.au> writes:

> Allegedly, on or about 05 March 2014, lee sent:
>> Could someone please explain why/how this may be considered as an
>> attack or at least as something bad?
>
> Have a look at the log line that the original poster sent:
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>
> look above here, where the carets are at the end of these hyphens ---------------------------------------------------------------------^^^
>
> That "200" means a successful result, rather than a failure.  In other
> words, what they tried to do, they did.

Yes --- I was wondering if perhaps some sort of error page might have
been served.

>> Someone requesting a URL from a web server that doesn't serve this
>> URL --- or doesn't serve the specified domain at all --- could be
>> caused by incorrect responses from name servers, couldn't it?
>
> Not, like that.  Say, for example, I try to get this page from a
> website:  www.example.com/pages/test.html  The browser will connect to
> example.com (presuming that DNS is working), and then it will try to
> GET /pages/test.html.  The domain name will not be in the GET request.
>
> e.g. That log line would have looked like:
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET /?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>
> As a more normal use of a webserver.

I see what you mean; the entries in my log file look like that.

As Tom Rivers pointed out in his posts, his tests have shown that
someone might have used the web server as a proxy.  Now there is
probably no way to determine whether what caused this log entry was
actually an attack or not, or is there?


-- 
Fedora release 20 (Heisenbug)
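The distinction Tim draws above (an absolute URI such as `GET http://host/...` in the request line versus a normal `GET /path`) and the 200 status that shows the request was served are both mechanically checkable, which is how a defender would spot this pattern across a whole access log rather than one line. The following is an added example written for this page, not code from the thread or from Fedora or Apache: it parses Apache "combined" format lines, flags proxy-style requests (absolute-URI targets and CONNECT), and separates the ones answered with a 2xx status from the ones that were refused. The sample log is constructed from the two lines quoted in the thread plus one ordinary request; the hostname `192.0.2.10` and the 404 entry are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" access log format:
#   host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: the two lines discussed in the thread, followed by an
# ordinary origin request that was not found (made up for the example).
SAMPLE_LOG = """\
185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET /?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
192.0.2.10 - - [03/Mar/2014:07:30:01 -0800] "GET /pages/test.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_absolute_uri(target):
    """True when the request-target names a scheme and host (proxy-style request).

    A normal origin request is just a path ("/pages/test.html"); the domain the
    client wanted is carried in the Host header, not in the request line.
    """
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def classify(entry):
    """Label one parsed entry.

    proxy-request-served  : proxy-style request answered with 2xx (what the
                            thread's log line shows)
    proxy-request-refused : proxy-style request answered with anything else
    origin-request        : a normal request for a path on this server
    """
    proxy_style = entry["method"] == "CONNECT" or is_absolute_uri(entry["target"])
    if not proxy_style:
        return "origin-request"
    status = int(entry["status"])
    if 200 <= status < 300:
        return "proxy-request-served"
    return "proxy-request-refused"


def scan(log_text):
    """Parse every line that matches the format and attach a verdict to it."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format; skip rather than guess
        entry["verdict"] = classify(entry)
        results.append(entry)
    return results


def served_proxy_hosts(log_text):
    """Distinct third-party hosts that proxy-style requests were served for."""
    hosts = {
        urlsplit(e["target"]).hostname
        for e in scan(log_text)
        if e["verdict"] == "proxy-request-served" and e["method"] != "CONNECT"
    }
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(f'{e["host"]:16} {e["status"]} {e["verdict"]:22} {e["target"]}')
    print("served proxy hosts:", served_proxy_hosts(SAMPLE_LOG))
```

Run against a real log with `scan(open("access_log").read())`. A `proxy-request-served` verdict is an indicator, not proof: a server that is not configured as a forward proxy will still log the absolute URI and may answer the request with its own default page, which is exactly the ambiguity lee asks about at the end of the message, so the finding is a prompt to check the server's proxy configuration (`ProxyRequests Off` is the Apache default that disables forward proxying) and the size and content of what was returned, rather than a conclusion on its own.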