The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   UNIX - Newcomers (http://hintsforums.macworld.com/forumdisplay.php?f=15)
-   -   worrying Apache logs (http://hintsforums.macworld.com/showthread.php?t=17462)

daedlus 12-09-2004 08:22 PM

Just a thought
 
Hi all.

I registered basically just to pass this info on, so I will probably only say it once, which is why I will try and cover it well.

The problem you are experiencing is actually fairly common. In this day and age the average web server gets hit around 10 times daily with the new "0-dayZ IIS exploit OMG". That being said, my own servers get hit quite a lot.

A little while ago, this was bugging me so I decided to look into the logs and whatnot. What do I find? The standard SEARCH testing for the popular IIS exploit, and proxy requests. Lots of them. And to be honest, I really didn't care. They were all getting bumped off. Except the last one. (Note last one, it's actually significant.)

The last request got a 200. (To go to ebay.com I might add... Maybe somebody trying to 419 or whatnot?) That freaked me out a little. Ethereal popped open, so did my browser, and I did a quick system search for recently modified files. (Anything that was modified about 5 minutes before the proxy request got a 200.) I didn't catch anyone in the act with Ethereal, and as for the web, the only site with some decent information was this one. However, it was lacking something, an answer.

The answer is actually very simple. If you look at what you get when you do a timestamp search, you get a long list of files, usually ending with system files. Not the kind of stuff you would want to mess with right? Wrong. If you look closely, you'll see /etc/hosts.deny is in that list. Why? Think about it... Isn't it weird that file got modified at all? Well, that got my attention, but a quick cat /etc/hosts.deny answered ALL my questions.

Correlate the /etc/hosts.deny with your apache access_log and you find something very interesting. The IP that got the 200 to the proxy request is also in the hosts.deny file. Why could that be? Well, the firewall blocked his IP out, that's why. It's really that simple. Think about it for a second. When you try and access a web server that is "Forbidden", does it say "Page not found" or "You are forbidden access to this page!"? It says forbidden, obviously. Well, if you SEE the forbidden error page, then the server is telling you something. Hence a 200. Except the 200 brings you nowhere.

Now, the other possibility is that the firewall simply blocked the IP using hosts.deny and is sending them 200-Ok to any and all requests, but no data on the wire. Either way, you have nothing to fear. Unless I'm wrong that is, but even if I am wrong, the IP is STILL on the deny list, so they can't even talk to your computer. Problem solved. And it solved itself like a grown-up, all by itself. I'd like to see Microsoft make its software do this. :)

BTW: IANAMU - I am not a mac user. However, I am a linux user that knows a little bit about security.

I hope this helped drop some people's blood pressure. There shouldn't be much to worry about really. HOWEVER, please ALWAYS keep an eye on your logs if you're running a server. Not only will you be doing yourself a favor, but you'll be helping the entire net get rid of these kids. And as far as I'm concerned, you probably should send a copy of your logs to your service provider, telling them about who is trying to use what exploit on you and from what IP. They would certainly appreciate being able to nail a few kiddies. (Although most of them use proxies, proxies have logs which can be inspected to trace back to the source.)

Whatever option you chose, be safe, check your logs every once in a while and if something doesn't look quite right, it's probably not so check it out.

PS: For anyone who even wants to start saying that macs are better or pcs are better, the fact of the matter is I don't care which is better. The OS is only as good as the person behind the keyboard. If you're a moron and THINK that some OS is better than another without actually taking the time to learn how to use it well, then you DESERVE to be flamed.

darndog 12-14-2004 06:14 AM

Hmm, interesting, but I would have expected Apache to send a 403 for forbidden, and if that IP is blocked by your firewall, Apache should not even have got a request. As for the "GET somewhere" 200 logs, I discovered this was actually default behaviour: Apache just assumes that 'ebay.com' is a domain pointed to your server, so it sends the default page. Explanation from the Apache docs below:

Why do I see requests for other sites appearing in my log files?

An access_log entry showing this situation could look like this:

63.251.56.142 - - [25/Jul/2002:12:48:04 -0700] "GET http://www.yahoo.com/ HTTP/1.0" 200 1456


The question is: why did a request for www.yahoo.com come to your server instead of Yahoo's server? And why does the response have a status code of 200 (success)?


This is usually the result of malicious clients trying to exploit open proxy servers to access a website without revealing their true location. If you find entries like this in your log, the first thing to do is to make sure you have properly configured your server not to proxy for unknown clients. If you don't need to provide a proxy server at all, you should simply assure that the ProxyRequests directive is not set on. If you do need to run a proxy server, then you must ensure that you secure your server properly so that only authorized clients can use it.


If your server is configured properly, then the attempt to proxy through your server will fail. If you see a status code of 404 (file not found) in the log, then you know that the request failed. If you see a status code of 200 (success), that does not necessarily mean that the attempt to proxy succeeded. RFC2616 section 5.1.2 mandates that Apache must accept requests with absolute URLs in the request-URI, even for non-proxy requests. Since Apache has no way to know all the different names that your server may be known under, it cannot simply reject hostnames it does not recognize. Instead, it will serve requests for unknown sites locally by stripping off the hostname and using the default server or virtual host. Therefore you can compare the size of the file (1456 in the above example) to the size of the corresponding file in your default server. If they are the same, then the proxy attempt failed, since a document from your server was delivered, not a document from www.yahoo.com.


If you wish to prevent this type of request entirely, then you need to let Apache know what hostnames to accept and what hostnames to reject. You do this by configuring name-virtual hosts, where the first listed host is the default host that will catch and reject unknown hostnames. For example:


NameVirtualHost *

<VirtualHost *>
    ServerName default.only
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>

<VirtualHost *>
    ServerName realhost1.example.com
    ServerAlias alias1.example.com alias2.example.com
    DocumentRoot /path/to/site1
</VirtualHost>
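The checks described in both posts above (daedlus's "find the proxy requests that got a 200 and correlate with /etc/hosts.deny", and the Apache FAQ rule darndog quotes, "compare the byte count of the 200 to the size of your own default page") can be run over an access_log in a few dozen lines. The script below is an added example written for this page; it is not code from either poster or from the Apache project. The log lines and the hosts.deny contents are constructed for the example, and the field names in the findings (`verdict`, `in_hosts_deny`) are this script's own. A caveat a practitioner should keep in mind: hosts.deny is honoured by tcp_wrappers-aware daemons (sshd built with libwrap, services run from inetd with tcpd), and a stock httpd is not one of them, so an entry there does not by itself stop a request from reaching Apache, which is why the byte-count comparison is the more reliable test.

```python
"""Audit an Apache access_log for open-proxy probes.

Added example for this forum page (not the posters' or Apache's code).
It finds requests whose request-URI is an absolute URL (or a CONNECT),
decides from the response size whether a 200 really proxied anything
(the Apache FAQ rule: same size as your default page means your own page
was served), and cross-references the client IP with /etc/hosts.deny.
"""
import re
from typing import Dict, List, Optional, Set

# --- Constructed sample data, not real logs ---------------------------------
SAMPLE_ACCESS_LOG = """\
63.251.56.142 - - [25/Jul/2002:12:48:04 -0700] "GET http://www.yahoo.com/ HTTP/1.0" 200 1456
10.0.0.7 - - [25/Jul/2002:12:49:10 -0700] "GET / HTTP/1.1" 200 1456
198.51.100.23 - - [25/Jul/2002:12:50:31 -0700] "GET http://www.ebay.com/ HTTP/1.0" 200 9821
198.51.100.23 - - [25/Jul/2002:12:50:32 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 405 296
203.0.113.9 - - [25/Jul/2002:12:51:02 -0700] "SEARCH / HTTP/1.1" 404 298
"""

SAMPLE_HOSTS_DENY = """\
# constructed /etc/hosts.deny for the example (daemon_list : client_list)
ALL: 198.51.100.23
sshd: 203.0.113.9, 192.0.2.
"""

# Common Log Format: host ident user [time] "method target proto" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')
NORMAL_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def parse_access_log(text: str) -> List[Dict]:
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["bytes"] = int(e["bytes"]) if e["bytes"].isdigit() else 0  # "-" = no body
        entries.append(e)
    return entries


def parse_hosts_deny(text: str) -> Set[str]:
    """Collect the client tokens (IPs, prefixes, patterns) from hosts.deny."""
    clients: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        _daemons, client_list = line.split(":", 1)
        clients.update(tok for tok in re.split(r"[,\s]+", client_list.strip()) if tok)
    return clients


def default_page_size(entries: List[Dict]) -> Optional[int]:
    """Size of a locally served 200 for "/" (relative URI): the reference
    value for the Apache FAQ byte-count comparison."""
    for e in entries:
        if e["method"] == "GET" and e["target"] == "/" and e["status"] == 200:
            return e["bytes"]
    return None


def audit(access_log: str, hosts_deny: str, ref_size: Optional[int] = None) -> List[Dict]:
    """Return one finding per suspicious request, in log order."""
    entries = parse_access_log(access_log)
    denied = parse_hosts_deny(hosts_deny)
    if ref_size is None:
        ref_size = default_page_size(entries)
    findings = []
    for e in entries:
        is_proxy = e["method"] == "CONNECT" or bool(ABSOLUTE_URI_RE.match(e["target"]))
        if is_proxy:
            if e["status"] != 200:
                verdict = "proxy_probe_refused"
            elif ref_size is not None and e["bytes"] == ref_size:
                verdict = "proxy_failed_local_default"   # your own page went out
            else:
                verdict = "possible_open_proxy"          # 200 with a foreign-looking size
        elif e["method"] not in NORMAL_METHODS:
            verdict = "unusual_method"                   # e.g. SEARCH probes (WebDAV/IIS)
        else:
            continue
        findings.append({
            "ip": e["ip"], "request": f'{e["method"]} {e["target"]}',
            "status": e["status"], "bytes": e["bytes"], "verdict": verdict,
            "in_hosts_deny": e["ip"] in denied,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCESS_LOG, SAMPLE_HOSTS_DENY):
        print(finding)
```

On the sample data the yahoo.com request comes back as `proxy_failed_local_default` (1456 bytes, the same as the local `GET /`), while the ebay.com request is flagged `possible_open_proxy` because 9821 bytes is not your default page; that second case is the one worth checking `ProxyRequests` for. If you apply the FAQ's catch-all virtual host on a current Apache 2.4, note that `NameVirtualHost` is no longer needed and `Order allow,deny` / `Deny from all` is written `Require all denied`.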

