Confused about what I'm seeing in my apache access log (think I might have been hacked)?
Solution 1
It's an RFC thing as detailed by Apache. By default, Apache will accept requests even if they contain invalid URIs, but instead the user will be redirected to your server's main page. The CONNECT requests being refused is proper behavior.
As detailed in the link above, you can manually block these requests, but there's no immediate need to.
Solution 2
It almost looks as if the server is being used as a web proxy. Try disabling port 80 outbound from that IP (internal to external) and see if the logs keep showing up. If not, it might be time to look into tightening down your security...
Geoffrey McCosker
Updated on September 18, 2022
Comments
Geoffrey McCosker over 1 year
I have a VPS running CentOS. I installed apache and configured the access log. Just checked it and found some interesting traffic:
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET / HTTP/1.1" 200 13
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:05:53 -0500] "GET /xvidtox-china-company HTTP/1.1" 404 219
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:15:18 -0500] "GET /xdmx-rental-cars-insurance HTTP/1.1" 404 224
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:16:47 -0500] "GET /nv-life-insurance-dies-when-premium/?si=2aa54ab4c0b33 HTTP/1.1" 404 234
VPS-Hostname 119.63.196.62 119.63.196.62 - - [23/Dec/2014:19:53:55 -0500] "GET /images/misc/legend.png HTTP/1.1" 404 220
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:20:45:21 -0500] "GET /xdmx-rental-cars-insurance/?si=2467513 HTTP/1.1" 404 225
VPS-Hostname 115.159.66.44 115.159.66.44 - - [23/Dec/2014:21:49:18 -0500] "GET http://www.ly.com/ HTTP/1.1" 200 13
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:22:24:00 -0500] "GET /xpwx-china-exporters HTTP/1.1" 404 218
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:00:28:24 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
...
270.vps.ovh.ca 46.246.113.109 46.246.113.109 - - [24/Dec/2014:01:47:28 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
VPS-Hostname 119.63.196.32 119.63.196.32 - - [24/Dec/2014:01:53:20 -0500] "GET /images/forumicons/sony2.jpg HTTP/1.1" 404 225
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:02:05:02 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
...
VPS-Hostname 218.59.238.93 218.59.238.93 - - [24/Dec/2014:04:01:23 -0500] "GET http://proxyjudge.us/ HTTP/1.0" 200 13
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:38:50 -0500] "GET http://httpheader.net HTTP/1.1" 200 13
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:10 -0500] "-" 408 -
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:32 -0500] "-" 408 -
VPS-Hostname 5.231.208.205 5.231.208.205 - - [24/Dec/2014:06:21:00 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:06:55:21 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
VPS-Hostname 119.63.196.28 119.63.196.28 - - [24/Dec/2014:07:52:49 -0500] "GET /images/forumicons/latestmovies.jpg HTTP/1.1" 404 232
The first three entries are me browsing to the default site I set up; the rest I have no idea about. I'm new to Apache, so I'm not sure exactly what is happening here. Is someone using Apache on the server to connect to other sites? How is this possible?
I leave the httpd.conf with the default settings, only adding a virtual host config at the bottom to my "defaultsite":
<VirtualHost *:80>
    # This first-listed virtual host is also the default for *:80
    ServerAdmin [email protected]
    ServerName my.vps.hostname
    DocumentRoot /var/www/defaultsite
    LogFormat "%v %h %a %l %u %t \"%r\" %>s %b" vhostLogFormat
    CustomLog /var/log/httpd/defaultsite-access.log vhostLogFormat
    ErrorLog /var/log/httpd/defaultsite-error.log
</VirtualHost>
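An added example, not code from the question or the answers, that parses entries in the question's LogFormat and separates the two request shapes under discussion: CONNECT requests (refused with 405) and GETs with an absolute http:// target (answered 200 with the 13-byte default page). The sample entries and their documentation-range addresses are constructed; the 13-byte default-page size is the one seen in the question's own entries.

```python
import re
from collections import Counter
# Regex for the question's LogFormat: "%v %h %a %l %u %t \"%r\" %>s %b"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<host>\S+) (?P<client>\S+) (?P<logname>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample entries in that format (documentation-range addresses, not the thread's)
SAMPLE_LOG = """\
vps 203.0.113.5 203.0.113.5 - - [23/Dec/2014:16:47:20 -0500] "GET / HTTP/1.1" 200 13
vps 198.51.100.7 198.51.100.7 - - [23/Dec/2014:21:49:18 -0500] "GET http://example.net/ HTTP/1.1" 200 13
vps 198.51.100.9 198.51.100.9 - - [24/Dec/2014:00:28:24 -0500] "CONNECT example.org:443 HTTP/1.0" 405 235
vps 198.51.100.7 198.51.100.7 - - [24/Dec/2014:04:39:10 -0500] "-" 408 -
vps 198.51.100.9 198.51.100.9 - - [24/Dec/2014:05:00:00 -0500] "GET http://example.net/ HTTP/1.1" 200 5120
"""

def parse_line(line):
    """Split one entry into its fields; returns None for lines not in this format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()          # e.g. ["GET", "/", "HTTP/1.1"] or ["-"]
    rec["method"], rec["target"] = (parts[0], parts[1]) if len(parts) >= 2 else ("-", "-")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for no body
    return rec

def classify(rec):
    """'connect-probe' for CONNECT, 'absolute-uri-probe' for GET http://host/..., else 'normal'."""
    if rec["method"] == "CONNECT":
        return "connect-probe"
    if rec["target"].lower().startswith(("http://", "https://")):
        return "absolute-uri-probe"
    return "normal"

def proxy_probe_report(log_text, default_page_bytes):
    """Count probes per client; list probes answered 200 with a body bigger than the default page."""
    # A 200 with only the default page's 13 bytes means Apache served the local site, not the remote one.
    counts = Counter()
    relayed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or classify(rec) == "normal":
            continue
        counts[(rec["client"], classify(rec))] += 1
        if rec["status"] == 200 and rec["bytes"] > default_page_bytes:
            relayed.append(line)
    return counts, relayed
```

Any line in `relayed` is the one worth investigating: a probe that came back 200 with more than the default page's bytes.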
MonkeyZeus over 9 years
Looks like your site is being poked and prodded for security holes. You can kind of ignore the requests resulting in a 404 because that means that the visitor landed on your site with an invalid URL. Not sure about those URLs with 200 responses though...
Geoffrey McCosker over 9 years
That's exactly what I was thinking! The 200 ones are to a site called proxyjudge (guess they're trying to get info on the server). How are they even making these requests? It's like they are making connection requests to external sites to see if Apache will deliver them? How do you do that, and how can I do that? This VPS is purely for testing/learning and I don't have any sensitive data on it, so I'm hoping to use this as a neat learning experience.
MonkeyZeus over 9 years
According to your logs, your server is probably not falling victim to these proxying attempts, because you can see that all of those URL requests responded with only 13 bytes of data, so Apache is basically serving a blank page rather than requesting the site being specified.
Geoffrey McCosker over 9 years
That's interesting, I'll take note of that. Could it be serving my default page? It is just a blank page that says DEFAULT SITE.
MonkeyZeus over 9 years
Not quite sure, I've never tried it out. "DEFAULT SITE" is only 12 bytes by my count, but maybe there's some hidden UTF-8 control characters in that "blank page" which you are serving.
Geoffrey McCosker over 9 years
Ha, that's really cool, I didn't think about actually counting the bytes of the text. I think it is my default page, because if you look at my own requests you see "GET / HTTP/1.1" 200 13.
MonkeyZeus over 9 years
Makes sense to me. Since you have one default site, Apache is probably just serving it up. Try changing your index.html to
12345678901234567890
and if you start seeing 20/21 bytes then you will definitely know what's up.
Geoffrey McCosker over 9 years
Cool! Really glad I set up a VPS now; I've never had to deal with stuff like this before. When would I need to block requests like this? If a server is really getting slammed with requests like this, will blocking them possibly prevent a DOS attack?
MonkeyZeus over 9 years
@red888 If you are worried about a DOS/DDOS attack then you can benchmark your site to see exactly how much traffic it can handle. In your Apache bin folder you will find a program called ab, so you can do
ab -n 1000 -c 50 http://www.yoursite.com/
This command will create a thousand entries in your log though.