You are not logged in.
- Topics: Active | Unanswered
#1 2023-05-11 10:29:29
- furger
- Member
- Registered: 2023-05-11
- Posts: 2
Weird apache POST logs request is running as root
I have doubts about the security of the current version of apache
I started the apache + php74 server and after a while some scanner did this:
45.95.169.240 - root [11/May/2023:11:58:18 +0300] "GET / HTTP/1.1" 200 13671
45.95.169.240 - root [11/May/2023:11:58:31 +0300] "POST /dvr/cmd HTTP/1.1" 403 -
45.95.169.240 - root [11/May/2023:11:58:43 +0300] "POST /cn/cmd HTTP/1.1" 403 -Here you can see that the request was made as root, although I run the server as a regular user. Soatl requests look like this:
127.0.0.1 - - [11/May/2023:12:49:35 +0300] "POST / HTTP/1.1" 403 -I searched on the Internet and did not find anything about this, in the entire history of accessing the server from the outside there were no more such cases.
My httpd.conf: https://hastebin.com/share/iwefecuqez.bash
Offline
#2 2023-05-11 12:08:47
- schard
- Forum Moderator
- From: Hannover
- Registered: 2016-05-06
- Posts: 1,975
- Website
Re: Weird apache POST logs request is running as root
# id usermacro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }
Offline
#3 2023-05-11 15:19:25
- furger
- Member
- Registered: 2023-05-11
- Posts: 2
Re: Weird apache POST logs request is running as root
# id user
And? Answer on a normal explain why "- root" and not "- -"
Last edited by furger (2023-05-11 15:19:46)
Offline
#4 2023-05-11 15:34:24
- seth
- Member
- Registered: 2012-09-03
- Posts: 51,017
Re: Weird apache POST logs request is running as root
Not sure what your gibberish is meant to say, but I'm pretty sure shard was interested in the output because of
User user
Group userOffline
#5 2023-05-12 05:31:46
- 3beb6e7c46a615a
- Member
- Registered: 2021-03-27
- Posts: 165
Re: Weird apache POST logs request is running as root
Before you start to panic please understand what you actually see there. According to your httpd configuration the format of this log is "%h %l %u %t \"%r\" %>s %b". So "root" comes from the "%u" field. Let's look this up in Custom Log Formats (emphasis mine): "Remote user if the request was authenticated. May be bogus if return status (%s) is 401 (unauthorized).".
Do you understand what this means?
Beyond that, it looks as if you redacted the httpd configuration before posting it (or are you actually running httpd under a user account named "user"? ), and you also didn't include any of the includes, so it's impossible to say where said requests end up and where they get rejected or accepted.
Last edited by 3beb6e7c46a615a (2023-05-12 05:35:49)
Offline