
#1 2023-05-11 10:29:29

furger
Member
Registered: 2023-05-11
Posts: 2

Weird apache POST logs request is running as root

I have doubts about the security of the current version of apache
I started the apache + php74 server and after a while some scanner did this:

45.95.169.240 - root [11/May/2023:11:58:18 +0300] "GET / HTTP/1.1" 200 13671
45.95.169.240 - root [11/May/2023:11:58:31 +0300] "POST /dvr/cmd HTTP/1.1" 403 -
45.95.169.240 - root [11/May/2023:11:58:43 +0300] "POST /cn/cmd HTTP/1.1" 403 -

Here you can see that the request was made as root, although I run the server as a regular user. Usual requests look like this:

127.0.0.1 - - [11/May/2023:12:49:35 +0300] "POST / HTTP/1.1" 403 -

I searched on the Internet and did not find anything about this, in the entire history of accessing the server from the outside there were no more such cases.
My httpd.conf: https://hastebin.com/share/iwefecuqez.bash


#2 2023-05-11 12:08:47

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,958

Re: Weird apache POST logs request is running as root

# id user


#3 2023-05-11 15:19:25

furger
Member
Registered: 2023-05-11
Posts: 2

Re: Weird apache POST logs request is running as root

schard wrote:
# id user

And? Give a normal answer explaining why it is "- root" and not "- -".

Last edited by furger (2023-05-11 15:19:46)


#4 2023-05-11 15:34:24

seth
Member
Registered: 2012-09-03
Posts: 50,799

Re: Weird apache POST logs request is running as root

Not sure what your gibberish is meant to say, but I'm pretty sure schard was interested in the output because of

User user
Group user


#5 2023-05-12 05:31:46

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Weird apache POST logs request is running as root

Before you start to panic, please understand what you actually see there. According to your httpd configuration the format of this log is "%h %l %u %t \"%r\" %>s %b". So "root" comes from the "%u" field. Let's look this up in Custom Log Formats (emphasis mine): "Remote user if the request was authenticated. May be bogus if return status (%s) is 401 (unauthorized)."

Do you understand what this means?

Beyond that, it looks as if you redacted the httpd configuration before posting it (or are you actually running httpd under a user account named "user"?), and you also didn't include any of the includes, so it's impossible to say where said requests end up and where they get rejected or accepted.

Last edited by 3beb6e7c46a615a (2023-05-12 05:35:49)

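To make the point in #5 concrete, here is an added example (editor's code, not anything posted in the thread or part of httpd itself). The %u field is REMOTE_USER: the user name the client itself placed in its Authorization header. It says nothing about the account httpd runs as, and a scanner can put any name there. The script parses lines in the quoted LogFormat, shows how a client manufactures a "root" entry with one Basic auth header, and lists every line where a client supplied a user name so you can check the status each guess received. The log lines are the ones from the post plus one local request, embedded as constructed sample input; which module populated %u on this particular server (an AuthType section in the config, or another handler) cannot be determined from the redacted httpd.conf, so the example does not assume one.

```python
"""Added example: what %u in "%h %l %u %t \"%r\" %>s %b" records,
and a small triage over log lines where a client sent credentials.
Editor's code, not from the thread or from httpd."""
import base64
import re

# One regex for the LogFormat quoted in the thread (Apache "common").
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample: the three scanner lines from the post and the
# local request quoted as a "usual" one.
SAMPLE_LOG = """\
45.95.169.240 - root [11/May/2023:11:58:18 +0300] "GET / HTTP/1.1" 200 13671
45.95.169.240 - root [11/May/2023:11:58:31 +0300] "POST /dvr/cmd HTTP/1.1" 403 -
45.95.169.240 - root [11/May/2023:11:58:43 +0300] "POST /cn/cmd HTTP/1.1" 403 -
127.0.0.1 - - [11/May/2023:12:49:35 +0300] "POST / HTTP/1.1" 403 -
"""


def parse_clf(line):
    """Parse one access-log line; "-" in %u / %b becomes None / 0."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError(f"not a common-format log line: {line!r}")
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def basic_auth_header(username, password):
    """The header a client sends to make %u read `username`.
    The server never chose this value; the client did."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def user_from_authorization(header):
    """Recover the name httpd would expose as REMOTE_USER / %u from a
    Basic Authorization header (the part before the first ':').
    Returns None for non-Basic schemes or undecodable tokens."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, _ = creds.partition(":")
    return user or None


def credential_guesses(log_text):
    """Triage: (host, user, request, status) for every line where a
    client supplied a user name. A non-empty %u only proves that
    credentials were sent; whether they were checked at all depends on
    whether the requested path has an AuthType configured. The lines
    worth a closer look are 200s on paths that really require auth."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec["user"]:
            hits.append((rec["host"], rec["user"], rec["request"], rec["status"]))
    return hits


if __name__ == "__main__":
    hdr = basic_auth_header("root", "admin")  # hypothetical guess
    print(hdr, "->", user_from_authorization(hdr))
    for hit in credential_guesses(SAMPLE_LOG):
        print(hit)
```

Running it prints the header a scanner would send (`Basic cm9vdDphZG1pbg==`), decodes it back to `root`, and lists the three 45.95.169.240 lines as credential attempts; the 127.0.0.1 line has no user and is not listed. The same triage applies to a real access_log: anything that appears in %u was typed by the remote side, so the check to make is which paths on the server actually have authentication configured and what status those paths returned.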


Powered by FluxBB