#1 2014-03-27 04:56:40

LeftyAce
Member
Registered: 2012-08-18
Posts: 159

[Solved] Strange entries in apache access_log

Hi all,

I recently set up a small apache server. Listing is disabled, I just wanted people who I give a full file path to be able to download specific files. I'm keeping them in ~/public_html.

If I look at /var/log/httpd/access_log, I see some entries that make sense:

138.102.68.222 - - [25/Mar/2014:20:31:13 -0500] "GET /~lefty/pictures.zip HTTP/1.1" 200 201823247
138.102.68.222 - - [25/Mar/2014:20:32:51 -0500] "GET / HTTP/1.1" 403 983
141.123.267.82 - - [25/Mar/2014:20:37:03 -0500] "GET /~lefty/pictures.zip HTTP/1.1" 200 201823247

That's me testing downloading pictures.zip (success), testing just accessing the root folder (denied 403, as I had hoped), and my friend downloading pictures.zip.

Next in the log I see some entries that contain a bunch of gibberish and get rejected:

202.175.83.131 - - [25/Mar/2014:21:56:23 -0500] "HEAD / HTTP/1.0" 403 -
202.175.83.131 - - [25/Mar/2014:21:56:23 -0500] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
202.175.83.131 - - [25/Mar/2014:21:56:24 -0500] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
202.175.83.131 - - [25/Mar/2014:21:56:24 -0500] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
202.175.83.131 - - [25/Mar/2014:21:56:25 -0500] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
202.175.83.131 - - [25/Mar/2014:21:56:26 -0500] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
200.98.175.74 - - [25/Mar/2014:23:22:22 -0500] "HEAD / HTTP/1.0" 403 -
96.38.230.190 - - [26/Mar/2014:23:45:54 -0500] "\x80w\x01\x03\x01" 400 226
96.38.230.190 - - [26/Mar/2014:23:45:54 -0500] "GET /HNAP1/ HTTP/1.1" 404 1103

Should I be concerned? Also, it looks like the long strings were requesting a specific file and got 404 errors b/c it doesn't exist. What's with the short "\x80w" string that gets error 400?

Thanks,

Lefty

Last edited by LeftyAce (2014-03-29 23:24:25)

#2 2014-03-27 05:12:17

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,354

Re: [Solved] Strange entries in apache access_log

I am shocked, shocked to think someone is trying to hack you tongue

ewaller$@$odin ~ 1006 %whois 202.175.83.131
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '202.175.0.0 - 202.175.127.255'

inetnum:        202.175.0.0 - 202.175.127.255
netname:        CTM-MO
descr:          CTM
country:        MO
admin-c:        CN166-AP
tech-c:         CN166-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CTM-MO
mnt-routes:     MAINT-CTM-MO
mnt-irt:        IRT-CTM-MO
changed:        hm-changed@apnic.net 20040130
remarks:        combine all small allocation objects into a /17 object
remarks:        this object can only modify by APNIC Hostmaster
status:         ALLOCATED PORTABLE
changed:        hm-changed@apnic.net 20060224
changed:        hm-changed@apnic.net 20110701
source:         APNIC

irt:            IRT-CTM-MO
address:        Rua da Lagos, Telecentro
address:        P.O. Box 868
address:        Taipa
address:        Macau
e-mail:         noc@macau.ctm.net
abuse-mailbox:  noc@macau.ctm.net
admin-c:        JC1146-AP
tech-c:         HL13
auth:           # Filtered
mnt-by:         MAINT-CTM-MO
changed:        noc@macau.ctm.net 20101201
source:         APNIC

role:           CTM NOC
nic-hdl:        CN166-AP
address:        CTM - Internet Business Unit
address:        Rua da Lagos, Telecentro
address:        P.O. Box 868, Taipa
address:        Macau
country:        MO
phone:          +853 8912728
fax-no:         +853 8912933
e-mail:         noc@macau.ctm.net
admin-c:        JC1146-AP
tech-c:         HL13
notify:         losi@macau.ctm.net
changed:        losi@macau.ctm.net 20030530
mnt-by:         MAINT-CTM-MO
source:         APNIC

% Information related to '202.175.64.0/19AS4609'

route:          202.175.64.0/19
descr:          CTM Internet Services
descr:          Companhia de Telecomunicacoes de Macau S.A.R.L.
country:        MO
origin:         AS4609
remarks:        Route Object - 202.175.64.0/19
mnt-by:         MAINT-CTM-MO
changed:        angus@edu.ctm.net 20060223
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS1)


ewaller$@$odin ~ 1007 %

The other IP address was in Missouri in the USA. That one was benign, or at least unsophisticated.
The Macau attack was a bit more interesting. Have you enabled php? If not, you are okay. Expect this sort of stuff. Also, expect to be fully probed by the web crawlers (Google, Yahoo, Duck Duck Go, and other wannabes).

Edit:  Actually, the attack from Missouri might be this

Last edited by ewaller (2014-03-27 05:17:09)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

#3 2014-03-27 05:56:11

LeftyAce
Member
Registered: 2012-08-18
Posts: 159

Re: [Solved] Strange entries in apache access_log

Thanks for the reply ewaller. I take it some amount of attempted "hacking" is normal and nothing to worry about? Requesting strange filenames seems like an odd attack, but I know nothing about the subject :-P

I haven't knowingly enabled php, but it seems the basic file serving I'm trying to do only works if I have the php and php-apache packages installed. How can I check on this?

#4 2014-03-27 06:12:34

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,354

Re: [Solved] Strange entries in apache access_log

Hacking is expected and is a part of opening a public port. I would not consider what the bastards do as "Normal".
It is definitely something to worry about. Not enough to lose sleep over. Watch your logs.

Last edited by ewaller (2014-03-27 06:13:14)


#5 2014-03-27 15:42:41

LeftyAce
Member
Registered: 2012-08-18
Posts: 159

Re: [Solved] Strange entries in apache access_log

Okey doke, I'll keep an eye on the access log and as long as strange requests get greeted by 404s I won't worry too much.

#6 2014-03-27 15:53:57

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 12,638

Re: [Solved] Strange entries in apache access_log

I take it some amount of attempted "hacking" is normal

I'm afraid so.

In case you're curious, here's what the first bunch of attacks translates as: http://ddecode.com/hexdecoder/?results= … dbbcbaa6d2

Also, please mark your thread as solved.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.
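Added example, not code from anyone in the thread: a small Python triage script that does locally what the hex-decoder link above does (URL-decodes the request) and labels each of the first post's kinds of log line from a defender's standpoint, so the interesting question ("did any probe get something other than a 4xx?") is answered by the script rather than by eyeballing the log. The sample lines and IPs are constructed, the label names are this script's own, and the reading of the "\x80w\x01\x03\x01" line as an SSL/TLS ClientHello in SSLv2 record format sent to the plaintext port (hence Apache's 400) is the editor's interpretation of that byte pattern.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines modelled on the thread's access_log: IPs are RFC 5737
# documentation addresses and the encoded query is the poster's, cut to two -d options.
SAMPLE_LOG = r'''
192.0.2.10 - - [25/Mar/2014:20:31:13 -0500] "GET /~lefty/pictures.zip HTTP/1.1" 200 201823247
192.0.2.10 - - [25/Mar/2014:20:32:51 -0500] "GET / HTTP/1.1" 403 983
198.51.100.7 - - [25/Mar/2014:21:56:23 -0500] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66 HTTP/1.1" 404 976
203.0.113.5 - - [26/Mar/2014:23:45:54 -0500] "\x80w\x01\x03\x01" 400 226
203.0.113.5 - - [26/Mar/2014:23:45:54 -0500] "GET /HNAP1/ HTTP/1.1" 404 1103
'''.strip().splitlines()

# Common Log Format; Apache writes a literal quote inside the request as \"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)$')
HTTP_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')
# SSLv2-format ClientHello hitting the plaintext port: \x80 (record header, high bit
# set) + length byte, then message type \x01 = CLIENT-HELLO, then version \x03\x0N.
SSL_HELLO_RE = re.compile(r'^\\x[89a-f][0-9a-f](?:\\x[0-9a-f]{2}|.)\\x01\\x03\\x0[0-3]')
# A query that decodes to php-cgi command-line switches (-d key=value, -n)
PHP_SWITCH_RE = re.compile(r'(^|\s)-[dn](\s|$)')

def classify(line):
    """Return (ip, status, label, decoded_query) for one access_log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, status, req = m['ip'], int(m['status']), m['req']
    h = HTTP_RE.match(req)
    if not h:  # Apache could not parse a request line at all (the 400 case)
        label = 'tls-handshake-on-plaintext-port' if SSL_HELLO_RE.match(req) else 'non-http-bytes'
        return ip, status, label, ''
    path, _, query = h['target'].partition('?')
    decoded = unquote_plus(query)          # what the hex-decoder link shows
    if path.startswith('/cgi-bin/') and PHP_SWITCH_RE.search(decoded):
        return ip, status, 'php-cgi-argument-injection-probe', decoded
    if path.startswith('/HNAP1'):          # router management endpoint scanners look for
        return ip, status, 'router-hnap-probe', decoded
    if status == 403:
        return ip, status, 'denied', decoded
    return ip, status, 'ok' if status == 200 else 'not-found', decoded

def triage(lines):
    """Classify every line and single out probes the server actually served (status < 400)."""
    results = [r for r in (classify(l) for l in lines) if r]
    served_probes = [r for r in results
                     if r[2] not in ('ok', 'denied', 'not-found') and r[1] < 400]
    return results, served_probes
```

Run it over the real log with `triage(open('/var/log/httpd/access_log').read().splitlines())`; an empty `served_probes` list is the "all greeted by 4xx" situation the poster is hoping for, and anything in it is what to look at first.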
