LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-31-2005, 01:14 PM   #1
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Possible Apache exploit / 404 NOT FOUND


Can anyone tell me how I would find out what someone was trying to run against my apache server?

On Thursday, I saw this entry from logwatch under 404 NOT FOUND. In my http log, I grepped for "prx" and got this returned (ABSOLUTE PATH REDACTED):
Quote:
[client 218.4.80.59] script '/myappache_root_path/virtual_host/prx.php' not found or unable to stat, referer: http://www.google.com/
[client 61.140.251.67] script '/myappache_root_path/virtual_host/prx.php' not found or unable to stat, referer: http://www.google.com/intl/en-us/
I browsed to the URL identified as http://umsky.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b:
and got the following display on my screen.
Code:
q1w2e3r4t5y6u7i8o9p0*a-b:
Accept=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding=gzip,deflate
Accept-Language=en-us,en;q=0.5
Connection=keep-alive
Host=umsky.com
Keep-Alive=300
User-Agent=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7
HTTP_PROXY_CONNECTION:
HTTP_X_FORWARDED_FOR:
HTTP_VIA:
HTTP_MAX_FORWARDS:
REMOTE_ADDR=MY.PUBLIC.IP.ADDRESS (REDACTED ADDRESS)
REMOTE_HOST=
HTTP_PC_REMOTE_ADDR=
HTTP_X_FWD_IP_ADDR=
HTTP_CONNECTION=
VIA:
HTTP_FORWARDED:
FORWARDED:
HTTP_X_BLUECOAT_VIA:
HTTP_PROXY____:
HTTP_PROXY___________:
HTTP_X_HOST:
HTTP_X_REFERER:
HTTP_X_SERVER_HOSTNAME:
PROXY_HOST:
PROXY_PORT:
PROXY_REQUEST:
HTTP_CLIENT_IP:
HTTP_PRAGMA:
HTTP_CACHE_CONTROL:
super or gateway or noproxy
Level:1
代理级别=超级代理
超级代理1=超级代理
代理级别=超级代理q1w2e3r4t5y6u7i8o9p0*a-b:

 
Old 12-31-2005, 03:13 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

It could be someone looking for a vulnerable php script - but since it's not on your server, it's probably not worth worrying about.
 
Old 01-01-2006, 01:19 PM   #3
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

It's also possible that it's an automated search for unprotected proxy servers. Last night I got a web request in my logs from 218.71.245.2 trying to proxy a request to umsky.com:

Code:
218.71.245.2 - - [01/Jan/2006:17:29:19 +1000] "GET http://umsky.com/px.php?p=q1w2e3r4t5y6u7i8o9p0q&f=proxy&p=203.206.82.44:80&sv=0&r=44543 HTTP/1.1" 403 208 "http://umsky.com/ref.php?r=58491" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
It says that umsky.com is the referer - the only reason I know of for trying to display your own web site through someone else's proxy is to prepare for doing something anonymous. Maybe they value their privacy so much in China, they'd rather surf through my web server.

Here's the output from http://www.apnic.net/apnic-bin/whois.pl for 218.71.245.2:
Code:
inetnum:      218.71.192.0 - 218.71.255.255
netname:      CHINANET-ZJ-NB
country:      CN
descr:        CHINANET-ZJ Ningbo node network
descr:        Zhejiang Telecom
admin-c:      CZ4-AP
tech-c:       CN13-AP
status:       ALLOCATED NON-PORTABLE
changed:      auto-dbm@dcb.hz.zj.cn 20050429
mnt-by:       MAINT-CHINANET-ZJ
mnt-lower:    MAINT-CN-CHINANET-ZJ-NB
source:       APNIC
umsky.com resolves to 202.101.165.136 and here's the output from apnic for them:

Code:
inetnum:      202.101.165.128 - 202.101.165.191
netname:      ZHEJIANG-INFO-CENTER
country:      CN
descr:        ZHEJIANG PUBLIC INFORMATION CENTER
descr:        NULL
admin-c:      HZ224-AP
tech-c:       CH122-AP
status:       ASSIGNED NON-PORTABLE
changed:      auto-dbm@dcb.hz.zj.cn 20040611
mnt-by:       MAINT-CN-CHINANET-ZJ-HZ
source:       APNIC
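The following is an added example, not code from any poster in this thread. It applies the two observations above to an Apache access log in the "combined" format quoted by gilead: a request line whose target is an absolute URI (or a CONNECT) is someone trying to use your httpd as a proxy, and the status code tells you whether httpd refused it (gilead's 403) or actually forwarded it; a request for prx.php / px.php on your own host is the scanner's proxy-check script from rioguia's post. The first sample line is gilead's entry; the other lines and their RFC 5737 addresses are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format, as in the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Proxy-check scripts the scanner in this thread bounces requests through.
PROBE_PATHS = ("/prx.php", "/px.php")

def classify(line):
    """Return (ip, verdict) for one log line, or None if it does not parse.
    open-proxy-served: absolute-URI request answered 2xx/3xx, i.e. httpd proxied it
    proxy-attempt: absolute-URI or CONNECT request that was refused
    probe-path: request for a known proxy-check script on this host"""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    parts = urlsplit(target)
    absolute = parts.scheme in ("http", "https") and bool(parts.netloc)
    if method == "CONNECT" or absolute:
        verdict = "open-proxy-served" if 200 <= status < 400 else "proxy-attempt"
    elif parts.path.endswith(PROBE_PATHS):
        verdict = "probe-path"
    else:
        verdict = "normal"
    return m["ip"], verdict

def scan(lines):
    """Map each source IP to the set of non-'normal' verdicts seen for it."""
    report = {}
    for line in lines:
        r = classify(line)
        if r and r[1] != "normal":
            report.setdefault(r[0], set()).add(r[1])
    return report

# Constructed sample: line 1 is gilead's entry from this thread, the rest are made up.
SAMPLE = [
    '218.71.245.2 - - [01/Jan/2006:17:29:19 +1000] "GET http://umsky.com/px.php?p=q1w2e3r4t5y6u7i8o9p0q&f=proxy&p=203.206.82.44:80&sv=0&r=44543 HTTP/1.1" 403 208 "http://umsky.com/ref.php?r=58491" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [01/Jan/2006:17:30:02 +1000] "GET /virtual_host/prx.php?p=test HTTP/1.1" 404 312 "http://www.google.com/" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2006:17:31:40 +1000] "CONNECT example.net:443 HTTP/1.1" 405 0 "-" "-"',
    '192.0.2.12 - - [01/Jan/2006:17:32:09 +1000] "GET http://example.org/ HTTP/1.1" 200 1423 "-" "curl/7.15"',
    '198.51.100.5 - - [01/Jan/2006:17:33:00 +1000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Feed `scan()` your real access log instead of SAMPLE; only an "open-proxy-served" verdict means httpd actually forwarded the request (check that ProxyRequests is Off), while "proxy-attempt" and "probe-path" are the harmless noise gilead describes.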
 
Old 01-03-2006, 01:16 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,998
Blog Entries: 54

Quote:
It's also possible that it's an automated search for unprotected proxy servers.
Yes, it is a script for testing proxies and it's not that good.
 
Old 01-03-2006, 02:13 PM   #5
lucktsm
Member
 
Registered: May 2004
Location: Atlanta, GA USA
Distribution: Redhat ES4, FC4, FC5, slax, ubuntu, knoppix
Posts: 155

You can run Snort and take a look at the alert logs. The logs show the exploit and offending IP address. I move them to my blacklist on the firewall.
 
Old 01-03-2006, 03:07 PM   #6
UK MAdMaN
Member
 
Registered: Jul 2004
Location: Manchester, England
Distribution: Gentoo
Posts: 211

Report it to postmaster@dcb.hz.zj.cn, and possibly also anti-spam@mail.tzptt.zj.cn, anti-spam@ns.chinanet.cn.net and antispam@dcb.hz.zj.cn (I know it wasn't spam, but those are the addresses registered on Abuse.net).