LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-09-2008, 12:51 PM   #1
userlander
Member
 
Registered: Jul 2008
Distribution: Arch, Debian
Posts: 61

Rep: Reputation: 18
Apache logwatch errors - what do they mean?


I keep getting errors like this in my Apache logs:

Code:
Requests with error response codes
    403 Forbidden
       http://scifi.pages.at/myproxies/azenv.php: 12 Time(s)
       http://www.eduisland.com/prx1.php: 1 Time(s)

    404 Not Found
       http://sevy.eu.org/azenv.php: 2 Time(s)
       http://www.digconsys.com/testdir/env.cgi: 1 Time(s)
       http://www.nassc.com/pr.php: 4 Time(s)

    405 Method Not Allowed
       www.google.com:443: 5 Time(s)

 Connection attempts using mod_proxy:
    222.208.183.218 -> www.google.com:443: 5 Time(s)
So I don't get it -- what does it mean that people are trying to access these external websites through my server? How would that even be done to make it show up in the logs like that?
 
Old 11-10-2008, 10:19 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
If I had to make a WAG, you're providing http proxy services (via mod_proxy) to nasty people on the Net.
 
Old 11-11-2008, 12:47 AM   #3
huzbo89
LQ Newbie
 
Registered: Oct 2006
Location: New York City
Distribution: FC8
Posts: 7

Rep: Reputation: 1
I've had a similar issue with my home server. It's running Apache/2.2.9 over Fedora 8. Firestarter is managing the firewall.

I thought that by leaving the Proxy Server directives in my httpd.conf file commented out, I'd be safe from this type of attack. I also thought that since my logs showed a 404 response to the unwanted requests, that Apache was rejecting them without problems.

Then I got a pair of CONNECT requests to Google on port 443 that received a 200 response. And one of the attackers asking for azenv.php has been *very* persistent.

So I got worried. I've commented out the LoadModule lines in httpd.conf for the mod_proxy modules, renamed my conf.d/proxy_ajp.conf file so it doesn't load, and run apachectl -k restart.

I'm still getting requests (from the same IP address) for azenv.php, to which Apache responds with a 404.

Q: --> Should I still be worried? Could I be running a proxy server despite my precautions? And did I make matters *worse* by disabling mod_proxy?

I've RTFM 'til my eyes are bugging out. But it's a lot to absorb. I have no idea why this is fun (but it is :-) )

Thanks in advance to anyone who responds.
 
Old 11-11-2008, 07:56 AM   #4
userlander
Member
 
Registered: Jul 2008
Distribution: Arch, Debian
Posts: 61

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by anomie View Post
If I had to make a WAG, you're providing http proxy services (via mod_proxy) to nasty people on the Net.
That's kind of what it looked like to me, but to my knowledge I don't have any mod proxy module running. There's nothing that says proxy in mods-enabled, and I moved all files with a reference to proxy out of mods-available, as well as moving anything with a reference to mod_proxy out of /usr/lib/apache2/modules.

I also tried adding the proxy directive listed on the mod_proxy page, but I can't figure out where to add it.

Code:
# <Proxy> is a mod_proxy directive: Apache only recognises it when mod_proxy is loaded,
# so with the module removed the server refuses to start on this block
<Proxy *>
Order Deny,Allow
Deny from all
Allow from 192.168.0
</Proxy>

I tried putting it in apache2.conf, httpd.conf, sites-available/default, and sites-enabled/000-default, but Apache fails to start with an error message about it each time. Is there any way to test to see if my server can be used as a proxy?

huzbo89, thanks for the post. I hope with more exposure here we can get this issue resolved.
 
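The question at the end of the post above ("is there any way to test to see if my server can be used as a proxy?") is best answered from the outside, by sending the server exactly the requests the logwatch report shows and reading what comes back. The script below is an added example written for this thread, not code from the original posts or from the Apache project. It sends an absolute-URI GET (the request a client configured to use this host as its proxy, or a proxy checker such as azenv.php, would send) and a CONNECT to host:443, and it guards against the false positive a naive check has: Apache that is not a proxy serves the path of an absolute-URI request from its own DocumentRoot, so a 200 on that request alone proves nothing. The target URL, the www.google.com:443 tunnel target from the logwatch output, and the 127.0.0.1 stand-in server used for the offline demo are assumptions; point it at a server you own.

```python
"""Probe a web server for open-proxy behaviour (added example, not from the thread).

Two request shapes produce the logwatch lines above: a GET whose request-target
is an absolute URI (what a client told to use this host as its proxy, or a
checker like azenv.php, sends) and CONNECT host:443 (the tunnel that
mod_proxy_connect would open). Apache that is *not* a proxy serves the path of
an absolute-URI request from its own DocumentRoot, so a 200 there proves
nothing by itself; the probe also fetches the same path the normal way and
only calls it relayed when a 2xx body differs from the local one.
Target URL and the 127.0.0.1 stand-in server are assumptions for the demo.
"""
import socket
import threading
from urllib.parse import urlsplit


def build_request(method, target, host_header):
    """One HTTP/1.1 request; target is a path, an absolute URI or host:port."""
    return (f"{method} {target} HTTP/1.1\r\nHost: {host_header}\r\n"
            "Connection: close\r\n\r\n").encode()


def exchange(host, port, request, timeout=5.0):
    """Send one request on a fresh TCP connection, return the raw reply bytes."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            while chunk := s.recv(4096):
                data += chunk
        except OSError:  # timeout or reset: keep whatever arrived
            pass
    return data


def parse_status(response):
    """Numeric status code from the status line, or None if not HTTP."""
    head = response.split(b"\r\n", 1)[0].split()
    if len(head) >= 2 and head[0].startswith(b"HTTP/") and head[1].isdigit():
        return int(head[1])
    return None


def body_of(response):
    return response.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in response else b""


def verdict(local, via_proxy, connect):
    """Interpret the replies; only the two OPEN PROXY strings mean trouble."""
    s_via, s_conn = parse_status(via_proxy), parse_status(connect)
    if s_via is not None and 200 <= s_via < 300:
        if body_of(via_proxy) == body_of(local):
            get = "served locally, same body as a direct request (not proxied)"
        else:
            get = "relayed, body differs from local copy (OPEN PROXY)"
    else:
        get = f"not relayed ({s_via})"
    tunnel = ("tunnel opened (OPEN PROXY)" if s_conn is not None and 200 <= s_conn < 300
              else f"refused ({s_conn})")
    return {"absolute-uri GET": get, "CONNECT": tunnel}


def probe(server_host, server_port=80, target="http://example.com/", timeout=5.0):
    """Run the three requests against server_host:server_port; return verdicts."""
    u = urlsplit(target)
    send = lambda m, t, h: exchange(server_host, server_port, build_request(m, t, h), timeout)
    local = send("GET", u.path or "/", server_host)            # origin-form request
    via = send("GET", target, u.netloc)                        # absolute-form request
    tunnel = send("CONNECT", "www.google.com:443", "www.google.com:443")
    return verdict(local, via, tunnel)


def fake_server(reply, connections=3):
    """Constructed stand-in for the server under test: sends `reply` to every
    request on 127.0.0.1 for `connections` connections. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    port = srv.getsockname()[1]

    def run():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)
                except OSError:
                    pass
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


# A non-proxying Apache answers 404 for an unknown path and 405 to CONNECT; a
# flat 404 for everything is enough to exercise the verdict logic offline.
NOT_A_PROXY = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # real target: python3 proxyprobe.py host [port]
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80
    else:                   # offline demo against the stand-in
        host, port = "127.0.0.1", fake_server(NOT_A_PROXY)
    for check, result in probe(host, port).items():
        print(f"{check}: {result}")
```

Run it with no arguments for the offline demo, or `python3 proxyprobe.py your.server.example 80` against a real host. A "tunnel opened" result for CONNECT is unambiguous: a server without mod_proxy_connect never answers CONNECT with 2xx, which is why the 200 on the CONNECT requests in the post above is the line worth worrying about. The GET verdict compares bodies rather than trusting the status code, because the local-serving behaviour makes a bare 200 meaningless.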
Old 11-11-2008, 02:33 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I'm not super familiar with mod_proxy, but I'd think this would be as simple as commenting out or removing any of the following from httpd.conf:
Code:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
(Additionally, you'll need to comment out or remove directives that utilize mod_proxy.)

All this is assuming you don't want to be providing proxy services...
 
Old 11-11-2008, 02:40 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
P.S. After making that change and restarting httpd, if you're still having this problem post the output of:
# httpd -M
 
Old 11-12-2008, 06:02 AM   #7
huzbo89
LQ Newbie
 
Registered: Oct 2006
Location: New York City
Distribution: FC8
Posts: 7

Rep: Reputation: 1
After making those changes, I'm still getting lines in my access_log like:

Code:
221.xxx.xxx.xx - - [12/Nov/2008:06:23:31 -0500] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 404 13 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
My output for httpd -M is:

Code:
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 authz_owner_module (shared)
 authz_groupfile_module (shared)
 authz_dbm_module (shared)
 authz_default_module (shared)
 ldap_module (shared)
 authnz_ldap_module (shared)
 include_module (shared)
 log_config_module (shared)
 logio_module (shared)
 env_module (shared)
 ext_filter_module (shared)
 mime_magic_module (shared)
 expires_module (shared)
 deflate_module (shared)
 headers_module (shared)
 usertrack_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 dav_module (shared)
 status_module (shared)
 autoindex_module (shared)
 info_module (shared)
 dav_fs_module (shared)
 vhost_alias_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 actions_module (shared)
 speling_module (shared)
 userdir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 cache_module (shared)
 suexec_module (shared)
 disk_cache_module (shared)
 file_cache_module (shared)
 mem_cache_module (shared)
 cgi_module (shared)
 perl_module (shared)
 php5_module (shared)
 python_module (shared)
 ssl_module (shared)
Syntax OK
Should I still be worried?

Thanks
 
Old 11-12-2008, 09:48 AM   #8
userlander
Member
 
Registered: Jul 2008
Distribution: Arch, Debian
Posts: 61

Original Poster
Rep: Reputation: 18
I can find no mod_proxy modules listed anywhere in any apache2 config file, the modules themselves have been moved out of the /usr/lib modules directory, and httpd (apache2ctl -M in this case) does not show any proxy modules loaded:

Code:
# apache2ctl -M
[Wed Nov 12 10:42:39 2008] [warn] NameVirtualHost *:80 has no VirtualHosts
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 php5_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 status_module (shared)
 userdir_module (shared)
Syntax OK
Today I got the http://scifi.pages.at/myproxies/azenv.php, but it's still showing up as "Forbidden," while the others are 404, so without more evidence that the box is actually being used as a proxy successfully, I'm not going to worry about it anymore. The most attempts I've seen are like around 10 anyway, so it's not a big deal from this end even if it is being proxied (which I see no evidence of).

thanks anomie.
 
Old 11-12-2008, 12:53 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I just realized there were two people replying to this thread. (@huzbo89: the polite thing is generally to start a new thread, referencing the original.)

For grins, I tried to recreate the behavior you are seeing. I set an Apache 2.2 server as my client browser's proxy server (mod_proxy is not enabled on this server). Then I tried to cruise to a few different websites, and saw similar 404 entries in my access_log, just as you two are. As far as I can tell, when Apache is not operating as a proxy server (and someone tries to use it as one), it simply truncates the host information and tries to serve up everything following the slash (/).

Short answer is: You've both confirmed that mod_proxy is not being loaded by your configuration. AFAIK, given the precautions you've taken you can safely ignore these particular 403 / 404 errors.
 
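The post above gives the rule for reading these entries: a request-target that starts with a scheme (GET http://host/...) or a CONNECT method is proxy-style, and when mod_proxy is absent Apache drops the host part and serves the path locally, hence the 403/404 answers, while 405 is what CONNECT gets. The script below is an added example for this thread (not code from the posts, logwatch, or Apache) that applies that rule to an access_log and separates the harmless refused entries from the one case that matters, a proxy-style request answered 2xx. The sample log lines are constructed with RFC 5737 documentation addresses; the URLs are the ones quoted in the thread.

```python
"""Pick proxy-style requests out of an Apache access_log (added example, not
from the thread). It looks for the two request shapes behind the logwatch
sections quoted in the first post: a request-target that is an absolute URI
(GET http://host/...) and the CONNECT method. A 2xx on either means the server
relayed traffic; 403/404/405 means it refused or, as described above, served
the path from its own DocumentRoot. Sample lines are constructed (RFC 5737 IPs).
"""
import re
from collections import Counter

# Apache combined format: ip ident user [ts] "method target proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$')

# scheme:// at the start of the request-target is absolute-form (proxy) syntax
ABSOLUTE_URI = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_proxy_style(rec):
    """True for the request shapes a proxy client (or proxy checker) sends."""
    return rec["method"] == "CONNECT" or bool(ABSOLUTE_URI.match(rec["target"]))


def summarize(lines):
    """Split proxy-style requests into relayed (2xx) and refused (anything else)."""
    relayed, refused, sources = [], Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_proxy_style(rec):
            continue                      # ordinary traffic, or an unparseable line
        sources[rec["ip"]] += 1
        if 200 <= rec["status"] < 300:
            relayed.append((rec["ip"], rec["method"], rec["target"], rec["status"]))
        else:
            refused[(rec["status"], rec["target"])] += 1
    return {"relayed": relayed, "refused": refused, "sources": sources}


def report(summary):
    """Render the summary in the logwatch style quoted in the first post."""
    out = []
    if summary["relayed"]:
        out.append("Proxy requests that were RELAYED (investigate):")
        for ip, method, target, status in summary["relayed"]:
            out.append(f"    {ip} -> {method} {target}: {status}")
    out.append("Proxy-style requests refused or served locally:")
    for (status, target), n in sorted(summary["refused"].items()):
        out.append(f"    {status} {target}: {n} Time(s)")
    out.append("Sources:")
    for ip, n in summary["sources"].most_common():
        out.append(f"    {ip}: {n} Time(s)")
    return "\n".join(out)


# Constructed sample: the azenv.php checker refused twice, a CONNECT refused with
# 405 and later accepted with 200, normal local traffic, and one relayed GET.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2008:06:23:31 -0500] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 404 13 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [12/Nov/2008:06:23:35 -0500] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 403 202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [12/Nov/2008:07:01:02 -0500] "CONNECT www.google.com:443 HTTP/1.1" 405 312 "-" "-"
198.51.100.7 - - [12/Nov/2008:07:01:09 -0500] "CONNECT www.google.com:443 HTTP/1.0" 200 - "-" "-"
203.0.113.5 - - [12/Nov/2008:07:15:44 -0500] "GET /index.html HTTP/1.1" 200 1337 "-" "curl/7.18.0"
192.0.2.10 - - [12/Nov/2008:08:00:00 -0500] "GET http://www.nassc.com/pr.php HTTP/1.0" 200 4096 "-" "-"
"""

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report(summarize(lines)))
```

Run it as `python3 proxylog.py /var/log/apache2/access.log` (or with no argument for the constructed sample). The "RELAYED" section is the one to act on; entries under "refused or served locally" are the noise both posters were seeing. One caveat the status code cannot resolve on its own: a real proxy passes the upstream server's 404 straight through, so a 404 only means "not relayed" once you have confirmed, as both posters did with httpd -M, that no proxy module is loaded.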
Old 11-12-2008, 01:14 PM   #10
huzbo89
LQ Newbie
 
Registered: Oct 2006
Location: New York City
Distribution: FC8
Posts: 7

Rep: Reputation: 1
Oops!! My apologies for the breach of protocol.

Thank you very much for your help.
 
Old 11-12-2008, 03:33 PM   #11
userlander
Member
 
Registered: Jul 2008
Distribution: Arch, Debian
Posts: 61

Original Poster
Rep: Reputation: 18
Thanks anomie! Appreciate the testing and the confirmation.
 