LinuxQuestions.org

Linux - Security > Possible Apache exploit / 404 NOT FOUND (https://www.linuxquestions.org/questions/linux-security-4/possible-apache-exploit-404-not-found-398184/)

rioguia 12-31-2005 01:14 PM

Possible Apache exploit / 404 NOT FOUND
 
Can anyone tell me how I would find out what someone was trying to run against my apache server?

On Thursday, I saw this entry from logwatch under 404 NOT FOUND. In my http log, I grepped for "prx" and got this returned (ABSOLUTE PATH REDACTED):
Quote:

[client 218.4.80.59] script '/myappache_root_path/virtual_host/prx.php' not found or unable to stat, referer: http://www.google.com/
[client 61.140.251.67] script '/myappache_root_path/virtual_host/prx.php' not found or unable to stat, referer: http://www.google.com/intl/en-us/
I browsed to the URL identified as http://umsky.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b:
and got the following display on my screen.
Code:

q1w2e3r4t5y6u7i8o9p0*a-b:
Accept=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding=gzip,deflate
Accept-Language=en-us,en;q=0.5
Connection=keep-alive
Host=umsky.com
Keep-Alive=300
User-Agent=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7
HTTP_PROXY_CONNECTION:
HTTP_X_FORWARDED_FOR:
HTTP_VIA:
HTTP_MAX_FORWARDS:
REMOTE_ADDR=MY.PUBLIC.IP.ADDRESS (REDACTED ADDRESS)
REMOTE_HOST=
HTTP_PC_REMOTE_ADDR=
HTTP_X_FWD_IP_ADDR=
HTTP_CONNECTION=
VIA:
HTTP_FORWARDED:
FORWARDED:
HTTP_X_BLUECOAT_VIA:
HTTP_PROXY____:
HTTP_PROXY___________:
HTTP_X_HOST:
HTTP_X_REFERER:
HTTP_X_SERVER_HOSTNAME:
PROXY_HOST:
PROXY_PORT:
PROXY_REQUEST:
HTTP_CLIENT_IP:
HTTP_PRAGMA:
HTTP_CACHE_CONTROL:
super or gateway or noproxy
Level:1
代理级别=超级代理
超级代理1=超级代理
代理级别=超级代理q1w2e3r4t5y6u7i8o9p0*a-b:


gilead 12-31-2005 03:13 PM

It could be someone looking for a vulnerable php script - but since it's not on your server, it's probably not worth worrying about.

gilead 01-01-2006 01:19 PM

It's also possible that it's an automated search for unprotected proxy servers. Last night I got a web request in my logs from 218.71.245.2 trying to proxy a request to umsky.com:

Code:

218.71.245.2 - - [01/Jan/2006:17:29:19 +1000] "GET http://umsky.com/px.php?p=q1w2e3r4t5y6u7i8o9p0q&f=proxy&p=203.206.82.44:80&sv=0&r=44543 HTTP/1.1" 403 208 "http://umsky.com/ref.php?r=58491" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
It says that umsky.com is the referer - the only reason I know of for trying to display your own web site through someone else's proxy is to prepare for doing something anonymous. Maybe they value their privacy so much in China, they'd rather surf through my web server ;)

Here's the output from http://www.apnic.net/apnic-bin/whois.pl for 218.71.245.2:
Code:

inetnum:      218.71.192.0 - 218.71.255.255
netname:      CHINANET-ZJ-NB
country:      CN
descr:        CHINANET-ZJ Ningbo node network
descr:        Zhejiang Telecom
admin-c:      CZ4-AP
tech-c:      CN13-AP
status:      ALLOCATED NON-PORTABLE
changed:      auto-dbm@dcb.hz.zj.cn 20050429
mnt-by:      MAINT-CHINANET-ZJ
mnt-lower:    MAINT-CN-CHINANET-ZJ-NB
source:      APNIC

umsky.com resolves to 202.101.165.136 and here's the output from apnic for them:

Code:

inetnum:      202.101.165.128 - 202.101.165.191
netname:      ZHEJIANG-INFO-CENTER
country:      CN
descr:        ZHEJIANG PUBLIC INFORMATION CENTER
descr:        NULL
admin-c:      HZ224-AP
tech-c:      CH122-AP
status:      ASSIGNED NON-PORTABLE
changed:      auto-dbm@dcb.hz.zj.cn 20040611
mnt-by:      MAINT-CN-CHINANET-ZJ-HZ
source:      APNIC

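An added example, not code from anyone in this thread: a Python script that pulls requests of the kind gilead logged out of an Apache combined-format access log (the format is an assumption) and reports whether the server refused or relayed each one. Only the first sample line is from the thread; the other two are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def analyse_line(line):
    """Describe a proxy probe, or return None for any other log line.
    An absolute-URI target (http://host/...) asks this server to fetch another
    site on the client's behalf; a 2xx status means the server complied."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # ordinary relative request, not a proxy attempt
    status = int(m.group("status"))
    # The probe in this thread repeats "p=": once with a token, once with the
    # host:port it ultimately wants reached through the proxy. Keep the latter.
    onward = [v for v in parse_qs(parts.query).get("p", []) if re.fullmatch(r"[\w.-]+:\d+", v)]
    return {
        "client": m.group("client"),
        "proxy_host": parts.netloc,
        "onward_target": onward[0] if onward else None,
        "status": status,
        "open_proxy": 200 <= status < 300,  # relayed: the server is usable as an open proxy
    }

def scan(lines):
    return [r for r in map(analyse_line, lines) if r]

SAMPLE_LOG = [
    # The line gilead posted above: Apache refused to relay it (403).
    '218.71.245.2 - - [01/Jan/2006:17:29:19 +1000] "GET http://umsky.com/px.php?p=q1w2e3r4t5y6u7i8o9p0q&f=proxy&p=203.206.82.44:80&sv=0&r=44543 HTTP/1.1" 403 208 "http://umsky.com/ref.php?r=58491" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    # Constructed: a request for a missing local script (like rioguia's prx.php hits), not a proxy attempt.
    '198.51.100.7 - - [01/Jan/2006:17:30:02 +1000] "GET /prx.php?p=test HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    # Constructed: the same kind of probe answered with 200, which would mean the server relayed it.
    '203.0.113.9 - - [01/Jan/2006:17:31:44 +1000] "GET http://example.com/px.php?f=proxy&p=192.0.2.10:80 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        verdict = "RELAYED - check your proxy config" if hit["open_proxy"] else "refused"
        print(f"{hit['client']} tried to reach {hit['onward_target']} via {hit['proxy_host']}: {verdict}")
```

Gilead's server answered the probe with a 403, which is the outcome to look for; any 2xx on a line like that is the one worth investigating.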

unSpawn 01-03-2006 01:16 PM

Quote:

It's also possible that it's an automated search for unprotected proxy servers.

Yes, it is a script for testing proxies and it's not that good.

lucktsm 01-03-2006 02:13 PM

You can run Snort and take a look at the alert logs. The logs show the exploit and offending IP address. I move them to my blacklist on the firewall.

UK MAdMaN 01-03-2006 03:07 PM

Report it to postmaster@dcb.hz.zj.cn, and possibly also anti-spam@mail.tzptt.zj.cn, anti-spam@ns.chinanet.cn.net and antispam@dcb.hz.zj.cn (I know it wasn't spam, but those are the addresses registered on Abuse.net).

