Possible Apache exploit / 404 NOT FOUND

rioguia · 12-31-2005, 01:14 PM

Can anyone tell me how I would find out what someone was trying to run against my apache server?

On Thursday, I saw this entry from logwatch under 404 NOT FOUND

Quote:

http://umsky.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b: 1 Time(s)

In my http log, I grepped for "prx" and got this returned (ABSOLUTE PATH REDACTED):

Quote:

[client 218.4.80.59] script '/myappache_root_path/virtual_host/prx.php' not found or unable to stat, referer: http://www.google.com/
[client 61.140.251.67] script '/myappache_root_path/virtual_host/prx.php' not found or unable to stat, referer: http://www.google.com/intl/en-us/

I browsed to the URL identifed as:http://umsky.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b:
and got the following display on my screen.

Code:

q1w2e3r4t5y6u7i8o9p0*a-b:
Accept=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding=gzip,deflate
Accept-Language=en-us,en;q=0.5
Connection=keep-alive
Host=umsky.com
Keep-Alive=300
User-Agent=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7
HTTP_PROXY_CONNECTION:
HTTP_X_FORWARDED_FOR:
HTTP_VIA:
HTTP_MAX_FORWARDS:
REMOTE_ADDR=MY.PUBLIC.IP.ADDRESS (REDACTED ADDRESS)
REMOTE_HOST=
HTTP_PC_REMOTE_ADDR=
HTTP_X_FWD_IP_ADDR=
HTTP_CONNECTION=
VIA:
HTTP_FORWARDED:
FORWARDED:
HTTP_X_BLUECOAT_VIA:
HTTP_PROXY____:
HTTP_PROXY___________:
HTTP_X_HOST:
HTTP_X_REFERER:
HTTP_X_SERVER_HOSTNAME:
PROXY_HOST:
PROXY_PORT:
PROXY_REQUEST:
HTTP_CLIENT_IP:
HTTP_PRAGMA:
HTTP_CACHE_CONTROL:
super or gateway or noproxy
Level:1
´úÀí¼¶±ð=³¬¼¶´úÀí
³¬¼¶´úÀí1=³¬¼¶´úÀí
´úÀí¼¶±ð=³¬¼¶´úÀíq1w2e3r4t5y6u7i8o9p0*a-b:

gilead · 12-31-2005, 03:13 PM

It could be someone looking for a vulnerable php script - but since it's not on your server, it's probably not worth worrying about.

gilead · 01-01-2006, 01:19 PM

It's also possible that it's an automated search for unprotected proxy servers. Last night I got a web request in my logs from 218.71.245.2 trying to proxy a request to umsky.com:

Code:

218.71.245.2 - - [01/Jan/2006:17:29:19 +1000] "GET http://umsky.com/px.php?p=q1w2e3r4t5y6u7i8o9p0q&f=proxy&p=203.206.82.44:80&sv=0&r=44543 HTTP/1.1" 403 208 "http://umsky.com/ref.php?r=58491" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

It says that umsky.com is the referer - the only reason I know of for trying to display your own web site through someone else's proxy is to prepare for doing something anonymous. Maybe they value their privacy so much in China, they'd rather surf through my web server

Here's the output from http://www.apnic.net/apnic-bin/whois.pl for 218.71.245.2:

Code:

inetnum:      218.71.192.0 - 218.71.255.255
netname:      CHINANET-ZJ-NB
country:      CN
descr:        CHINANET-ZJ Ningbo node network
descr:        Zhejiang Telecom
admin-c:      CZ4-AP
tech-c:       CN13-AP
status:       ALLOCATED NON-PORTABLE
changed:      auto-dbm@dcb.hz.zj.cn 20050429
mnt-by:       MAINT-CHINANET-ZJ
mnt-lower:    MAINT-CN-CHINANET-ZJ-NB
source:       APNIC

umsky.com resolves to 202.101.165.136 and here's the output from apnic for them:

Code:

inetnum:      202.101.165.128 - 202.101.165.191
netname:      ZHEJIANG-INFO-CENTER
country:      CN
descr:        ZHEJIANG PUBLIC INFORMATION CENTER
descr:        NULL
admin-c:      HZ224-AP
tech-c:       CH122-AP
status:       ASSIGNED NON-PORTABLE
changed:      auto-dbm@dcb.hz.zj.cn 20040611
mnt-by:       MAINT-CN-CHINANET-ZJ-HZ
source:       APNIC

unSpawn · 01-03-2006, 01:16 PM

It's also possible that it's an automated search for unprotected proxy servers.
Yes, it is script for testing proxies and it's not that good.

lucktsm · 01-03-2006, 02:13 PM

You can run Snort and take a look at the alert logs. The logs show the expoit and offending IP address. I move them to my blacklist on the firewall.

UK MAdMaN · 01-03-2006, 03:07 PM

Report it to postmaster@dcb.hz.zj.cn, and possibly also anti-spam@mail.tzptt.zj.cn, anti-spam@ns.chinanet.cn.net and antispam@dcb.hz.zj.cn (I know it wasn't spam, but those are the addresses registered on Abuse.net).