Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 12-31-2005, 01:14 PM (Member, registered Jun 2002, 411 posts)
Possible Apache exploit / 404 NOT FOUND
Can anyone tell me how I would find out what someone was trying to run against my Apache server?
On Thursday, I saw this entry from logwatch under 404 NOT FOUND. In my http log, I grepped for "prx" and got this returned (ABSOLUTE PATH REDACTED):
Quote:
[client 218.4.80.59] script '/myappache_root_path/virtual_host/prx.php' not found or unable to stat, referer: http://www.google.com/
[client 61.140.251.67] script '/myappache_root_path/virtual_host/prx.php' not found or unable to stat, referer: http://www.google.com/intl/en-us/
I browsed to the URL identified as http://umsky.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b:
and got the following display on my screen.
Code:
q1w2e3r4t5y6u7i8o9p0*a-b:
Accept=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding=gzip,deflate
Accept-Language=en-us,en;q=0.5
Connection=keep-alive
Host=umsky.com
Keep-Alive=300
User-Agent=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7
HTTP_PROXY_CONNECTION:
HTTP_X_FORWARDED_FOR:
HTTP_VIA:
HTTP_MAX_FORWARDS:
REMOTE_ADDR=MY.PUBLIC.IP.ADDRESS (REDACTED ADDRESS)
REMOTE_HOST=
HTTP_PC_REMOTE_ADDR=
HTTP_X_FWD_IP_ADDR=
HTTP_CONNECTION=
VIA:
HTTP_FORWARDED:
FORWARDED:
HTTP_X_BLUECOAT_VIA:
HTTP_PROXY____:
HTTP_PROXY___________:
HTTP_X_HOST:
HTTP_X_REFERER:
HTTP_X_SERVER_HOSTNAME:
PROXY_HOST:
PROXY_PORT:
PROXY_REQUEST:
HTTP_CLIENT_IP:
HTTP_PRAGMA:
HTTP_CACHE_CONTROL:
super or gateway or noproxy
Level:1
代理级别=超级代理
超级代理1=超级代理
代理级别=超级代理q1w2e3r4t5y6u7i8o9p0*a-b:
Last edited by rioguia; 12-31-2005 at 01:16 PM.
#2, 12-31-2005, 03:13 PM (Senior Member, registered Dec 2005, Brisbane, Australia, Slackware64 14.0, 4,141 posts)
It could be someone looking for a vulnerable php script - but since it's not on your server, it's probably not worth worrying about.
#3, 01-01-2006, 01:19 PM (Senior Member, registered Dec 2005, Brisbane, Australia, Slackware64 14.0, 4,141 posts)
It's also possible that it's an automated search for unprotected proxy servers. Last night I got a web request in my logs from 218.71.245.2 trying to proxy a request to umsky.com:
Code:
218.71.245.2 - - [01/Jan/2006:17:29:19 +1000] "GET http://umsky.com/px.php?p=q1w2e3r4t5y6u7i8o9p0q&f=proxy&p=203.206.82.44:80&sv=0&r=44543 HTTP/1.1" 403 208 "http://umsky.com/ref.php?r=58491" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
It says that umsky.com is the referer - the only reason I know of for trying to display your own web site through someone else's proxy is to prepare for doing something anonymous. Maybe they value their privacy so much in China, they'd rather surf through my web server.
Here's the output from http://www.apnic.net/apnic-bin/whois.pl for 218.71.245.2:
Code:
inetnum: 218.71.192.0 - 218.71.255.255
netname: CHINANET-ZJ-NB
country: CN
descr: CHINANET-ZJ Ningbo node network
descr: Zhejiang Telecom
admin-c: CZ4-AP
tech-c: CN13-AP
status: ALLOCATED NON-PORTABLE
changed: auto-dbm@dcb.hz.zj.cn 20050429
mnt-by: MAINT-CHINANET-ZJ
mnt-lower: MAINT-CN-CHINANET-ZJ-NB
source: APNIC
umsky.com resolves to 202.101.165.136 and here's the output from apnic for them:
Code:
inetnum: 202.101.165.128 - 202.101.165.191
netname: ZHEJIANG-INFO-CENTER
country: CN
descr: ZHEJIANG PUBLIC INFORMATION CENTER
descr: NULL
admin-c: HZ224-AP
tech-c: CH122-AP
status: ASSIGNED NON-PORTABLE
changed: auto-dbm@dcb.hz.zj.cn 20040611
mnt-by: MAINT-CN-CHINANET-ZJ-HZ
source: APNIC
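The question in post #1 (what was someone trying to run against the server?) and the proxy-style request in post #3 can both be answered from the logs already on the box. The following is an added example, not code from any poster in this thread: it parses Apache "script not found" error-log lines and combined-format access-log lines, flags requests whose target is an absolute URL (what a client sends when it treats your server as an HTTP proxy), and summarises the evidence per client address. The sample log lines are constructed to mimic the ones quoted above; the vhost path is a placeholder.

```python
"""Pull open-proxy probing evidence out of Apache logs.

Added example for this thread (not code from any poster). The sample lines are
constructed to mimic the two kinds of entries quoted above: error-log lines for
a missing prx.php and an access-log request whose target is an absolute URL,
which is what a client sends when it treats your server as an HTTP proxy.
"""
import posixpath
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache 2.x error log: "... [client IP] script 'PATH' not found or unable to
# stat, referer: URL".  The timestamp/level prefix varies, so we search.
ERROR_RE = re.compile(
    r"\[client (?P<ip>[^\]\s]+)\] script '(?P<path>[^']+)' not found or unable to stat"
    r"(?:, referer: (?P<referer>\S+))?"
)

# Apache combined log format.  The request target is captured as one token so
# that an absolute URL can be told apart from an ordinary path.
ACCESS_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample data modelled on the thread's quoted lines; the vhost path
# /srv/www/vhost is a placeholder.
ERROR_LINES = [
    "[Thu Dec 29 10:02:11 2005] [error] [client 218.4.80.59] script "
    "'/srv/www/vhost/prx.php' not found or unable to stat, referer: http://www.google.com/",
    "[Thu Dec 29 11:14:03 2005] [error] [client 61.140.251.67] script "
    "'/srv/www/vhost/prx.php' not found or unable to stat, referer: http://www.google.com/intl/en-us/",
    "[Thu Dec 29 12:00:00 2005] [error] [client 203.0.113.9] File does not exist: /srv/www/vhost/favicon.ico",
]
ACCESS_LINES = [
    '218.71.245.2 - - [01/Jan/2006:17:29:19 +1000] "GET http://umsky.com/px.php?p=q1w2e3r4t5y6u7i8o9p0q&f=proxy&p=203.206.82.44:80&sv=0&r=44543 HTTP/1.1" 403 208 "http://umsky.com/ref.php?r=58491" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.9 - - [01/Jan/2006:17:30:02 +1000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '218.71.245.2 - - [01/Jan/2006:17:31:40 +1000] "GET http://umsky.com/px.php?p=abc&f=proxy HTTP/1.1" 403 208 "-" "Mozilla/4.0"',
]


def parse_error_line(line):
    """Return {'ip', 'script', 'referer'} for a 'script not found' error-log
    line, or None for any other error-log entry."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "script": posixpath.basename(m.group("path")),
            "referer": m.group("referer")}


def parse_access_line(line):
    """Parse a combined-format access-log line.  'proxy_request' is True when
    the request target is an absolute http(s) URL, i.e. the client asked this
    server to fetch another host's page on its behalf."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    proxy = parts.scheme in ("http", "https") and bool(parts.netloc)
    return {"ip": m.group("ip"),
            "status": int(m.group("status")),
            "proxy_request": proxy,
            "host": parts.netloc if proxy else None,
            "path": parts.path}


def probed_scripts(error_lines):
    """Count how often each missing script name was requested."""
    return Counter(rec["script"] for rec in map(parse_error_line, error_lines) if rec)


def summarise(error_lines, access_lines):
    """Per-client summary of probing evidence.  'proxy_served' counts proxy-
    style requests answered with a 2xx: a 403 (as in the thread) means the
    server refused, while a 2xx means something was actually returned and
    deserves a closer look."""
    report = defaultdict(lambda: {"missing_scripts": set(),
                                  "proxy_targets": set(),
                                  "proxy_requests": 0,
                                  "proxy_served": 0})
    for line in error_lines:
        rec = parse_error_line(line)
        if rec:
            report[rec["ip"]]["missing_scripts"].add(rec["script"])
    for line in access_lines:
        rec = parse_access_line(line)
        if rec and rec["proxy_request"]:
            entry = report[rec["ip"]]
            entry["proxy_targets"].add(rec["host"])
            entry["proxy_requests"] += 1
            if 200 <= rec["status"] < 300:
                entry["proxy_served"] += 1
    return dict(report)


if __name__ == "__main__":
    print("scripts probed:", dict(probed_scripts(ERROR_LINES)))
    for ip, info in summarise(ERROR_LINES, ACCESS_LINES).items():
        print(ip, info)
```

Run it against your real logs by replacing the constructed lists with `open(...)` over the error and access logs; the thing to watch for in the summary is any `proxy_served` count above zero, since that is the only case where the server did more than refuse.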
#4, 01-03-2006, 01:16 PM (Moderator, registered May 2001, 29,417 posts)
Quote:
It's also possible that it's an automated search for unprotected proxy servers.
Yes, it is a script for testing proxies, and it's not that good.
#5, 01-03-2006, 02:13 PM (Member, registered May 2004, Atlanta, GA USA, Redhat ES4, FC4, FC5, slax, ubuntu, knoppix, 155 posts)
You can run Snort and take a look at the alert logs. The logs show the exploit and offending IP address. I move them to my blacklist on the firewall.
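Post #5 describes moving Snort-flagged addresses to a firewall blacklist. The following is an added example, not the poster's code: it parses Snort's fast-format alert lines, counts alerts per source address with a priority threshold, an allow list and a minimum hit count, and emits the `ipset`/`iptables` commands as text so the list can be reviewed before anything is blocked. The alert lines are constructed; their rule SIDs are in the local (1000000+) range and are placeholders, and the set name `snort-blacklist` is an assumption.

```python
"""Turn Snort fast-format alerts into a reviewable firewall blacklist.

Added example for this thread (not any poster's code).  Reads Snort's
alert_fast output, counts alerts per source address, and returns ipset/iptables
command strings instead of running them.  The alert lines below are
constructed; rule SIDs are local-range placeholders.
"""
import re
from collections import Counter

# Snort alert_fast line: "MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT"
# (the port parts are absent for ICMP).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification: (?P<cls>[^\]]+)\])?"
    r"\s+\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample alerts (SIDs 1000001/1000002 are placeholders).
SAMPLE_ALERTS = [
    "01/03-14:01:12.004512  [**] [1:1000001:1] LOCAL WEB proxy probe prx.php [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 218.71.245.2:3310 -> 203.0.113.5:80",
    "01/03-14:01:13.118800  [**] [1:1000001:1] LOCAL WEB proxy probe prx.php [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 218.71.245.2:3311 -> 203.0.113.5:80",
    "01/03-14:05:40.220001  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 203.0.113.5",
    "01/03-14:07:02.000133  [**] [1:1000001:1] LOCAL WEB proxy probe prx.php [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 203.0.113.5:80",
]


def parse_fast_alert(line):
    """Return the alert's fields as a dict (priority as int), or None if the
    line is not a fast-format alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    return rec


def build_blacklist(lines, max_priority=2, min_alerts=1, allow=frozenset(),
                    protocols=("TCP",)):
    """Source addresses worth blocking: alerts at priority <= max_priority
    (1 is Snort's highest), seen at least min_alerts times, not on the allow
    list, and only for the given protocols.  UDP and ICMP source addresses are
    trivially forged, so auto-blocking on them would let anyone get an
    innocent address (your own admin host, say) dropped; TCP is the default."""
    hits = Counter()
    for rec in map(parse_fast_alert, lines):
        if rec is None or rec["prio"] > max_priority:
            continue
        if rec["proto"] not in protocols or rec["src"] in allow:
            continue
        hits[rec["src"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_alerts)


def firewall_commands(ips, setname="snort-blacklist"):
    """ipset/iptables commands to block the addresses, returned as strings for
    review.  '-exist' makes the ipset calls idempotent; 'iptables -C' avoids
    inserting the DROP rule twice."""
    cmds = [
        f"ipset create {setname} hash:ip -exist",
        f"iptables -C INPUT -m set --match-set {setname} src -j DROP 2>/dev/null || "
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in ips]
    return cmds


if __name__ == "__main__":
    # 198.51.100.7 stands in for an administrator's own address.
    banned = build_blacklist(SAMPLE_ALERTS, min_alerts=2, allow={"198.51.100.7"})
    print("\n".join(firewall_commands(banned)))
```

Feed it the real `alert` file from Snort's log directory in place of `SAMPLE_ALERTS`, and keep the allow list populated with your own management addresses: the one thing worse than an open proxy probe is locking yourself out because a probe was sent with your address as its source.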