Old 12-07-2015, 12:15 PM   #1
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,055
suspicious entries in apache log


I have been obsessively monitoring my apache log lately and have encountered two issues which worry me. Any information you folks might provide would be most appreciated.

Issue 1: unrecognized users in apache log
I recently looked at my webalizer stats and saw some unrecognized usernames in one section:
Code:
Top 4 of 4 Total Usernames
#  Hits         Files        kB F           kB In      kB Out     Visits      Username
1  584  0.00%   580  0.00%   70350  0.05%   0  0.00%   0  0.00%   20  0.00%   my-apache-auth-username
2   79  0.00%    79  0.00%    1878  0.00%   0  0.00%   0  0.00%   18  0.00%   some-other-user-i-recognize
3    3  0.00%     3  0.00%      33  0.00%   0  0.00%   0  0.00%    1  0.00%   admin
4    1  0.00%     1  0.00%      12  0.00%   0  0.00%   0  0.00%    1  0.00%   Saf
If I'm not mistaken, these usernames are folks who have authenticated via apache authentication. If that is the case, I'm shocked to see admin and Saf as these are users I do not recognize.

I searched the apache log file and found the one request by user Saf. I've modified the requested file path to protect my server's anonymity:
Code:
196.201.218.201 - Saf [18/Nov/2015:18:31:17 +0000] "GET /path/to/some/valid/file.html HTTP/1.1" 200 11926 "http://www.google.com/search?q=telesales+job+description+examples&revid=1469034202&sa=X&ved=0CAYQ1QJqFQoTCJfK1djLmskCFcVVFAodjmQKog" "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5230/20.0.005; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.3"
I would point out that the requested file path does not require authentication for viewing.

I also searched for the 3 requests by user admin. These paths also do not require authentication:
Code:
71.210.10.114 - admin [02/Nov/2015:08:19:06 +0000] "GET /some/file/path1.html HTTP/1.1" 200 8440 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36"
71.210.10.114 - admin [02/Nov/2015:08:19:08 +0000] "GET /some/file/path1.html HTTP/1.1" 200 8240 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36"
71.210.10.114 - admin [02/Nov/2015:08:20:04 +0000] "GET /some/file/path2.html HTTP/1.1" 200 16969 "http://www.myplan.com/some/file/path1.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36"
Issue 2: LOTS of "internal dummy connection" entries with PHP in the user agent
My apache log has about 1.2M of these requests this month:
Code:
::1 - - [08/Nov/2015:10:11:14 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.14 OpenSSL/1.0.1f (internal dummy connection)"
I found an article (which I'm not sure is reputable; it's in a wiki) that says one should not worry about these connections, but I a) don't really understand why this happens and b) would like to exclude these requests (if they are not harmful) from my apache log as they don't really constitute visitor traffic. The solution in the article I linked would exclude ALL loopback requests from the apache log, and I'm not really sure I want to do that. If my server gets compromised and starts querying itself, I'd like to see that in the apache logs.

Can anyone comment/suggest on this? Is it benign? If so, how to exclude just these requests from the apache log while still logging requests from 127.0.0.1?
 
Old 12-07-2015, 06:21 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,345
Looks like apache restarting ("internal dummy connection") but it logs only IPv6 for localhost for the events?
Drove me batty, for a minute.

Search engine (sorry)
Code:
env=dontlog
No "Quotes" for hints/tip/clues.
I never could get a working !env=dontlog environment in my site.conf

Saf and admin - I wouldn't want to see those.

Subscribed with interest...

Last edited by Habitual; 12-07-2015 at 06:23 PM.
 
Old 12-07-2015, 07:01 PM   #3
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,055
Original Poster
Quote:
Originally Posted by Habitual View Post
Looks like apache restarting ("internal dummy connection") but it logs only IPv6 for localhost for the events?
Restarting? I certainly hope not. This entry appears 1.2M times in the apache log for a single month.

Quote:
Originally Posted by Habitual View Post
Search engine (sorry)
Code:
env=dontlog
No "Quotes" for hints/tip/clues.
I never could get a working !env=dontlog environment in my site.conf
I don't know what you are saying here? The second link in my OP offered this:
Quote:
If you wish to exclude them from your log, you can use normal conditional-logging techniques. For example, to omit all requests from the loopback interface from your logs, you can use
Code:
SetEnvIf Remote_Addr "127\.0\.0\.1" loopback
and then add env=!loopback to the end of your CustomLog directive.
However, I don't want to exclude all requests sent from localhost from the apache log. I'm not entirely sure what is being suggested by the apache wiki. I'm guessing SetEnvIf would go into my apache conf file somewhere but I can't really think of any combination of the following that would work:
* Remote_Host
* Remote_Addr
* Server_Addr
* Request_Method
* Request_Protocol
* Request_URI

Quote:
Originally Posted by Habitual View Post
Saf and admin - I wouldn't want to see those.
Noooo! Could you elaborate on why this is bad? I'm not familiar with the particulars of apache access logs. I do know this appears to be the LogFormat directive that's in effect:
Code:
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
Note that out of 59,717,861 lines in my access log, only 4 of them refer to these other usernames. The apache docs, in describing a typical log entry, say:
Quote:
This is the userid of the person requesting the document as determined by HTTP authentication. The same value is typically provided to CGI scripts in the REMOTE_USER environment variable. If the status code for the request (see below) is 401, then this value should not be trusted because the user is not yet authenticated. If the document is not password protected, this part will be "-" just like the previous one.
Now in my case the status code is 200, however the requested file in particular does not require authentication for anyone to view it.

I'm also wondering how on earth one might have authenticated as either user. Neither exists in the one htpasswd file that I have created. I just checked my apache conf directory with a grep search and have only defined one single .htpasswd file and this one htpasswd file does not contain either an admin user or a Saf user. I'm baffled by these entries in my access log.

I'm wondering if some hacker type might have just formulated some tricky request to try and trick my server into thinking they were some particular user, but I haven't the slightest idea how to reproduce this trick.
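The question running through posts #1 and #3 is what a name in the %u column actually proves. The name is whatever Apache stored as the request's user field; for Basic or Digest authentication that is the username the client put in its Authorization header, and the access log records neither which module set it nor whether a password was ever checked against the htpasswd file. What the log can answer is narrower: did any request carrying an unknown name get a non-401 response on a path that is really protected, and is the dummy-connection noise separable from other loopback traffic. The script below is an added example for this thread, not code from the original posts. It parses the thread's own "combined" LogFormat, takes the first three sample lines from the posts above (paths as anonymised by the poster) and constructs the rest; the htpasswd contents and the /private/ prefix are assumptions standing in for the poster's real configuration.

```python
import re

# Parser for Apache's "combined" LogFormat, the one in effect in the thread:
#   %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
LOOPBACK = {"127.0.0.1", "::1"}
DUMMY_UA = "(internal dummy connection)"


def parse_line(line):
    """Fields of one combined-format line as a dict, or None if the line does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")          # %r is "METHOD URI PROTOCOL"
    rec["method"] = parts[0] if parts else ""
    rec["uri"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec


def htpasswd_users(text):
    """Usernames from htpasswd-format text (one 'user:hash' per line, '#' comments allowed)."""
    users = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            users.add(line.split(":", 1)[0])
    return users


def audit_usernames(lines, known_users, protected_prefixes):
    """Every request whose %u is not '-', tagged so the odd ones stand out.

    'trusted' is False for 401 responses: the Apache docs quoted in the thread say %u
    cannot be trusted there, because the client only offered a name and was refused.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue
        findings.append({
            "user": rec["user"], "host": rec["host"], "uri": rec["uri"],
            "status": rec["status"],
            "known": rec["user"] in known_users,
            "protected": any(rec["uri"].startswith(p) for p in protected_prefixes),
            "trusted": rec["status"] != 401,
        })
    return findings


def unknown_user_hits_on_protected_paths(findings):
    """The findings that would actually matter: an unknown name that got a non-401
    response on a path the htpasswd file is supposed to guard."""
    return [f for f in findings if not f["known"] and f["protected"] and f["trusted"]]


def is_dummy_connection(rec):
    """True only for Apache's own wake-up requests: loopback source AND the dummy UA.
    The UA alone is not enough, because any client can send that header string."""
    return rec["host"] in LOOPBACK and DUMMY_UA in rec["agent"]


def split_loopback(lines):
    """Loopback traffic split into dummy connections (safe to drop from the log) and
    everything else from 127.0.0.1/::1 (which should stay logged)."""
    dummy, other = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["host"] in LOOPBACK:
            (dummy if is_dummy_connection(rec) else other).append(rec)
    return dummy, other


# Sample input. The first three lines are copied from the thread (paths anonymised by
# the poster); the remaining four are constructed for this example.
SAMPLE_LOG = [
    '196.201.218.201 - Saf [18/Nov/2015:18:31:17 +0000] "GET /path/to/some/valid/file.html HTTP/1.1" 200 11926 "http://www.google.com/search?q=telesales+job+description+examples&revid=1469034202&sa=X&ved=0CAYQ1QJqFQoTCJfK1djLmskCFcVVFAodjmQKog" "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5230/20.0.005; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.3"',
    '71.210.10.114 - admin [02/Nov/2015:08:19:06 +0000] "GET /some/file/path1.html HTTP/1.1" 200 8440 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36"',
    '::1 - - [08/Nov/2015:10:11:14 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.14 OpenSSL/1.0.1f (internal dummy connection)"',
    # constructed: a known user on the protected area
    '203.0.113.5 - my-apache-auth-username [08/Nov/2015:11:00:00 +0000] "GET /private/report.html HTTP/1.1" 200 512 "-" "curl/7.35.0"',
    # constructed: an unknown name refused on the protected area (401, so %u is untrusted)
    '198.51.100.9 - admin [08/Nov/2015:11:00:05 +0000] "GET /private/report.html HTTP/1.1" 401 381 "-" "curl/7.35.0"',
    # constructed: ordinary loopback traffic that must NOT be dropped from the log
    '127.0.0.1 - - [08/Nov/2015:11:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Wget/1.15 (linux-gnu)"',
    # constructed: an external client forging the dummy-connection User-Agent
    '198.51.100.9 - - [08/Nov/2015:11:02:00 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"',
]
SAMPLE_HTPASSWD = """\
# constructed stand-in for the thread's single htpasswd file; hashes are made up
my-apache-auth-username:$apr1$x9Bq2lVq$0123456789abcdefghijk/
some-other-user-i-recognize:$apr1$x9Bq2lVq$0123456789abcdefghijk/
"""
PROTECTED_PREFIXES = ["/private/"]   # assumption: the directory the htpasswd file guards

if __name__ == "__main__":
    found = audit_usernames(SAMPLE_LOG, htpasswd_users(SAMPLE_HTPASSWD), PROTECTED_PREFIXES)
    for f in found:
        print(f)
    print("unknown user on protected path:", unknown_user_hits_on_protected_paths(found))
    dummy, other = split_loopback(SAMPLE_LOG)
    print(len(dummy), "dummy connections,", len(other), "other loopback requests kept")
```

Run against a real access.log by replacing SAMPLE_LOG with `open("/var/log/apache2/access.log")` and PROTECTED_PREFIXES with the paths covered by the Directory or Location blocks that reference the htpasswd file. On the thread's data the interesting result is that both unknown names appear only on unprotected paths, so the question is not "who logged in as admin" but "which module copied that name out of an Authorization header"; the forged dummy-connection line from an external address shows why the loopback filter has to check the source address and not just the User-Agent.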
 
Old 12-07-2015, 07:22 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,345
Searching the 'net for
Code:
env=dontlog
should lead to an article that outlines the mechanism
Code:
SetEnvIf Remote_Addr "127\.0\.0\.1" loopback
You can call it anything that you fancy, dontlog or loopback, the mechanism is the same.
which says: if the "remote address is 127.0.0.1", set that variable; then add env=!loopback (or env=!dontlog) to the end of your CustomLog directive.

In this scenario, something like
Code:
SetEnvIf Remote_Addr "127\.0\.0\.1" loopback
...
CustomLog /var/log/apache2/access.log combined env=!loopback
"internal dummy connection" seems to mean "When the Apache HTTP Server manages its child processes, it needs a way to wake up processes that are listening for new connections", and that's what I took for apache restarting.

But it's not clear if your apache log is writing IPv4 also. You only showed a localhost IPv6 entry, "::1".
You may have to try
Code:
SetEnvIf Remote_Addr "^::1$" loopback
if it's not logging IPv4 entries.

https://wiki.apache.org/ is authoritative.

Last edited by Habitual; 12-07-2015 at 08:15 PM. Reason: is writing IPv4/is not writing IPv4
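The SetEnvIf Remote_Addr approach above drops every request that arrives over loopback, which is exactly what the original poster said he did not want; it also uses an unanchored "127\.0\.0\.1" (which matches 127.0.0.10 as well) and never matches the ::1 entries actually shown in post #1. The following is an added configuration example, not something from the thread or the Apache wiki, that keys on what identifies a dummy connection and still logs ordinary loopback traffic. It assumes Apache 2.4 with mod_setenvif enabled, the Debian/Ubuntu ${APACHE_LOG_DIR} layout, and that the "combined" LogFormat is already defined as it is in post #3.

```apacheconf
# Added example: keep Apache's own wake-up requests out of access.log without
# hiding any other request that comes in over 127.0.0.1 or ::1.

# 1. Flag requests carrying the dummy-connection User-Agent. On its own this is NOT
#    a safe filter: the header is client-controlled, so anyone could send it to keep
#    their requests out of the log.
SetEnvIf User-Agent "\(internal dummy connection\)$" dontlog

# 2. Take the flag away again for every source address that is not exactly the
#    IPv4 or IPv6 loopback address. SetEnvIf directives run in order, the "!name"
#    form unsets a variable, and the negative lookahead matches any address other
#    than 127.0.0.1 or ::1, so only genuine loopback requests stay flagged.
SetEnvIf Remote_Addr "^(?!(127\.0\.0\.1|::1)$)" !dontlog

# 3. Log everything that is not flagged. A "GET /" from 127.0.0.1 with a normal
#    User-Agent is never flagged by step 1, so it still reaches the log.
CustomLog ${APACHE_LOG_DIR}/access.log combined env=!dontlog
```

Check the syntax with `apachectl configtest` before reloading. To verify the behaviour rather than the syntax: the `::1 - - [...] "OPTIONS * HTTP/1.0" 200 110 ...` lines should stop appearing, a `curl http://127.0.0.1/` from the box itself should still be logged, and a request from another host with a forged `User-Agent: x (internal dummy connection)` should also still be logged, because step 2 strips the flag for non-loopback sources.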
 
Old 12-08-2015, 12:28 PM   #5
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,055
Original Poster
Thanks for the clarifying details.

What about my other question? Can you elaborate on why it's bad that I see users Saf and admin in my access log despite the fact that I've never defined any such users in any htpasswd file? As I said in my last post:

Quote:
Originally Posted by sneakyimp
Could you elaborate on why this is bad? I'm not familiar with the particulars of apache access logs. I do know this appears to be the LogFormat directive that's in effect:
Code:
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
Note that out of 59,717,861 lines in my access log, only 4 of them refer to these other usernames. The apache docs, in describing a typical log entry, say:
Quote:
This is the userid of the person requesting the document as determined by HTTP authentication. The same value is typically provided to CGI scripts in the REMOTE_USER environment variable. If the status code for the request (see below) is 401, then this value should not be trusted because the user is not yet authenticated. If the document is not password protected, this part will be "-" just like the previous one.
Now in my case the status code is 200, however the requested file in particular does not require authentication for anyone to view it.

I'm also wondering how on earth one might have authenticated as either user. Neither exists in the one htpasswd file that I have created. I just checked my apache conf directory with a grep search and have only defined one single .htpasswd file and this one htpasswd file does not contain either an admin user or a Saf user. I'm baffled by these entries in my access log.

I'm wondering if some hacker type might have just formulated some tricky request to try and trick my server into thinking they were some particular user, but I haven't the slightest idea how to reproduce this trick.
 
Old 12-08-2015, 01:45 PM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,345
Quote:
Originally Posted by sneakyimp View Post
Thanks for the clarifying details.

What about my other question? Can you elaborate on why it's bad that I see users Saf and admin in my access log despite the fact that I've never defined any such users in any htpasswd file? As I said in my last post:
I cannot speak to that, as I have no information about it.
It just looks "odd" and anything "odd" is immediately suspect in my book.

Sorry, wish I had more.
PAM service maybe? Just a guess.
 