On 3/5/2014 09:41, Tim wrote:
> Allegedly, on or about 05 March 2014, lee sent:
>> Could someone please explain why/how this may be considered as an
>> attack or at least as something bad?
>
> Have a look at the log line that the original poster sent:
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>
> look above here, where the carets are at the end of these hyphens ---------------------------------------------------------------------^^^
>
> That "200" means a successful result, rather than a failure. In other
> words, what they tried to do, they did.
I've been following this discussion and decided to do some digging
myself because I run several web servers and security is important to
me. I want to share what I've found to hopefully help determine what is
happening here and ensure all of us are adequately protected. Since I
have two Linux web servers at my disposal, I used one as the proxy host
and one as the target host so I could examine the logs of both servers
and see what really happened.
The first thing I needed to do was to replicate the attempt. After poking
around a bit, I came across the following example that anyone can use to
simulate this "attack":
curl -x proxyhostdomainname:80 http://targethostdomainname
Executing this command makes a request to the proxyhostdomainname server
and asks it to fetch the page at the targethostdomainname server. After
executing this command, I got the following output in the Apache server
access log on the proxyhostdomainname server:
XXX.XXX.XXX.XXX - - [05/Mar/2014:09:29:31 -0600] "GET http://targethostdomainname HTTP/1.1" 200 199
The address XXX.XXX.XXX.XXX corresponds to the third Linux system I was
using to simulate the attack. I also noted that the HTML source of the
default page hosted at proxyhostdomainname was displayed in my terminal
screen as a result of the curl command.
Now that I had successfully simulated the attack signature in the log
file of the proxy web server, I logged into the target web server and
looked at its access log. Thankfully I found no log of any activity
from my XXX.XXX.XXX.XXX workstation IP. Not wanting to leave any stone
unturned, I did a "tail -f" on the log file of the target web server and
performed the same test again. I got the same results.
Tom
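An added example, not code from anyone in this thread: a small Python scanner that parses Apache access-log lines and flags the request shape discussed above, namely a request line whose target is an absolute URI (`GET http://host/... HTTP/1.1`) or a `CONNECT` tunnel, which is what an open-proxy probe looks like from the server's side. It tallies those requests by status code and, as Tom's test suggests, treats a 200 whose byte count equals the server's own default page as a sign that the server answered with its local page rather than fetching the named host. The first sample line is the original poster's; the other lines, the IPs 203.0.113.5 / 198.51.100.7 / 192.0.2.9 and the 199-byte default-page size are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common/combined log format: status and size fields are always present,
# referer and user agent (if any) are left unparsed after the size field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: line 1 is the original poster's line, the rest are
# made up for this example (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
203.0.113.5 - - [05/Mar/2014:09:29:31 -0600] "GET http://targethostdomainname HTTP/1.1" 200 199
203.0.113.5 - - [05/Mar/2014:09:30:02 -0600] "GET / HTTP/1.1" 200 199
198.51.100.7 - - [05/Mar/2014:10:11:12 -0600] "CONNECT example.net:443 HTTP/1.1" 405 221
192.0.2.9 - - [05/Mar/2014:10:12:00 -0600] "GET /index.html HTTP/1.1" 304 -
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def is_proxy_request(entry):
    """True when the request line is in proxy form: a CONNECT tunnel request
    or a GET/POST/... whose target is an absolute http(s) URI instead of a path."""
    if entry["method"] == "CONNECT":
        return True
    parts = urlsplit(entry["target"])
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def proxied_host(entry):
    """The host the client asked this server to reach on its behalf."""
    if entry["method"] == "CONNECT":
        return entry["target"].rsplit(":", 1)[0]
    return urlsplit(entry["target"]).hostname or ""


def scan_log(text, local_default_size=None):
    """Collect proxy-form requests from log text.

    local_default_size (assumed, e.g. 199 bytes as in Tom's test) lets the
    scanner count 200 responses that are the same size as the server's own
    default page, i.e. requests the server answered locally rather than fetched.
    """
    report = {"proxy_attempts": [], "by_status": Counter(), "served_local_default": 0}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_proxy_request(entry):
            continue
        report["proxy_attempts"].append(
            (entry["ip"], entry["method"], proxied_host(entry), entry["status"], entry["size"])
        )
        report["by_status"][entry["status"]] += 1
        if (local_default_size is not None
                and entry["status"] == 200
                and entry["size"] == local_default_size):
            report["served_local_default"] += 1
    return report


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG, local_default_size=199)
    for ip, method, host, status, size in result["proxy_attempts"]:
        print(f"{ip:15} {method:7} -> {host:35} status={status} bytes={size}")
    print("by status:", dict(result["by_status"]))
    print("200s matching local default page size:", result["served_local_default"])
```

Run against a real log with `scan_log(open("/var/log/httpd/access_log").read(), local_default_size=N)`, where N is the byte count your own default page produces for a plain `GET /`. A proxy-form request that returns 200 with a different size than the local page is the case worth following up on the named target host; a 200 that matches the local page size is the behaviour Tom describes, where the server simply served its own page.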
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org