Apache Lounge - Forum Index -> Apache
Topic: Error Log - Attacks
MLxS (Joined: 14 May 2007, Posts: 6)
Posted: Mon 03 Oct '11 16:56    Post subject: Error Log - Attacks

I apologise if this has been asked elsewhere - but I am actually struggling to search for this.

I have been reviewing the logs and have increasingly noticed two malformed requests. Examples are below (though obviously the actual requests change).

1) 58.218.199.227 - - [03/Oct/2011:12:52:00 +0100] "GET http://microsoft.com/feed/feed.php HTTP/1.1" 404 1179

2) 195.238.85.136 - - [03/Oct/2011:14:38:48 +0100] "CRi\xe4\xaf\xa9\x05\x88\xa9@w" 501 213

(I have altered the host in number 1 in case it was a malicious link)

Questions
A) Since these are all (as far as I can see) returning a 404 or 501 respectively, do I need to worry?

B) I understand number 1 is attempting to test for open proxies, but what is number 2 trying to do? I know it is hex, but I don't understand it.

C) Is there a way to 'reject' these requests safely rather than have them fill the logs and possibly get through?

Any help appreciated.

Many Thanks!
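The two request lines quoted in the post, run through an added triage script (this is example code written for this page, not code from the post or from Apache httpd). httpd writes the request line to the access log with non-printable bytes escaped as \xHH, so the script first reverses that escaping and then labels each line: an absolute URI for a host the server does not serve (the open-proxy probe), a request line containing bytes outside printable ASCII that httpd could not parse as HTTP at all (the line answered with 501), or an ordinary request. The served hostname example.org and the third, ordinary, log line are constructed for the example.

```python
import re
from datetime import datetime

# Apache common log format, the format of the lines quoted in the post:
#   client - - [time] "request line" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS",
                 b"TRACE", b"CONNECT", b"PATCH"}


def unescape_request(logged):
    """Undo the escaping httpd applies to the request line in the access log:
    non-printable bytes are written as \\xHH, and " and \\ get a backslash."""
    out = bytearray()
    i = 0
    while i < len(logged):
        if (logged[i] == "\\" and i + 3 < len(logged) and logged[i + 1] == "x"
                and all(c in "0123456789abcdefABCDEF" for c in logged[i + 2:i + 4])):
            out.append(int(logged[i + 2:i + 4], 16))
            i += 4
        elif logged[i] == "\\" and i + 1 < len(logged):
            out.append(ord(logged[i + 1]))
            i += 2
        else:
            out.append(ord(logged[i]))
            i += 1
    return bytes(out)


def classify(request_logged, our_hosts):
    """Label one logged request line.
      binary-garbage    bytes outside printable ASCII: not an HTTP request line
      malformed         printable, but not "METHOD SP target SP HTTP/x.y"
      open-proxy-probe  absolute URI whose host is not one we serve
      normal            anything else (the status code still tells you if it hit)"""
    raw = unescape_request(request_logged)
    if any(b < 0x20 or b > 0x7E for b in raw):
        return "binary-garbage"
    parts = raw.split(b" ")
    if len(parts) != 3 or parts[0] not in KNOWN_METHODS or not parts[2].startswith(b"HTTP/"):
        return "malformed"
    target = parts[1].decode("ascii")
    m = re.match(r"^https?://([^/:]+)", target, re.IGNORECASE)
    if m and m.group(1).lower() not in our_hosts:
        return "open-proxy-probe"
    return "normal"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def triage(lines, our_hosts):
    """Return (client ip, status, category) for every parseable log line."""
    result = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            result.append((entry["ip"], entry["status"], classify(entry["request"], our_hosts)))
    return result


SAMPLE = [
    # the two lines quoted in the post (backslashes doubled for Python)
    '58.218.199.227 - - [03/Oct/2011:12:52:00 +0100] "GET http://microsoft.com/feed/feed.php HTTP/1.1" 404 1179',
    '195.238.85.136 - - [03/Oct/2011:14:38:48 +0100] "CRi\\xe4\\xaf\\xa9\\x05\\x88\\xa9@w" 501 213',
    # a constructed ordinary request for comparison
    '192.0.2.10 - - [03/Oct/2011:15:01:02 +0100] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, status, category in triage(SAMPLE, {"example.org"}):
        print(f"{ip:16} {status} {category}")
```

An HTTP/1.1 client is allowed to send an absolute URI, so the proxy check compares the host against the names the server actually serves rather than flagging every absolute URI. The hex bytes in the second line are not an encoding of anything HTTP; they are simply bytes the client sent that are not printable, and httpd refused the request, which is why the response is a 501 with no file served.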
MichaelG72 (Joined: 03 Oct 2011, Posts: 4, Location: Price, Utah)
Posted: Tue 04 Oct '11 0:31    Post subject: Need more info.

1. How often or separated are the requests coming in?
2. It does look like a malformed URL scripting attack to me.
3. Have you gotten any DoS's yet due to many of these requests like you described?

With answers to these questions I would be able to narrow it down. In any case, if the requesting party isn't a critical IP for operations then just block that IP or domain in your firewall.
MLxS (Joined: 14 May 2007, Posts: 6)
Posted: Tue 04 Oct '11 2:19

Michael,

Thanks for getting back to me so promptly.

During 3 October I received 13 of the "GET http://" requests spread fairly evenly through the day. Although the IPs do seem to vary quite a lot, they all start 58.218.*.* (generic IPs from China Telecom).

I received 7 of the hex malformed requests clustered around a couple of hours. Each IP is only seen maybe once or twice.

I know the number makes it fairly insignificant - but only if they are failing. I wonder whether there is any more protection I need to add against the scripting attacks actually working?

Thankfully I haven't noted any DoS's yet, and since I do not host well known websites I will probably evade enough attention.

One of my more publicised websites (for a charity) does get far more blind requests (clearly searching for site vulnerabilities introduced by e.g. phpMyAdmin) and I might get 100 of those in 1 minute (2 per second) from a single IP for a while, then it goes quiet again.

I probably need to add some conditional scripting to stop attacks like that, but I would like to know what I need to watch out for to ensure that I'm not actually vulnerable to these.

I can't really blindly block IPs since genuine, nice people may wish to browse information as the websites are generally informative websites!

Many thanks in advance.
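The burst described above (around 100 requests in a minute from one IP, all of them guesses at paths like phpMyAdmin) is the kind of thing a log-based check can pick out without blocking ordinary visitors. The following is an added example written for this page, not code from the post or from Apache httpd: a sliding-window counter per client IP that flags an address only when it exceeds a request rate and nearly all of its responses are 4xx/5xx, so a busy real visitor whose requests mostly succeed is left alone. The log lines, the thresholds (60 requests per 60 seconds, 80% error ratio) and the three client addresses are constructed for the example and would need tuning for a real site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Only the fields this check needs from a common-log-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?:[^"\\]|\\.)*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("time"), TIME_FMT), int(m.group("status"))


def find_scanners(lines, window=timedelta(seconds=60), max_requests=60, min_error_ratio=0.8):
    """Flag client IPs that send more than max_requests within any `window`
    and get at least min_error_ratio of those answered with 4xx/5xx.
    Lines must be in time order, which is how httpd writes the access log."""
    recent = defaultdict(deque)   # ip -> deque of (time, was_error), oldest first
    flagged = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, t, status = parsed
        q = recent[ip]
        q.append((t, status >= 400))
        while q and t - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            ratio = sum(1 for _, bad in q if bad) / len(q)
            if ratio >= min_error_ratio:
                flagged[ip] = {"first_seen": q[0][0], "requests": len(q),
                               "error_ratio": round(ratio, 2)}
    return flagged


def make_sample():
    """Constructed log lines (not from the original post) to exercise the check."""
    base = datetime.strptime("03/Oct/2011:10:00:00 +0100", TIME_FMT)
    fmt = '{ip} - - [{t}] "GET {path} HTTP/1.1" {status} 213'

    def line(ip, offset, path, status):
        t = (base + timedelta(seconds=offset)).strftime(TIME_FMT)
        return fmt.format(ip=ip, t=t, path=path, status=status)

    probes = ["/phpMyAdmin/", "/pma/", "/myadmin/", "/phpmyadmin/scripts/setup.php"]
    lines = []
    for i in range(100):   # scanner: 2 requests/s for 50 s, every one a 404
        lines.append(line("198.51.100.7", i // 2, probes[i % len(probes)], 404))
    for i in range(80):    # busy genuine visitor: 80 hits in a minute, all 200
        lines.append(line("192.0.2.10", (i * 3) // 4, f"/asset{i}.css", 200))
    for i in range(20):    # low-volume guesser: stays under the rate threshold
        lines.append(line("203.0.113.5", i * 2, "/wp-login.php", 404))
    lines.sort(key=lambda l: parse(l)[1])   # interleave by time, as httpd would log them
    return lines


if __name__ == "__main__":
    for ip, info in find_scanners(make_sample()).items():
        print(ip, info)
```

The output of such a check is a candidate list, not a firewall rule: the addresses in the post change from day to day, so anything fed into a firewall or a RewriteCond should expire after a while rather than accumulate, and the error-ratio condition is what keeps a popular page with many assets per visit from being mistaken for a scan.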
MichaelG72 (Joined: 03 Oct 2011, Posts: 4, Location: Price, Utah)
Posted: Tue 04 Oct '11 2:54    Post subject: Thanks

Most notably keep an eye on those requests and their frequency. It's not a bad thing that the server is putting out the 404 or 501, that's fine. BUT China Telecom is notorious for hackers on their networks, so use caution.

And yes, production and information must flow, and your idea about a counter script or even an Apache rewrite for those specific addresses could be in order.

Thanks
MLxS (Joined: 14 May 2007, Posts: 6)
Posted: Tue 04 Oct '11 2:55

Many thanks for the feedback.

Regards.