Request “strange”
- Tram Ho
If you are a web developer, you must also touch proxy / load balancer or app server. In many operations with this section, regularly checking the log to detect abnormalities is not to be ignored.
Context
Once the website / service is public, it means it has been “exposed” to the internet world. The internet world is like the human world in that “there are people and people everywhere.” That means there are visiting requests for pure purpose, there are also exploratory, destructive requests.
So how do you react to each of these unfriendly requests?
Example # 1
1 2 3 | 185.130.5.207 - - [23 / Dec / 2015: 20: 32: 19 +0900] "GET //myadmin/scripts/setup.php HTTP / 1.1" 404 2413 "-" "-" 185.130.5.207 - - [23 / Dec / 2015: 20: 32: 19 +0900] "GET //phpMyAdmin/scripts/setup.php HTTP / 1.1" 404 2413 "-" "-" 185.130.5.207 - - [14 / Jan / 2016: 11: 47: 07 +0900] "GET // websql/scripts/setup.php HTTP / 1.1" 404 2413 "-" "-" |
Example # 2
1 2 3 | 61.231.4.180 - - [01 / Sep / 2015: 17: 51: 01 +0900] "CONNECT vip163mx01.mxmail.netease.com:25 HTTP / 1.0" 400 172 "-" "-" 111.248.118.30 - - [01 / Sep / 2015: 22: 53: 04 +0900] "CONNECT 163mx01.mxmail.netease.com:25 HTTP / 1.0" 400 172 "-" "-" 141.212.122.90 - - [02 / Sep / 2015: 22: 55: 32 +0900] "CONNECT proxytest.zmap.io:80 HTTP / 1.1" 400 172 "-" "-" |
Example # 3
Suppose your domain is https://abc.com , but you receive the following requests:
1 2 | 146,185,239,100 - - [12 / Jan / 2016: 10: 00: 55 +0900] "GET http://www.alexa.com/ HTTP / 1.1" 200 19871 "-" "-" 146,185,239,100 - - [12 / Jan / 2016: 10: 25: 16 +0900] "GET http://www.alexa.com/ HTTP / 1.1" 200 19871 "-" "-" |
Details of the above 3 types of log are available at this link
How to fix
If in example # 1 and # 2 the status of the request is 2XX, then it means it is already patched.
In # 3, you telnet to https://abc.com , make GET another external host. If the data returned is data of the external host, it is already open, patch ?
Contact yourself
I have met a pretty sloppy case related to # 3 and Rails as follows:
On the homepage of the web, I have the following cache partial:
1 2 3 | cache "this_partial" due <% = link_to 'Link Name', resouce_url%> (*) end |
And right after I deploy, there is 1 request form # 3 poured, turned my link (*) into:
1 | <a href="http://www.alexa.com/resouce"> Link Name </a> |
instead of
1 | <a href="https://abc.com/resouce"> Link Name </a> |
Fix it by getting the absolute url to the relative path right away. Soulful.
Look forward to sharing more “strange” log lines from kipaloger.
Ref:
https://wiki.apache.org/httpd/ProxyAbuse
http://www.the-art-of-web.com/system/telnet-http11/
Markdown end here Social share
Note of the author summarizes the article content
- Your server can be probed at any time, in different ways.
- Knowing if your server has a vulnerability is based on the logs collected.
- Exploring doesn’t mean your server has a vulnerability. Ignore it if the log line shows a safe result. On the contrary, fix it right away.
ITZone via kipalog
Source : Kipalog