BizLab Posted June 22, 2010

Hey there, I've been noticing some strange things in my 404 error logs. It looks as if someone is trying to proxy another server from my box, but they are getting denied. I have the ProxyRequests directive commented out in my httpd.conf file, which is the reason for the reject on their request. My question is what are they even trying to do with this??

/folder/in/my/site/www.othersite.com

I also just saw this one today:

/folder/sub-fol%3Ca%20href=

In this attempt, the non-friendly tries to leave off the last 1/2 of the sub folder's name and then add <a space href= OR [%3ca%20href=], which is obviously a link, but I'm not sure what the point is.

The final question was on this line:

/image-folder/image-sub-folder/mbpvpmmh/

What is the gibberish on the end (mbpvpmmh)? I'm really not sure what I am missing here. It looks as if the server is doing its job though and has the correct settings, but I'd like to get a little more information as to what the purpose of this nonsense is.

Thanks!!

BizLab Posted June 22, 2010

Another thing, whoever is doing this has been trying to access the system a few times. There must be a way for me to find an IP address on this person. Is there a way to find the IP address associated with / responsible for these 404 entries?

cags Posted June 22, 2010

I'm not sure exactly where you are getting this information from or in what format it appears, but my error logs look like this...

[Sat Jun 19 18:04:22 2010] [error] [client 127.0.0.1] File does not exist: <path to file>

... as you should see the third parameter gives the IP address.

BizLab Posted June 22, 2010

> I'm not sure exactly where you are getting this information from or in what format it appears, but my error logs look like this...
>
> [Sat Jun 19 18:04:22 2010] [error] [client 127.0.0.1] File does not exist: <path to file>
>
> ... as you should see the third parameter gives the IP address.

Hey Cags,

This info is coming from AWStats. I've been looking for the location of these log files that you referenced here. Where are they generally found on the server??

Also, I'm looking for some great resources (books) for Apache and Linux. I need to get my admin skills up to par. I will search Amazon too.

cags Posted June 22, 2010

Well in my case they are located within a log folder within the Apache folder. The exact location of the error log is often set in the vhost settings of your .conf file. Depending on your server this location can change wildly, especially if you are using a managed system such as Parallels/cPanel (it took me a day and an age to find mine).

The most useful resource I've found with regards to Apache is their own online documentation; that is where I've gained most of my knowledge from. I'm sure there are decent books about, but I certainly couldn't recommend one. As far as Linux goes, I'm a proper noob. I can just about navigate around the file system, but that's about as far as my knowledge goes. Just playing around on my VPS is slowly helping me improve my knowledge though.

BizLab Posted June 22, 2010

OK, thanks Cags. That's actually how I've been learning Linux and Apache... not generally the way I want to learn things though - lol. My mistakes crashing a test site are a bit more critical now that the site is live =^)

I will look over the conf file to see what I can find. I didn't realize I would be able to view the actual log files with Vi in Linux, thanks!

Anyone have a clue as to why people even bother to proxy using the absolute URL in another site's file path??

yoursite.com/your-cool-folder/www.the-destination-domain.com

I've heard that it can be used to cloak the (wanna be) 'crackers' location slightly, but if they were hardcore #1 I (especially) would not catch them and #2 they would use the Tor network instead - this is why I'm clueless.

BizLab Posted June 22, 2010

HERE WE GO, I found something here. This is all from the same IP - - about 12 entries in the access_logs. What is happening here? I don't know how the GET request works when i a url (as a literal) such as this..

76.126.125.31 - - [22/Jun/2010:01:57:29 -0400] "GET /images/folder/image.jpg HTTP/1.1" 200 29610 "http://www.domain.com/folder/page.php?id=4" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"

cags Posted June 22, 2010

That's just an access log. It appears to be perfectly valid; I believe the 200 means it was a successful request. http://www.domain.com/folder/page.php?id=4 appears to be the page that requested /images/folder/image.jpg, and the last section would be the person's user agent.

BizLab Posted June 22, 2010

[Sun Jun 20 17:11:19 2010] [error] [client xx.xx.xxx.xxx] File does not exist: /var/www/vhosts/default/htdocs/_vti_bin
[Sun Jun 20 17:11:19 2010] [error] [client xx.xx.xxx.xxx] request failed: URI too long (longer than 8190)
[Sun Jun 20 18:34:49 2010] [error] [client xx.xx.xxx.xxx] request failed: URI too long (longer than 8190)
[Sun Jun 20 18:34:49 2010] [error] [client xx.xx.xxx.xxx] File does not exist: /var/www/vhosts/default/htdocs/_vti_bin
[Mon Jun 21 11:13:53 2010] [error] [client xx.xx.xxx.xxx] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin
[Mon Jun 21 20:01:28 2010] [error] [client xx.xx.xxx.xxx] File does not exist: /var/www/vhosts/default/htdocs/pma
[Tue Jun 22 11:06:38 2010] [error] [client xx.xx.xxx.xxx] File does not exist: /var/www/vhosts/default/htdocs/mysql

Ok, it turns out I was looking at the wrong files. Here are the server logs. It looks like mr. client is trying to find some assets.. is there anything I can do to block this?

cags Posted June 22, 2010

Were they all from the same IP address? It very much seems like it's just looking for popular folder names for scripts that allow access to secure information. It's fairly likely it's just a bot that is probing to collect a list of sites; the bot/owner would then try using other 'hacking' scripts on those sites that contain these folders. The basic idea is if you collect a large enough list of sites that have a phpMyAdmin folder, there's a chance you will find one with default settings or poor security and then you can exploit the site. To be honest this is probably true regardless of whether they are from the same IP.

You could start blocking the IP address, but at the end of the day what's the point? The site has tried to access a page and has received a message to say that folder doesn't exist, no harm has been done. 404 errors don't harm anyone, it's when it finds a page you are in more trouble.

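Added example, not part of the original thread: a short Python script covering the two questions raised above, which client IP is behind the error-log entries and whether its requests match the admin-folder probing cags describes. The sample lines are constructed in the error-log format BizLab posted, with RFC 5737 documentation addresses in place of the redacted IPs; `PROBE_NAMES`, `summarize` and `likely_scanners` are names chosen for this example.

```python
import re
from collections import defaultdict

# Apache 2.2-style error log line, the format quoted in this thread.
LINE_RE = re.compile(r"^\[[^\]]+\] \[\w+\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
MISSING_RE = re.compile(r"^File does not exist: (?P<path>\S+)")
# Folder names probed in the posted excerpt (compared case-insensitively).
PROBE_NAMES = {"_vti_bin", "phpmyadmin", "pma", "mysql"}

# Constructed sample: same shape as the posted lines, with documentation-range
# addresses (RFC 5737) standing in for the redacted client IPs.
SAMPLE_LOG = """\
[Sun Jun 20 17:11:19 2010] [error] [client 203.0.113.7] File does not exist: /var/www/vhosts/default/htdocs/_vti_bin
[Sun Jun 20 17:11:19 2010] [error] [client 203.0.113.7] request failed: URI too long (longer than 8190)
[Mon Jun 21 11:13:53 2010] [error] [client 203.0.113.7] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin
[Mon Jun 21 20:01:28 2010] [error] [client 198.51.100.23] File does not exist: /var/www/vhosts/default/htdocs/pma
[Tue Jun 22 11:06:38 2010] [error] [client 198.51.100.23] File does not exist: /var/www/vhosts/default/htdocs/favicon.ico
not an error-log line
"""

def summarize(log_text):
    """Return {client_ip: {"probes": [...], "oversized": n, "other_404": n}}."""
    report = defaultdict(lambda: {"probes": [], "oversized": 0, "other_404": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        entry = report[m["client"]]
        missing = MISSING_RE.match(m["msg"])
        if missing:
            name = missing["path"].rstrip("/,").rsplit("/", 1)[-1]
            if name.lower() in PROBE_NAMES:
                entry["probes"].append(name)
            else:
                entry["other_404"] += 1
        elif m["msg"].startswith("request failed: URI too long"):
            entry["oversized"] += 1
    return dict(report)

def likely_scanners(report, min_probes=2):
    """Clients that requested at least min_probes known admin-folder names."""
    return sorted(ip for ip, e in report.items() if len(e["probes"]) >= min_probes)

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip, e in rep.items():
        print(ip, e)
    print("likely scanners:", likely_scanners(rep))
```

To run it against a real log, pass the file's contents to `summarize` in place of `SAMPLE_LOG`; lines that do not match the format are skipped.
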
BizLab Posted June 25, 2010

Thanks man. I will keep an eye out for anything crazy, and I've found a few Linux books that I may pick up. The online Apache reference is the only source for education at this point.