Jump to content

access.log


Go to solution Solved by requinix,

Recommended Posts

Hi all !

 

i am getting the following output in my access.log which looks quite alien to me. Also there seem to be attempts to upload some images to the server. Bank icons !! 

 

 

[18/Jan/2018:07:11:00 +0000] "GET / HTTP/1.1" 200 380 "-" "Mozilla"

66.102.6.111 - - [18/Jan/2018:08:26:53 +0000] "GET / HTTP/1.1" 200 3665 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.7$
66.102.6.109 - - [18/Jan/2018:08:26:54 +0000] "GET /favicon.ico HTTP/1.1" 404 3734 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/$
114.24.49.101 - - [18/Jan/2018:08:27:46 +0000] "GET / HTTP/1.1" 200 375 "-" "Mozilla/5.0 zgrab/0.x"
84.26.6.218 - - [18/Jan/2018:09:52:59 +0000] "GET / HTTP/1.0" 200 417 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
27.155.87.26 - - [18/Jan/2018:13:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 515 "-" "python-requests/2.7.0 CPython/2.7.14 Windows/2008ServerR2"
216.218.206.67 - - [18/Jan/2018:14:44:32 +0000] "GET / HTTP/1.1" 200 3357 "-" "-"
77.72.83.233 - - [18/Jan/2018:14:47:32 +0000] "GET / HTTP/1.1" 200 380 "-" "Mozilla"
118.193.207.158 - - [18/Jan/2018:16:41:09 +0000] "GET /upload/bank-icons/bank-gh.jpg HTTP/1.1" 404 524 "http://130.158.115.248:80/upload/bank-icons/bank-gh.jpg" "Mozil$
118.193.207.158 - - [18/Jan/2018:16:41:09 +0000] "GET /upload/bank-icons/bank_16.png HTTP/1.1" 404 523 "http://130.158.115.248:80/upload/bank-icons/bank_16.png" "Mozil$
178.62.253.38 - - [18/Jan/2018:17:50:21 +0000] "GET / HTTP/1.0" 200 380 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
89.248.172.16 - - [18/Jan/2018:19:11:30 +0000] "GET / HTTP/1.1" 200 361 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Sa$
89.248.172.16 - - [18/Jan/2018:19:11:37 +0000] "GET /robots.txt HTTP/1.1" 404 449 "-" "-"
89.248.172.16 - - [18/Jan/2018:19:11:52 +0000] "GET /favicon.ico HTTP/1.1" 404 506 "-" "python-requests/2.10.0"
196.52.43.115 - - [18/Jan/2018:20:14:13 +0000] "GET / HTTP/1.0" 200 380 "-" "Mozilla/5.0(WindowsNT6.1;rv:31.0)Gecko/20100101Firefox/31.0"
51.15.148.214 - - [18/Jan/2018:21:22:53 +0000] "GET / HTTP/1.0" 200 380 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
77.72.83.233 - - [18/Jan/2018:21:45:40 +0000] "GET / HTTP/1.1" 200 380 "-" "Mozilla"
45.55.3.27 - - [18/Jan/2018:22:33:08 +0000] "GET / HTTP/1.1" 200 375 "-" "Mozilla/5.0 zgrab/0.x"
168.235.93.142 - - [18/Jan/2018:23:23:32 +0000] "GET / HTTP/1.1" 200 431 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/$
77.72.83.233 - - [18/Jan/2018:23:50:07 +0000] "GET / HTTP/1.1" 200 380 "-" "Mozilla"
191.96.249.136 - - [19/Jan/2018:00:48:05 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 486 "-" "-"
139.162.78.135 - - [19/Jan/2018:01:53:27 +0000] "GET / HTTP/1.1" 200 3429 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0$
164.132.91.13 - - [19/Jan/2018:04:10:36 +0000] "GET / HTTP/1.1" 200 3571 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101"
60.191.52.254 - - [19/Jan/2018:06:10:35 +0000] "HEAD http://wap.ip138.com/ HTTP/1.1" 200 251 "-" "Java/1.8.0_77"
 

 

Do I need to worry about these ? If so, what precautions should I take?

 

Thanks.

 

 

Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/
Share on other sites

Nothing in there is attempting to upload an image. It's checking for that image.

 

It all looks like standard fare for a server on the internet: port scans, vulnerability scans, and proxy capability tests. The only thing I don't like in there is

60.191.52.254 - - [19/Jan/2018:06:10:35 +0000] "HEAD http://wap.ip138.com/ HTTP/1.1" 200 251 "-" "Java/1.8.0_77"
which could be good or bad, but best is it would respond with a 4xx (like a generic 404 or a 400) instead of a 200 (meaning success but it could be the server responded with your homepage).
Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555533
Share on other sites

Hi requinix, 

 

Thanks ! 

 

 

 

 but best is it would respond with a 4xx (like a generic 404 or a 400) 

 

hmm how can I check whether the server responded with my home page ?and what should I do to ensure that the server returns a 4xx message instead of the 200?

 

Thanks again !

Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555537
Share on other sites

I'm not sure what the best way is, but as for myself I would execute a similar request. Using telnet you can do HTTP requests if you know what to send:

$ echo 'HEAD http://wap.ip138.com/ HTTP/1.1
Host: whatever.your.website.is
Connection: close

' | telnet whatever.your.website.is 80
Then see what the server does.

 

You could do the same basic thing in cURL but for me telnet is easier.

Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555539
Share on other sites

Hi requinix,

 

This is what I got on the terminal 

 

 

Connected to my-web-site.com

Escape character is '^]'.
Connection closed by foreign host.
 

 

and this is what I get in the access.log

 

 

"HEAD http://wap.ip138.com/ HTTP/1.1" 200 270 "-" "-"

 

If you would be good enough to say what is the interpretation from this? Safe or Dangerous?  And any remedial action necessary ?

 

Thanks loads !

Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555544
Share on other sites

The request was malformed but you're still not seeing the output.

 

Try something else.

header("Content-Type: text/plain");

$h = fsockopen("my-web-site.com", 80);
fwrite($h, "HEAD http://wap.ip138.com/ HTTP/1.1\r\nHost: whatever.your.website.is\r\nConnection: close\r\n\r\n");
fpassthru($h);
fclose($h);
Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555558
Share on other sites

:rolleyes: yes, so it does !

 

Hi !! The code outputs :

 

 

 

HTTP/1.1 200 OK
Date: Sat, 20 Jan 2018 07:53:49 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Thu, 14 Dec 2017 18:46:24 GMT
ETag: "6e-560514d0aace0"
Accept-Ranges: bytes
Content-Length: 110
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
 

 

access.log

 

 

"GET /test_access.php HTTP/1.1" 200 3629 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrom$

 

 

Thanks !

Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555590
Share on other sites

Wrong access log entry.

 

Try changing that HEAD to a GET.

header("Content-Type: text/plain");

$h = fsockopen("my-web-site.com", 80);
fwrite($h, "GET http://wap.ip138.com/ HTTP/1.1\r\nHost: whatever.your.website.is\r\nConnection: close\r\n\r\n");
fpassthru($h);
fclose($h);
Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555591
Share on other sites

Hi, 

 

Here's what I got 

 

 

 

HTTP/1.1 200 OK
Date: Sat, 20 Jan 2018 09:04:51 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Thu, 14 Dec 2017 18:46:24 GMT
ETag: "6e-560514d0aace0"
Accept-Ranges: bytes
Content-Length: 110
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html>
<head>
<title>LAMP</title>
</head>
<body>
</br>
<a>Apache Homepage</a>
</br>
</body>
</html>
 

 

and access.log shows:

 

- - [20/Jan/2018:09:04:51 +0000] "GET http://wap.ip138.com/ HTTP/1.1" 200 380 "-" "-"

- - [20/Jan/2018:09:04:51 +0000] "GET /test_access.php HTTP/1.1" 200 3693 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML$
 

 

Thanks !

Edited by ajoo
Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555592
Share on other sites

Hi requinix, 

 

 

 

You did change the "Host: whatever.your.website.is" part to match your site, right?

yes I did. 

 

Great to know that It's safe and I can ignore it. 

 

May I request you to kindly explain this code a bit. Like what was the code that we sent and how we figured out from the response that it's ok.  

 

Thanks a lot. 

Edited by ajoo
Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555596
Share on other sites

The code is a very simple HTTP request that should be very similar to the one that created the original HEAD... entry in the access log. We produced the same approximate result in the access log, and the response from that request was benign. Therefore it's a reasonable assumption that the original request also produced a similar benign response.

  • Like 1
Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555598
Share on other sites

  • Solution

No, actually a 404 would have been a good (better) thing than the 200. 404 means the server didn't know what to do with the request. As in it didn't correspond to a file or directory and it didn't have any other way to interpret what it might mean (such as through URL rewriting). A 200 means it was able to handle it in some way that seemed reasonable.

 

Though uncommonly used, servers are supposed to accept absolute URLs in there - a place which should normally only have relative URLs. Requesting "http://whatever.your.website.is/foo" results in an HTTP request containing

GET /foo HTTP/1.1
Host: whatever.your.website.is
(plus other stuff). With our fake request, Apache reinterprets it

HEAD http://wap.ip138.com/ HTTP/1.1
Host: whatever.your.website.is
to instead mean

HEAD / HTTP/1.1
Host: wap.ip138.com
That is, it rewrites the request URI and the Host according to the absolute URL that was used.

 

Since your server doesn't handle the "wap.ip138.com" domain, Apache picks the default virtualhost instead. It then runs the request like normal, which results in the output we saw.

 

See also

  • Like 1
Link to comment
https://forums.phpfreaks.com/topic/306264-accesslog/#findComment-1555603
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.