ajoo Posted January 19, 2018

Hi all! I am getting the following output in my access.log, which looks quite alien to me. Also there seem to be attempts to upload some images to the server. Bank icons!!

[18/Jan/2018:07:11:00 +0000] "GET / HTTP/1.1" 200 380 "-" "Mozilla"
66.102.6.111 - - [18/Jan/2018:08:26:53 +0000] "GET / HTTP/1.1" 200 3665 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.7$
66.102.6.109 - - [18/Jan/2018:08:26:54 +0000] "GET /favicon.ico HTTP/1.1" 404 3734 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/$
114.24.49.101 - - [18/Jan/2018:08:27:46 +0000] "GET / HTTP/1.1" 200 375 "-" "Mozilla/5.0 zgrab/0.x"
84.26.6.218 - - [18/Jan/2018:09:52:59 +0000] "GET / HTTP/1.0" 200 417 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
27.155.87.26 - - [18/Jan/2018:13:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 515 "-" "python-requests/2.7.0 CPython/2.7.14 Windows/2008ServerR2"
216.218.206.67 - - [18/Jan/2018:14:44:32 +0000] "GET / HTTP/1.1" 200 3357 "-" "-"
77.72.83.233 - - [18/Jan/2018:14:47:32 +0000] "GET / HTTP/1.1" 200 380 "-" "Mozilla"
118.193.207.158 - - [18/Jan/2018:16:41:09 +0000] "GET /upload/bank-icons/bank-gh.jpg HTTP/1.1" 404 524 "http://130.158.115.248:80/upload/bank-icons/bank-gh.jpg" "Mozil$
118.193.207.158 - - [18/Jan/2018:16:41:09 +0000] "GET /upload/bank-icons/bank_16.png HTTP/1.1" 404 523 "http://130.158.115.248:80/upload/bank-icons/bank_16.png" "Mozil$
178.62.253.38 - - [18/Jan/2018:17:50:21 +0000] "GET / HTTP/1.0" 200 380 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
89.248.172.16 - - [18/Jan/2018:19:11:30 +0000] "GET / HTTP/1.1" 200 361 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Sa$
89.248.172.16 - - [18/Jan/2018:19:11:37 +0000] "GET /robots.txt HTTP/1.1" 404 449 "-" "-"
89.248.172.16 - - [18/Jan/2018:19:11:52 +0000] "GET /favicon.ico HTTP/1.1" 404 506 "-" "python-requests/2.10.0"
196.52.43.115 - - [18/Jan/2018:20:14:13 +0000] "GET / HTTP/1.0" 200 380 "-" "Mozilla/5.0(WindowsNT6.1;rv:31.0)Gecko/20100101Firefox/31.0"
51.15.148.214 - - [18/Jan/2018:21:22:53 +0000] "GET / HTTP/1.0" 200 380 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
77.72.83.233 - - [18/Jan/2018:21:45:40 +0000] "GET / HTTP/1.1" 200 380 "-" "Mozilla"
45.55.3.27 - - [18/Jan/2018:22:33:08 +0000] "GET / HTTP/1.1" 200 375 "-" "Mozilla/5.0 zgrab/0.x"
168.235.93.142 - - [18/Jan/2018:23:23:32 +0000] "GET / HTTP/1.1" 200 431 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/$
77.72.83.233 - - [18/Jan/2018:23:50:07 +0000] "GET / HTTP/1.1" 200 380 "-" "Mozilla"
191.96.249.136 - - [19/Jan/2018:00:48:05 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 486 "-" "-"
139.162.78.135 - - [19/Jan/2018:01:53:27 +0000] "GET / HTTP/1.1" 200 3429 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0$
164.132.91.13 - - [19/Jan/2018:04:10:36 +0000] "GET / HTTP/1.1" 200 3571 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101"
60.191.52.254 - - [19/Jan/2018:06:10:35 +0000] "HEAD http://wap.ip138.com/ HTTP/1.1" 200 251 "-" "Java/1.8.0_77"

Do I need to worry about these? If so, what precautions should I take? Thanks.
requinix Posted January 19, 2018

Nothing in there is attempting to upload an image. It's checking for that image.

It all looks like standard fare for a server on the internet: port scans, vulnerability scans, and proxy capability tests. The only thing I don't like in there is

60.191.52.254 - - [19/Jan/2018:06:10:35 +0000] "HEAD http://wap.ip138.com/ HTTP/1.1" 200 251 "-" "Java/1.8.0_77"

which could be good or bad, but best is it would respond with a 4xx (like a generic 404 or a 400) instead of a 200 (meaning success but it could be the server responded with your homepage).
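The sorting that requinix does by eye above (scanner user agents, vulnerability probes for paths like /phpmyadmin, and the absolute-URL proxy test) can be done mechanically over the log. The script below is an added example written for this thread, not code from either poster. It assumes the log is in Apache's "combined" format, the tag names and the scanner/path marker lists are the author's own choices, and the sample lines are constructed from the entries quoted in the first post with their truncated user agents shortened so each line is complete.

```python
import re
from collections import Counter

# Apache "combined" log format, assumed to be what the access.log above uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: entries taken from the thread, with the truncated
# user agents shortened so that each line is a complete record.
SAMPLE_LOG = """\
114.24.49.101 - - [18/Jan/2018:08:27:46 +0000] "GET / HTTP/1.1" 200 375 "-" "Mozilla/5.0 zgrab/0.x"
27.155.87.26 - - [18/Jan/2018:13:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 515 "-" "python-requests/2.7.0 CPython/2.7.14 Windows/2008ServerR2"
118.193.207.158 - - [18/Jan/2018:16:41:09 +0000] "GET /upload/bank-icons/bank-gh.jpg HTTP/1.1" 404 524 "http://130.158.115.248:80/upload/bank-icons/bank-gh.jpg" "Mozilla/5.0"
178.62.253.38 - - [18/Jan/2018:17:50:21 +0000] "GET / HTTP/1.0" 200 380 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
191.96.249.136 - - [19/Jan/2018:00:48:05 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 486 "-" "-"
139.162.78.135 - - [19/Jan/2018:01:53:27 +0000] "GET / HTTP/1.1" 200 3429 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36"
60.191.52.254 - - [19/Jan/2018:06:10:35 +0000] "HEAD http://wap.ip138.com/ HTTP/1.1" 200 251 "-" "Java/1.8.0_77"
"""

# Substrings of user agents belonging to mass scanners that appear in the log above.
SCANNER_UA_MARKERS = ("masscan", "zgrab", "python-requests")
# Application paths that only automated scans request on a host that does not run them
# (hypothetical list; extend it with whatever your own server does not serve).
ADMIN_PATH_PREFIXES = ("/phpmyadmin", "/pma/", "/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Tag an entry with the reasons it looks like scanner noise or a proxy probe."""
    tags = []
    target = entry["target"]
    ua = entry["ua"].lower()
    # Absolute-form request target ("GET http://other.host/ ..."): the sender is
    # testing whether this server will relay the request like an open proxy.
    if target.startswith(("http://", "https://")):
        tags.append("proxy-probe")
        if entry["status"] == "200":
            # The server answered as if it were the named host; a 4xx would be preferable.
            tags.append("proxy-probe-answered-200")
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        tags.append("scanner-ua")
    if target.lower().startswith(ADMIN_PATH_PREFIXES):
        tags.append("admin-path-probe")
    return tags


def triage(log_text):
    """Return {(ip, target): tags} for every line that earned at least one tag."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or non-combined line, skip it
        tags = classify(entry)
        if tags:
            findings[(entry["ip"], entry["target"])] = tags
    return findings


def tag_counts(findings):
    """Count how often each tag occurs, for a quick summary of what the log contains."""
    return Counter(tag for tags in findings.values() for tag in tags)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (ip, target), tags in result.items():
        print(f"{ip:16} {target:40} {', '.join(tags)}")
    print(dict(tag_counts(result)))
```

Run against a real access.log by replacing SAMPLE_LOG with the file's contents. Note that the two bank-icon requests earn no tag: they are ordinary 404s for files that do not exist, which is exactly what requinix says about them.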
ajoo Posted January 19, 2018 (Author)

Hi requinix, Thanks!

> but best is it would respond with a 4xx (like a generic 404 or a 400)

Hmm, how can I check whether the server responded with my home page? And what should I do to ensure that the server returns a 4xx message instead of the 200? Thanks again!
requinix Posted January 19, 2018

I'm not sure what the best way is, but as for myself I would execute a similar request. Using telnet you can do HTTP requests if you know what to send:

$ echo 'HEAD http://wap.ip138.com/ HTTP/1.1
Host: whatever.your.website.is
Connection: close
' | telnet whatever.your.website.is 80

Then see what the server does. You could do the same basic thing in cURL but for me telnet is easier.
ajoo Posted January 19, 2018 (Author)

Hi requinix, This is what I got on the terminal:

Connected to my-web-site.com
Escape character is '^]'.
Connection closed by foreign host.

and this is what I get in the access.log:

"HEAD http://wap.ip138.com/ HTTP/1.1" 200 270 "-" "-"

If you would be good enough to say what is the interpretation from this? Safe or dangerous? And any remedial action necessary? Thanks loads!
requinix Posted January 19, 2018

It doesn't say anything, actually. Try copying the 'HEAD...' string including those two newlines at the end, running

$ telnet my-web-site.com 80

then pasting into the console/terminal.
ajoo Posted January 19, 2018 (Author)

Hi! I get this in the access.log:

"HEAD http://wap.ip138.com/ HTTP/1.1\"" 400 0 "-" "-"

and this in the terminal:

Connected to my-web-site.com
Escape character is '^]'.
Connection closed by foreign host.

Thanks!
requinix Posted January 19, 2018

The request was malformed but you're still not seeing the output. Try something else.

<?php
// Open a plain TCP connection to the web server, send one raw HTTP request
// and dump whatever the server answers, as text.
header("Content-Type: text/plain");
$h = fsockopen("my-web-site.com", 80);
fwrite($h, "HEAD http://wap.ip138.com/ HTTP/1.1\r\nHost: whatever.your.website.is\r\nConnection: close\r\n\r\n");
fpassthru($h);
fclose($h);
ajoo Posted January 19, 2018 (Author)

Hi requinix, Is this a PHP script that I need to execute from a PHP file? Thanks.
requinix Posted January 20, 2018

It sure looks like PHP code, doesn't it?
ajoo Posted January 20, 2018 (Author)

Yes, so it does! Hi!! The code outputs:

HTTP/1.1 200 OK
Date: Sat, 20 Jan 2018 07:53:49 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Thu, 14 Dec 2017 18:46:24 GMT
ETag: "6e-560514d0aace0"
Accept-Ranges: bytes
Content-Length: 110
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

access.log:

"GET /test_access.php HTTP/1.1" 200 3629 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrom$

Thanks!
requinix Posted January 20, 2018

Wrong access log entry. Try changing that HEAD to a GET.

<?php
// Same raw request as before, but with GET so the response body is returned too.
header("Content-Type: text/plain");
$h = fsockopen("my-web-site.com", 80);
fwrite($h, "GET http://wap.ip138.com/ HTTP/1.1\r\nHost: whatever.your.website.is\r\nConnection: close\r\n\r\n");
fpassthru($h);
fclose($h);
ajoo Posted January 20, 2018 (Author)

Hi, Here's what I got:

HTTP/1.1 200 OK
Date: Sat, 20 Jan 2018 09:04:51 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Thu, 14 Dec 2017 18:46:24 GMT
ETag: "6e-560514d0aace0"
Accept-Ranges: bytes
Content-Length: 110
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><head><title>LAMP</title></head><body></br><a>Apache Homepage</a></br></body></html>

and access.log shows:

- - [20/Jan/2018:09:04:51 +0000] "GET http://wap.ip138.com/ HTTP/1.1" 200 380 "-" "-"
- - [20/Jan/2018:09:04:51 +0000] "GET /test_access.php HTTP/1.1" 200 3693 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML$

Thanks!

Edited January 20, 2018 by ajoo
requinix Posted January 20, 2018

You did change the "Host: whatever.your.website.is" part to match your site, right? Assuming you did then it sounds like Apache is dealing with the problem reasonably well so you can ignore it.
ajoo Posted January 20, 2018 (Author)

Hi requinix,

> You did change the "Host: whatever.your.website.is" part to match your site, right?

Yes I did. Great to know that it's safe and I can ignore it. May I request you to kindly explain this code a bit, like what was the code that we sent and how we figured out from the response that it's OK. Thanks a lot.

Edited January 20, 2018 by ajoo
requinix Posted January 20, 2018

The code is a very simple HTTP request that should be very similar to the one that created the original HEAD... entry in the access log. We produced the same approximate result in the access log, and the response from that request was benign. Therefore it's a reasonable assumption that the original request also produced a similar benign response.
ajoo Posted January 20, 2018 (Author)

Hmm, OK, I think I understand it. If our request had produced a 404 error or something like that then we would have assumed that the HEAD query was trying something malicious and that was blocked by the server. Right!? Thanks!
requinix Posted January 20, 2018 (Solution)

No, actually a 404 would have been a good (better) thing than the 200. 404 means the server didn't know what to do with the request. As in it didn't correspond to a file or directory and it didn't have any other way to interpret what it might mean (such as through URL rewriting). A 200 means it was able to handle it in some way that seemed reasonable.

Though uncommonly used, servers are supposed to accept absolute URLs in there - a place which should normally only have relative URLs. Requesting "http://whatever.your.website.is/foo" results in an HTTP request containing

GET /foo HTTP/1.1
Host: whatever.your.website.is

(plus other stuff). With our fake request, Apache reinterprets it

HEAD http://wap.ip138.com/ HTTP/1.1
Host: whatever.your.website.is

to instead mean

HEAD / HTTP/1.1
Host: wap.ip138.com

That is, it rewrites the request URI and the Host according to the absolute URL that was used. Since your server doesn't handle the "wap.ip138.com" domain, Apache picks the default virtualhost instead. It then runs the request like normal, which results in the output we saw.

See also
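Since Apache serves such a request from whichever virtual host comes first, the 4xx that requinix calls preferable can be produced by making that first host a deliberate catch-all. The fragment below is an added example for this thread, not configuration from either poster or from the Apache project; the host names, log file names and DocumentRoot are placeholders to be replaced with your own, and it assumes Apache 2.4 with mod_alias loaded (the `Redirect 404 /` form with no URL is valid for non-3xx status codes).

```apache
# Catch-all default virtual host. It must be the FIRST *:80 vhost in the
# configuration, because Apache selects the first one whenever the Host
# header (or the authority of an absolute request URL) matches no ServerName.
<VirtualHost *:80>
    # Placeholder name; the .invalid TLD can never match a real site.
    ServerName default.invalid
    # Answer every request for an unknown host with 404 instead of a site's homepage.
    Redirect 404 /
    # Keep these probes in their own log so the real site's log stays readable.
    ErrorLog ${APACHE_LOG_DIR}/default-vhost-error.log
    CustomLog ${APACHE_LOG_DIR}/default-vhost-access.log combined
</VirtualHost>

# Make sure the server never actually forwards requests for other hosts.
# (ProxyRequests is only understood when mod_proxy is loaded, hence the guard.)
<IfModule mod_proxy.c>
    ProxyRequests Off
</IfModule>

# The real site, selected only when the Host matches its ServerName.
<VirtualHost *:80>
    ServerName my-web-site.com
    ServerAlias www.my-web-site.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

After reloading Apache, repeating the PHP check from earlier in the thread should print an `HTTP/1.1 404 Not Found` status line instead of `200 OK`, and the access.log entry for the absolute-URL request will land in the default vhost's log with a 404.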
ajoo Posted January 20, 2018 (Author)

Thanks requinix, Great link that! Answers quite a few of my queries. Thanks.