httpd access_log query 1

Status
Not open for further replies.

bonifale (Programmer, GB; Sep 4, 2003)
Hi,

I'm intrigued.

Apart from the endless attempts to overflow my buffers with huge amounts of data, which so far are returning 414, I keep finding entries like the following in my Apache access log file.

66.194.6.72 - - [27/Oct/2005:01:39:10 +0100] "GET / HTTP/1.1" 200 365
66.194.6.80 - - [27/Oct/2005:01:42:52 +0100] "GET / HTTP/1.1" 200 12667
66.194.6.84 - - [27/Oct/2005:05:47:49 +0100] "GET / HTTP/1.1" 200 994
66.194.6.81 - - [27/Oct/2005:07:03:29 +0100] "GET / HTTP/1.1" 200 700
66.194.6.81 - - [27/Oct/2005:08:17:38 +0100] "GET / HTTP/1.1" 200 13171
66.194.6.68 - - [27/Oct/2005:09:58:14 +0100] "GET / HTTP/1.1" 200 14443
66.194.6.73 - - [27/Oct/2005:10:15:12 +0100] "GET / HTTP/1.1" 200 365
66.194.6.78 - - [27/Oct/2005:16:18:18 +0100] "GET / HTTP/1.1" 200 488

Clearly they achieve something as a 200 code is returned. Does anybody know what they are getting back and why they do it?


Les....
 
Hi

Overflow? I do not see how, with GET / requests. I think their software is just monitoring your site, looking for changes. Log the User-Agent too; maybe it is a bot and has a home URL in its identifier. See that IP's whois too.

By the way, what kind of site is yours? Some dynamic content? And what is the /index.??? file's full size?

Feherke.
 
Ah! Well spotted Feherke; the file sizes in the requests do reflect all of the index files on the server. Should have spotted that. I'll not worry about them.

I get Searches and Posts as well. In fact every two or three days.

88.105.143.36 - - [24/Oct/2005:19:08:51 +0100] "GET / HTTP/1.0" 200 365
88.105.143.36 - - [24/Oct/2005:19:08:52 +0100] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9...(Loads more of these)x90\x90\x90\x90\x90\x90" 414 79
Immediately followed by...
88.105.143.36 - - [24/Oct/2005:19:09:22 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 14

and an error_log entry...
[Mon Oct 24 19:08:52 2005] [error] [client 88.105.143.36] request failed: URI too long (longer than 8190)
[Mon Oct 24 19:09:22 2005] [error] [client 88.105.143.36] File does not exist: /
Still, as long as they're not getting in.....

Many thanks for the info.
Les....
 
Hi

Now this is matter for worry. There is no such method as "SEARCH" in RFC 2616. And that POST looks bad too. All those from the same IP, in such a short time, with different HTTP versions... I would say that is an attack.

If you have no forms with POST, restrict the access methods to GET and maybe HEAD:
Code:
<LimitExcept GET HEAD>
  Deny from all
</LimitExcept>

Feherke.
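A small detector for the patterns Feherke flags above (a request method that RFC 2616 does not define, a 414 "URI too long" response, and a burst of requests from one IP using different HTTP versions), plus the per-IP User-Agent listing he suggested in his first reply. This is an added example, not code from the thread or from Apache. It assumes Apache's Common Log Format, optionally with the Combined format's referer and User-Agent fields; the sample lines are constructed from the entries quoted in the thread, and the "ExampleMonitor" User-Agent string is made up.

```python
"""Scan Apache access-log lines for the suspicious patterns discussed above.

Added example, not code from the thread. Parses Common Log Format lines
(and Combined Log Format lines, which add referer and User-Agent) and reports,
per client IP:
  * request methods not defined in RFC 2616 (e.g. SEARCH),
  * 414 "URI too long" responses,
  * several HTTP versions from one IP inside a short time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The eight methods RFC 2616 section 9 defines.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

# Common Log Format with an optional Combined Log Format tail (referer, agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed sample, modelled on the lines quoted in the thread. Apache writes
# non-printable request bytes as \xNN escapes, so the SEARCH line is kept as
# literal backslash sequences (raw string). The User-Agent on the second line
# is made up to show a Combined-format entry.
SAMPLE_LOG = r'''66.194.6.72 - - [27/Oct/2005:01:39:10 +0100] "GET / HTTP/1.1" 200 365
66.194.6.80 - - [27/Oct/2005:01:42:52 +0100] "GET / HTTP/1.1" 200 12667 "-" "ExampleMonitor/1.0 (+http://example.com/bot)"
88.105.143.36 - - [24/Oct/2005:19:08:51 +0100] "GET / HTTP/1.0" 200 365
88.105.143.36 - - [24/Oct/2005:19:08:52 +0100] "SEARCH /\x90\xc9\xc9\xc9\x90\x90\x90" 414 79
88.105.143.36 - - [24/Oct/2005:19:09:22 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 14
'''.splitlines()


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The request line may be truncated (no protocol) when the URI was rejected.
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["protocol"] = parts[2] if len(parts) > 2 else ""
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def findings(lines, window=timedelta(minutes=5)):
    """Return a sorted list of (ip, reason) tuples for suspicious activity."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    out = set()
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        for r in recs:
            if r["method"] not in RFC2616_METHODS:
                out.add((ip, f"non-RFC2616 method {r['method']}"))
            if r["status"] == 414:
                out.add((ip, "414 URI too long"))
        # One client switching HTTP versions within a short burst is unusual
        # for a browser and typical of a scanner running canned requests.
        versions = {r["protocol"] for r in recs if r["protocol"]}
        if len(versions) > 1 and recs[-1]["time"] - recs[0]["time"] <= window:
            out.add((ip, f"mixed HTTP versions {sorted(versions)} within {window}"))
    return sorted(out)


def user_agents(lines):
    """Map each client IP to the User-Agent strings it sent. Only Combined
    format lines carry an agent; Common format lines are skipped."""
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["agent"] is not None:
            agents[rec["ip"]].add(rec["agent"])
    return dict(agents)


if __name__ == "__main__":
    for ip, reason in findings(SAMPLE_LOG):
        print(f"{ip}: {reason}")
    for ip, agents in user_agents(SAMPLE_LOG).items():
        print(f"{ip}: agents {sorted(agents)}")
```

To run it on a live server, replace SAMPLE_LOG with the lines of the real access_log; the agent listing is only populated once the LogFormat in use includes the User-Agent field, which is what Feherke's first reply recommends enabling.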
 
Thanks for that. I do have a post type form on the server but I tried the instruction anyway and it complains...

Syntax error on line 396 of /usr/local/apache2/conf/httpd.conf:
deny not allowed here

Les....

 
Hi

Sorry. That should be in a Directory section. And to avoid other surprises, put an Order too.
Code:
<Directory />
  <LimitExcept GET HEAD>
    Order deny,allow
    Deny from all
  </LimitExcept>
</Directory>

Feherke.
 
Thanks for your help; that works fine.

I'm quite new to Apache and appreciate all the help I can get.

Les....



 