Apache access log is reporting thousands of GET requests - apache

Some weeks ago I was being overwhelmed with a DDoS attack.
After some research I fixed the proxy misconfiguration and activated mod_evasive for Apache, and the slowness was gone.
I'm still receiving some types of request like this one:
51.159.210.176 - - [01/Dec/2022:20:51:26 +0000] "GET http://chongzhi.jusunpay.com:8122/pay HTTP/1.1" 302 217
Are they harmless to my server? Also, is there a way to disable this specific log? Because the access_log file is getting close to 50GB.

Related

Apache logrotate and very large access_log file

Any advice would be appreciated. I'm running the Bitnami LAMP stack on AWS Lightsail. My Apache access_log file is consistently getting very large (1 GB per day). I've set it to rotate hourly (although it appears only to be rotating daily, despite my moving the logrotate job from cron.daily to cron.hourly).
I'm trying to understand what is going on and how to prevent it, or address it. The lines that appear to be filling up the file are as below:
xx.xx.xx.xxx - - [14/Sep/2022:09:29:35 +0000] "GET /images/items_thumbs/ HTTP/1.1" 404 196
There are about 20 requests like this per second, all from the same IP (obscured above). It also appears that when the access_log file is too large it causes the server to crash when rotation is attempted.
What have I tried? I've addressed a part of the site that was causing 404 errors for an image; I believe it was a JavaScript loop that kept trying to fetch a missing image (onerror). I've removed that code from the site. I'm wondering if it's possible that a machine at that IP address still has the page open and the script is still running?
I can get away with not having an access_log if it's easy to disable this feature. I would still want the error_log, however, as it's very useful!
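As an added example that is not part of the question or any answer: a small detector for the pattern described above (one client hitting the same missing path about twenty times a second), run over constructed log lines in the same format. The addresses and the ten-per-second threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "common" log format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def flood_sources(lines, per_second=10):
    """Map (ip, path, status) to its peak requests-per-second, for every
    combination that exceeded `per_second` within one one-second window.
    The log timestamp only has second resolution, so it is the bucket key."""
    buckets = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than miscount them
        buckets[(m["ip"], m["path"], int(m["status"]), m["time"])] += 1
    peaks = defaultdict(int)
    for (ip, path, status, _second), n in buckets.items():
        if n > per_second:
            peaks[(ip, path, status)] = max(peaks[(ip, path, status)], n)
    return dict(peaks)

# Constructed sample: twenty hits in one second on the missing thumbnail
# directory from a single client (the pattern in the question), plus two
# ordinary requests from another address. IPs are RFC 5737 documentation ranges.
SAMPLE = 20 * [
    '203.0.113.7 - - [14/Sep/2022:09:29:35 +0000] "GET /images/items_thumbs/ HTTP/1.1" 404 196'
] + [
    '198.51.100.9 - - [14/Sep/2022:09:29:35 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '198.51.100.9 - - [14/Sep/2022:09:29:36 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for (ip, path, status), peak in flood_sources(SAMPLE).items():
        print(f"{ip} {path} -> {status}: peak {peak} req/s")
```

Anything this reports is a candidate both for blocking and for exclusion from the access log, since one such client alone accounts for the file growth the question describes.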

Apache access log, strange post requests

Getting a lot of strange requests in my access log:
ip login:"-" - - [24/May/2017:01:26:30 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/D89B1EDB-4CED-D145-9246-16243451D23D/from HTTP/1.0" 404 1346 Time:"2s" pid:23050 Mem:"2097152
ip login:"-" - - [24/May/2017:00:48:35 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/E970DBFE-0DB1-A749-9392-CF1704CC81FD/from HTTP/1.0" 404 1348 Time:"0s" pid:22893 Mem:"4194304"
ip login:"-" - - [23/May/2017:00:33:08 +0700] "POST /CE92AFB2-2FDE-8742-B5ED-0629F2B9B622/2D682DC1-D8C5-574F-8A0E-AC62EB96CBD8/from HTTP/1.0" 404 1348 Time:"0s" pid:6695 Mem:"4194304"
...
Also, sometimes (not so frequently), I'm getting another type of log record containing parts of my HTML pages:
ip login:"-" - - [23/May/2017:14:00:49 +0700] "GET /static/legacy/js/ion%20value=201602>%D4%E5%E2%F0%E0%EB%FC%202016</option><option%20value=201601>%DF%ED%E2%E0%F0%FC%202016</option><option%20value=201512>%C4%E5%EA%E0%E1%F0%FC%202015</option><option%20value=201511>%CD%EE%FF%E1%F0%FC%202015</option><option%20value=201510>%CE%EA%F2%FF%E1%F0%FC%202015</option><option%20value=201509>%D1%E5%ED%F2%FF%E1%F0%FC%202015</option><option%20value=201508>%C0%E2%E3%F3%F1%F2%202015</option><option%20value=201507>%C8%FE%EB%FC%202015</option><option%20value=201506>%C8%FE%ED%FC%202015</option><option%20value=201505>%CC%E0%E9%202015</option><option%20value=201504>%C0%EF%F0%E5%EB%FC%202015</option><option%20value=201503>%CC%E0%F0%F2%202015</option><option%20value=201502>%D4%E5%E2%F0%E0%EB%FC%202015</option><option%20value=201501>%DF%ED%E2%E0%F0%FC%202015</option><option%20value=201412>%C4%E5%EA%E0%E1%F0%FC%202014</option><option%20value=201411>%CD%EE%FF%E1%F0%FC%202014</option><option%20value=201410>%CE%EA%F2%FF%E1%F0%FC%202014</option><option%20value=201409>%D1%E5%ED%F2%FF%E1%F0%FC%202014</option><option%20value=201408>%C0%E2%E3%F3%F1%F2%202014</option><option%20value=201407>%C8%FE%EB%FC%202014</option><option%20value=201406>%C8%FE%ED%FC%202014</option><option%20value=201405>%CC%E0%E9%202014</option><option%20value=201404>%C0%EF%F0%E5%EB%FC%202014</option><option%20value=201403>%CC%E0%F0%F2%202014</option><option%20value=201402>%D4%E5%E2%F0%E0%EB%FC%202014</option><option%20value=201401>%DF%ED%E2%E0%F0%FC%202014</option><option%20value=201312>%C4%E5%EA%E0%E1%F0%FC%202013</option><option%20value=201311>%CD%EE%FF%E1%F0%FC%202013</option></select></td></tr><script%20type= HTTP/1.0" 404 1347 Time:"0s" pid:15377 Mem:"4194304"
Does anyone know something about it?
OS: Ubuntu 15.10 x64
Apache: v2.4.24
Looks to me like someone found a cross-site scripting (XSS) vulnerability somewhere in your code.
Without seeing the code in the file found (presumably) at /static/legacy/js/ion, it's almost impossible to offer any advice or answers as to what needs to be done.
Generally speaking, though, somewhere along the line there's code that is producing output without first sanitizing it. It could be inside that file, or maybe even inside the file that produces the output that writes that line.
Either way, it would probably be best to search for things like $_POST, $_GET, $_REQUEST, etc., that are producing output provided by the user without first sanitizing it.
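Added example, not from the question or the answer above: percent-decoding the request path from the second log line makes visible what the client actually sent. The %D4..%FF bytes are not valid UTF-8, so windows-1251 (cp1251) is assumed here; the sample path is a shortened, constructed copy of the one in the question.

```python
import re
from urllib.parse import unquote

# Constructed sample: the start of the request path quoted in the question,
# shortened to three <option> elements plus the trailing "<script type=".
REQUEST_PATH = (
    "/static/legacy/js/ion%20value=201602>%D4%E5%E2%F0%E0%EB%FC%202016</option>"
    "<option%20value=201601>%DF%ED%E2%E0%F0%FC%202016</option>"
    "<option%20value=201512>%C4%E5%EA%E0%E1%F0%FC%202015</option>"
    "</select></td></tr><script%20type="
)

def decode_path(path, encoding="cp1251"):
    """Percent-decode an access-log request path. Apache logs the raw bytes the
    client sent, so the text encoding has to be chosen by the analyst; cp1251 is
    assumed because the high bytes map onto Cyrillic there and are not UTF-8."""
    return unquote(path, encoding=encoding, errors="strict")

def option_labels(decoded):
    """Visible text of every complete <option ...>label</option> in the fragment."""
    return re.findall(r"<option[^>]*>([^<]*)</option>", decoded)

def looks_like_page_markup(decoded):
    """True when a request path carries HTML tags, i.e. the 'URL' was built
    from page content rather than from a real link."""
    return bool(re.search(r"</?(option|select|script|td|tr)\b", decoded))

if __name__ == "__main__":
    decoded = decode_path(REQUEST_PATH)
    print(decoded)
    print(option_labels(decoded), looks_like_page_markup(decoded))
```

The decoded path is a run of HTML option elements with Russian month names, ending at an unfinished script tag; comparing that fragment against the site's own templates is the practical next step in finding where it is produced.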

Bots throws 500 error in apache access log

In my Apache error log I can see that the following error is being caught in enormous amounts every day.
[Tue Jan 15 13:37:39 2013] [error] [client 66.249.78.53] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
When I check the corresponding IP, date and time against the access log I can see the following:
66.249.78.53 - - [15/Jan/2013:13:37:39 +0000] "GET /robots.txt HTTP/1.1" 500 821 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
I've tested my robots.txt file in the Google Webmaster tool -> Health -> Blocked URLs and it's fine.
Also, when some images are accessed by bots, it throws the following error:
Error_LOG
[Tue Jan 15 12:14:16 2013] [error] [client 66.249.78.15] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
Accessed_URL
66.249.78.15 - - [15/Jan/2013:12:14:16 +0000] "GET /userfiles_generic_imagebank/1335441506.jpg?1 HTTP/1.1" 500 821 "-" "Googlebot-Image/1.0"
Actually, the above image URL (and several other images in our access log) are not available on our site (they were available before a website revamp that we did in August 2012), and we throw 404 errors when we go to those invalid resources.
However, once in a while, it seems that bots (and even human visitors) generate this type of error in our access/error log, only for static resources like images that don't exist, and for our robots.txt file. The server throws a 500 error for them, but when I try it from my browser the images are 404 and the robots.txt is 200 (success).
We are not sure why this is happening and how come a valid robots.txt and an invalid image can throw a 500 error. We do have a .htaccess file and we are sure that our (Zend Framework) application is not being reached, because we have a separate log for that. Therefore the server itself (or .htaccess) is throwing the 500 error "once in a while" and I can't imagine why. Could it be due to too many requests to the server, or how can I debug this further?
Note that we only noticed these errors after our design revamp, but the web server itself stayed the same.
It might be useful to log the domain that the client is accessing. Your server might be accessible via multiple domains, including the raw IP address. When you're testing, you're doing so via the primary domain and everything works as expected. What if you try to access the same files via your IP (http://1.2.3.4/robots.txt) vs. the domain (http://example.com/robots.txt)? Also example.com vs. www.example.com or any other variation that points to the server.
Bots can sometimes hold on to IP/domain info long after an address has changed and may be attempting to access something that the rules were changed for months ago.

Suspicious requests in Apache web server log file

I found the following requests in my Apache web server. Are these hack attempts? Will they be harmful to the server?
My server is crashing frequently, and I don't have the reasons for it:
GET /muieblackcat HTTP/1.1" 302 214
GET //index.php HTTP/1.1" 302 214
GET //admin/index.php HTTP/1.1" 302 214
GET //admin/pma/index.php HTTP/1.1" 302 214
GET //admin/phpmyadmin/index.php HTTP/1.1" 302 214
/user/soapCaller.bs HTTP/1.1" 302 214
GET /robots.txt HTTP/1.0" 302 214.
We see a lot of requests for non-existent setup.php files:
GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /myadmin/scripts/setup.php HTTP/1.1" 302 214
GET //typo3/phpmyadmin/index.php HTTP/1.1" 302 214
GET /pma/scripts/setup.php HTTP/1.1" 302 214
GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 302 214
The request below also reached the server. What request is this?
95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
How should this server crash issue be understood?
Yes, these are probably attempts to hack your server. The hacker makes calls to URLs with known weaknesses. However, you are safe as long as these files don't exist on your server.
You should be concerned if you actually have a file with a known weakness.
One temporary solution would be to block the IP address that these calls are made from. You should also check if any calls from that particular IP address actually found an existing page.
The only permanent solution is to upgrade all of your software so that you are not vulnerable to known security weaknesses.
These HTTP calls can not explain why your server crashes.
PS: The /robots.txt request is not a hacking attempt. This is a file that search engines like Google look for to get instructions about how to index your site. That is perfectly OK.
I'd like to ask if you are using PHP at all. Most web spaces support a lot of features. If you don't use PHP, CGI, SSI, etc., you could turn them off.
Also, it might be an idea to watch your messages (Linux? - tail -f /var/log/messages). There you can see live actions.
Another idea would be to move the well-known ports of SSH and other daemons, except HTTP, to odd high ports above 1024; or, if you have your own public IP address from which you access the Internet, you could set your firewall to only accept connections on those ports from your own IP address.
A good solution, if you are running Apache/WHM, would be to install mod_security and CSF (ConfigServer Firewall). mod_security will watch for malicious activity and kick IP addresses to the firewall if they trigger the same security rule too often.
Another solution, which is pretty extreme, would be to block all IP traffic in the firewall based on country code. For instance, if you notice that most of your attacks are coming from Ukraine and 99% of your user base is out of the USA, then block the entire offending country. As I said... it's extreme.
Also note that running mod_security and CSF can slow down the server, since it has to check the firewall database for all incoming traffic.
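An added example (not from either thread or any answer) that covers both the absolute-URL GET in the first question on this page and the scanner and CONNECT requests in this one: it classifies each log line, then applies the check the answer recommends, whether a probing address ever got a real page served. The addresses and the list of scanner paths are assumptions drawn from the lines quoted above.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Paths the thread lists as scanner traffic (phpMyAdmin setup/index pages, muieblackcat, soapCaller.bs).
SCANNER_PATHS = re.compile(
    r"/(muieblackcat|soapCaller\.bs)$|/(phpmyadmin|myadmin|pma)[^ ]*/(setup|index)\.php$", re.I)

def classify(method, target):
    """proxy-probe: client asked the server to relay to another host (CONNECT, or a
    full URL where a path belongs); scanner-probe: well-known admin-tool paths."""
    if method == "CONNECT" or re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return "proxy-probe"
    if SCANNER_PATHS.search(target):
        return "scanner-probe"
    return "normal"

def triage(lines):
    """Per client IP: count of each class, plus every request answered 2xx.
    A 302 or 404 on a probe means nothing was actually served."""
    report = defaultdict(lambda: {"proxy-probe": 0, "scanner-probe": 0, "normal": 0, "served": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = report[m["ip"]]
        entry[classify(m["method"], m["target"])] += 1
        if m["status"].startswith("2"):
            entry["served"].append(f'{m["method"]} {m["target"]}')
    return dict(report)

def suspicious(report):
    """IPs that sent probes and also got a 2xx somewhere: they found a real page."""
    return sorted(ip for ip, e in report.items()
                  if (e["proxy-probe"] or e["scanner-probe"]) and e["served"])

# Constructed sample modelled on the requests quoted in the threads; the
# addresses are RFC 5737 documentation ranges, not the ones in the logs above.
SAMPLE = [
    '203.0.113.10 - - [01/Dec/2022:20:51:26 +0000] "GET http://shop.example:8122/pay HTTP/1.1" 302 217',
    '203.0.113.11 - - [16/Aug/2012:18:14:52 +0800] "CONNECT mail.example:80 HTTP/1.1" 302 214',
    '192.0.2.5 - - [16/Aug/2012:18:15:01 +0800] "GET /muieblackcat HTTP/1.1" 302 214',
    '192.0.2.5 - - [16/Aug/2012:18:15:02 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214',
    '192.0.2.5 - - [16/Aug/2012:18:15:03 +0800] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 302 214',
    '192.0.2.5 - - [16/Aug/2012:18:15:04 +0800] "GET /index.php HTTP/1.1" 200 4821',
    '198.51.100.9 - - [16/Aug/2012:18:16:00 +0800] "GET /robots.txt HTTP/1.0" 200 68',
]
```

Run `suspicious(triage(SAMPLE))` to get the addresses worth a closer look; in the sample only the scanning client that also received a 200 for /index.php is listed, while the proxy probes and the robots.txt fetch are not.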

identify error origin in apache http server log

I have an Apache HTTP 2.2 server load balancing to several Tomcat application servers running Java servlets. Sometimes there are error responses coming back;
in the HTTP log it shows:
212.xx.xx.x - - [09/Aug/2012:05:07:32 -0700] "GET /myservlet/myService?inputParam=xxx HTTP/1.1" 500 627
Is there a way for me to log the Tomcat IP or some kind of ID so that I can identify which Tomcat server is producing the error?