What is Apache's other_vhosts_access.log file used for? - apache

What is Apache's other_vhosts_access.log file used for?
I cannot find any documentation on this file on Google.
On the local system, which runs both Apache and Nginx, a lot of entries are displayed in other_vhosts_access.log, like:
kr.b19cms.dk:80 127.0.0.1 - - [19/Jun/2018:08:46:30 +0200] "POST /CHANGELOG.txt HTTP/1.0" 200 108893 "-" "drupalgeddon2" 246.189.151.79, 127.0.0.1
However, I cannot seem to make much out of it.

Usually one of the vhosts is marked as default - so if the Host: HTTP header does not match any of the other vhosts then the default vhost will be used to handle the request.
However, if no vhost is marked as default - then it goes into this log.
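As an added example (mine, not part of the question or the answer above), the following Python parses lines in the format Debian writes to other_vhosts_access.log, which is the stock vhost_combined LogFormat `%v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"`, and flags the scanner traffic visible in the asker's line. The asker's line ends with an address list that this format does not produce; the parser assumes it is an appended X-Forwarded-For value from the nginx front end (an assumption), and the second sample line is constructed to look like ordinary traffic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Debian's stock vhost_combined LogFormat (the one other_vhosts_access.log uses):
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
# The optional trailing field is an assumption: the asker's line ends with an
# address list that this format does not produce, so it is treated here as an
# appended X-Forwarded-For header from the nginx front end.
VHOST_COMBINED = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+)\s+'
    r'(?P<client>\S+)\s+(?P<ident>\S+)\s+(?P<user>\S+)\s+'
    r'\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<request>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"'
    r'(?:\s+(?P<xff>\S.*))?\s*$'
)

# First line is the asker's; the second is constructed to look like normal traffic.
SAMPLE_LOG = """\
kr.b19cms.dk:80 127.0.0.1 - - [19/Jun/2018:08:46:30 +0200] "POST /CHANGELOG.txt HTTP/1.0" 200 108893 "-" "drupalgeddon2" 246.189.151.79, 127.0.0.1
kr.b19cms.dk:80 127.0.0.1 - - [19/Jun/2018:08:47:02 +0200] "GET /user/login HTTP/1.1" 200 5120 "https://kr.b19cms.dk/" "Mozilla/5.0" 203.0.113.7, 127.0.0.1
"""


@dataclass
class Entry:
    vhost: str
    port: int
    client: str
    time: str
    method: str
    path: str
    protocol: str
    status: int
    size: int
    referer: str
    agent: str
    forwarded_for: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one vhost_combined line; return None for a line in another format."""
    m = VHOST_COMBINED.match(line)
    if not m:
        return None
    # %r is "METHOD PATH PROTOCOL"; pad so a mangled request line still parses.
    method, path, protocol = (m.group("request").split(" ") + ["", "", ""])[:3]
    xff = m.group("xff")
    size = m.group("size")
    return Entry(
        vhost=m.group("vhost"),
        port=int(m.group("port")),
        client=m.group("client"),
        time=m.group("time"),
        method=method,
        path=path,
        protocol=protocol,
        status=int(m.group("status")),
        size=0 if size == "-" else int(size),
        referer=m.group("referer"),
        agent=m.group("agent"),
        forwarded_for=[a.strip() for a in xff.split(",")] if xff else [],
    )


def origin_ip(entry: Entry) -> str:
    """Behind a proxy %h is the proxy itself (127.0.0.1 here); the first
    X-Forwarded-For hop is the real client, provided the proxy overwrites the
    header instead of appending to a client-supplied one."""
    return entry.forwarded_for[0] if entry.forwarded_for else entry.client


# User-Agent strings with which scanners announce themselves; "drupalgeddon2"
# is the one in the asker's line and is the name of the Drupal SA-CORE-2018-002 exploit.
SCANNER_AGENTS = {"drupalgeddon2"}


def flag_entry(entry: Entry) -> List[str]:
    reasons = []
    if entry.agent.lower() in SCANNER_AGENTS:
        reasons.append("scanner user-agent")
    if entry.method == "POST" and entry.path.lower().endswith((".txt", ".md")):
        reasons.append("POST to a static text file")
    return reasons


def triage(log_text: str) -> List[dict]:
    """Return the flagged entries together with the address worth blocking."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            hits.append({"origin": origin_ip(entry), "vhost": entry.vhost,
                         "request": f"{entry.method} {entry.path}", "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Run it against the real file with `triage(open("/var/log/apache2/other_vhosts_access.log").read())`; lines written by a vhost that has its own CustomLog will not appear there at all, so check each vhost's own log too before concluding a scan never reached it.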

Related

How to get absolute path of file which Apache reported 404 not found?

When it comes to http://www.example.com/normal/url/path, Apache replied 404 Not Found, but wait, I know there is normal/url/path in the directory ScriptAlias points to, I mean in the vhost config file.
Sadly, I only have "GET /normal/url/path HTTP/1.1" 404 in Apache's log file; actually I want to see something like "GET /opt/www/location/normal/url/path HTTP/1.1" 404, which I think is clearer and more effective. How do I configure this...

Configure Apache to pass the hash character to CGI scripts as part of QUERY_STRING

I am working on emulating an embedded device that is being controlled via HTML commands. The controller issues URLs such as
http://192.168.0.10/cgi-bin/aw_cam?cmd=QFT&res=1
And these affect the device in specific ways. My goal is to make an emulator of the device so I need to capture and handle all such requests. I have successfully configured Apache to call my scripts and I can get access to the "cmd=QFT&res=1" control string by reading the value of QUERY_STRING. I am using Apache 2.4.18 on Ubuntu 16.04.5. The scripts are written in C++.
The problem I am running into is that some of the commands issued by the controller are of the following form:
http://192.168.0.10/cgi-bin/aw_ptz?cmd=#P80&res=1
http://192.168.0.10/cgi-bin/aw_ptz?cmd=#T50&res=1
For whatever reason, whoever designed the command structure decided to use the # character as part of the command. But since the '#' delimits the fragment part of the URL, the information after it never makes it to my script, which only receives "cmd="
Is there any way to force Apache to pass the entire string after the ? to my scripts? I cannot change the client or the protocol, only the server side.
Edit:
The Apache log shows the entire URL (see the portion of the log file below), so even though # is supposed to be a fragment delimiter, it makes it into the log file at least, but not the CGI script.
192.168.0.9 - - [27/Jan/2019:00:21:10 +0000] "GET /cgi-bin/aw_ptz?cmd=#P53&res=1 HTTP/1.0" 200 151 "-" "-"
192.168.0.9 - - [27/Jan/2019:00:21:11 +0000] "GET /cgi-bin/aw_ptz?cmd=#P66&res=1 HTTP/1.0" 200 151 "-" "-"
192.168.0.9 - - [27/Jan/2019:00:21:11 +0000] "GET /cgi-bin/aw_ptz?cmd=#P99&res=1 HTTP/1.0" 200 151 "-" "-"
192.168.0.9 - - [27/Jan/2019:00:21:11 +0000] "GET /cgi-bin/aw_ptz?cmd=#P76&res=1 HTTP/1.0" 200 151 "-" "-"
This seems to work:
RewriteCond %{THE_REQUEST} \s(.*)#(.*)\s
RewriteRule ^ http://localhost:8000%1#%2 [P,NE]
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
(I had Python's simple HTTP server listening on localhost:8000 to verify that the hash was passed correctly.)

How to filter requests so that apache handles them and not tomcat?

For various reasons I want to shut down my server after a certain period of idle time. I am running Tomcat 8.5.29 and Apache2 (not sure of the version) on Debian 4.9.88. I wrote a script to look at the last time Tomcat had an access. I only have one app on the server and it is at "http://hostname/source/". My problem is that there are a number of webserver vulnerabilities out there and I am getting a constant flow of requests to:
"GET / HTTP/1.1"
"POST /GponForm/diag_Form?images/ HTTP/1.1"
"GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Aservice%3DMainDeployer HTTP/1.1"
"POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1"
What I would like to do is stop anything that doesn't begin with "/source" from even getting to tomcat. I presume that a rewrite or something in Apache can do it, but I am not sure how the requests get to Tomcat in the first place.
Any ideas?
There are two possible ways for requests to reach Tomcat:
The probes send requests directly to the Tomcat port (typically port 8080). You can fix this by restricting Tomcat's listening address to the loopback address, by adding the attribute address="127.0.0.1" to the corresponding Connector element in conf/server.xml. Or you can just block port 8080 in your firewall.
The requests are forwarded from Apache to Tomcat via a reverse proxy configuration in Apache. This means there is a line such as the following in one of the Apache configuration files:
ProxyPass / http://127.0.0.1:8080/
If you add an explicit path prefix to both arguments, you can restrict which requests are passed to Tomcat:
ProxyPass /source http://127.0.0.1:8080/source
This ensures that only requests that begin with "/source" are forwarded to Tomcat.
Some Apache configurations use the AJP protocol instead of HTTP for proxying, but the same reasoning applies.
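The answer above names two ways a probe can reach Tomcat. As an added example (mine, not the answerer's code), this Python audits a Tomcat server.xml for Connector elements that listen on every interface, which is what a missing address attribute means, and rewrites them to bind to the loopback address as the answer recommends. The server.xml fragment is constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the HTTP connector has no address attribute,
# so Tomcat binds it on every interface; the AJP connector is already loopback-only.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""


def is_loopback(address):
    """True only when the Connector is bound to a loopback address.
    No attribute means all interfaces; a hostname other than localhost is treated
    as exposed because it cannot be verified without resolving it."""
    if address is None:
        return False
    if address.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address.strip()).is_loopback
    except ValueError:
        return False


def exposed_connectors(server_xml: str) -> list:
    """List every Connector reachable from outside the host."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not is_loopback(conn.get("address")):
            findings.append({
                "port": conn.get("port"),
                "protocol": conn.get("protocol", "HTTP/1.1"),  # Tomcat's default when omitted
                "address": conn.get("address") or "(all interfaces)",
            })
    return findings


def bind_to_loopback(server_xml: str) -> str:
    """Return server.xml with address="127.0.0.1" set on every exposed Connector,
    which is the change the answer recommends."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not is_loopback(conn.get("address")):
            conn.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"exposed: {f['protocol']} on {f['address']}:{f['port']}")
    print(bind_to_loopback(SAMPLE_SERVER_XML))
```

Use the audit on the real conf/server.xml, but apply the attribute change by hand: ElementTree discards the comments and formatting that file is full of. After restarting Tomcat, `ss -ltnp | grep java` should show 127.0.0.1:8080 rather than *:8080, and the probes in the question can then only arrive through whatever ProxyPass Apache still has.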

Apache access log, strange post requests

Getting a lot of strange requests in my access log:
ip login:"-" - - [24/May/2017:01:26:30 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/D89B1EDB-4CED-D145-9246-16243451D23D/from HTTP/1.0" 404 1346 Time:"2s" pid:23050 Mem:"2097152"
ip login:"-" - - [24/May/2017:00:48:35 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/E970DBFE-0DB1-A749-9392-CF1704CC81FD/from HTTP/1.0" 404 1348 Time:"0s" pid:22893 Mem:"4194304"
ip login:"-" - - [23/May/2017:00:33:08 +0700] "POST /CE92AFB2-2FDE-8742-B5ED-0629F2B9B622/2D682DC1-D8C5-574F-8A0E-AC62EB96CBD8/from HTTP/1.0" 404 1348 Time:"0s" pid:6695 Mem:"4194304"
...
Also, sometimes (not so frequently), I get another type of log record containing parts of my HTML pages:
ip login:"-" - - [23/May/2017:14:00:49 +0700] "GET /static/legacy/js/ion%20value=201602>%D4%E5%E2%F0%E0%EB%FC%202016</option><option%20value=201601>%DF%ED%E2%E0%F0%FC%202016</option><option%20value=201512>%C4%E5%EA%E0%E1%F0%FC%202015</option><option%20value=201511>%CD%EE%FF%E1%F0%FC%202015</option><option%20value=201510>%CE%EA%F2%FF%E1%F0%FC%202015</option><option%20value=201509>%D1%E5%ED%F2%FF%E1%F0%FC%202015</option><option%20value=201508>%C0%E2%E3%F3%F1%F2%202015</option><option%20value=201507>%C8%FE%EB%FC%202015</option><option%20value=201506>%C8%FE%ED%FC%202015</option><option%20value=201505>%CC%E0%E9%202015</option><option%20value=201504>%C0%EF%F0%E5%EB%FC%202015</option><option%20value=201503>%CC%E0%F0%F2%202015</option><option%20value=201502>%D4%E5%E2%F0%E0%EB%FC%202015</option><option%20value=201501>%DF%ED%E2%E0%F0%FC%202015</option><option%20value=201412>%C4%E5%EA%E0%E1%F0%FC%202014</option><option%20value=201411>%CD%EE%FF%E1%F0%FC%202014</option><option%20value=201410>%CE%EA%F2%FF%E1%F0%FC%202014</option><option%20value=201409>%D1%E5%ED%F2%FF%E1%F0%FC%202014</option><option%20value=201408>%C0%E2%E3%F3%F1%F2%202014</option><option%20value=201407>%C8%FE%EB%FC%202014</option><option%20value=201406>%C8%FE%ED%FC%202014</option><option%20value=201405>%CC%E0%E9%202014</option><option%20value=201404>%C0%EF%F0%E5%EB%FC%202014</option><option%20value=201403>%CC%E0%F0%F2%202014</option><option%20value=201402>%D4%E5%E2%F0%E0%EB%FC%202014</option><option%20value=201401>%DF%ED%E2%E0%F0%FC%202014</option><option%20value=201312>%C4%E5%EA%E0%E1%F0%FC%202013</option><option%20value=201311>%CD%EE%FF%E1%F0%FC%202013</option></select></td></tr><script%20type= HTTP/1.0" 404 1347 Time:"0s" pid:15377 Mem:"4194304"
Anyone know something about it?
OS: ubuntu 15.10 x64
Apache: v 2.4.24
Looks to me like someone found a cross-site scripting (XSS) vulnerability somewhere in your code.
Without seeing the code in the file found (presumably) at /static/legacy/js/ion, it's almost impossible to offer any advice or answers as to what needs to be done.
Generally speaking, though, somewhere along the line there is code producing output without first sanitizing it. It could be inside that file, or maybe even inside the file that produces the output that writes that line.
Either way, it would probably be best to search for things like $_POST, $_GET, $_REQUEST, etc., that are producing output provided by the user without first being sanitized.
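To act on the answer's last suggestion, here is an added example (mine, not the answerer's code) of a Python scan that finds PHP lines where a request superglobal, or a variable assigned directly from one, reaches echo, print or <?= without passing through htmlspecialchars or htmlentities. It is a line-oriented heuristic rather than a PHP parser, so it follows taint for one assignment only, and the PHP it scans is constructed for the example in the style of the month <select> seen in the asker's log line.

```python
import re
from typing import List

SUPERGLOBAL = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b')
VARIABLE = re.compile(r'\$[A-Za-z_]\w*')
ESCAPER = re.compile(r'\b(?:htmlspecialchars|htmlentities)\s*\(')
SINK = re.compile(r'\becho\b|\bprint\b|<\?=')
ASSIGN = re.compile(r'(\$[A-Za-z_]\w*)\s*=(?!=)')

# Constructed PHP; lines 3, 5, 6 and 11 are the ones that should be reported.
SAMPLE_PHP = """\
<?php
$month = $_GET['month'];
echo "<option value=" . $_GET['month'] . ">";
echo "<option value=" . htmlspecialchars($month, ENT_QUOTES, 'UTF-8') . ">";
echo $month;
print $_REQUEST['q'];
echo htmlspecialchars($_POST['name']);
$safe = htmlspecialchars($_GET['x']);
echo $safe;
?>
<?= $_GET['page'] ?>
"""


def _escaped_spans(code: str) -> List[tuple]:
    """Character ranges covered by an escaper call, found by matching its parentheses."""
    spans = []
    for m in ESCAPER.finditer(code):
        depth, end = 0, len(code)
        for i in range(m.end() - 1, len(code)):
            if code[i] == "(":
                depth += 1
            elif code[i] == ")":
                depth -= 1
                if depth == 0:
                    end = i + 1
                    break
        spans.append((m.start(), end))
    return spans


def _outside(pos: int, spans) -> bool:
    return not any(start <= pos < end for start, end in spans)


def scan_php(source: str) -> List[dict]:
    findings = []
    tainted = set()  # variables currently holding unescaped request input (one hop)
    for number, code in enumerate(source.splitlines(), 1):
        spans = _escaped_spans(code)
        raw_globals = [m.start() for m in SUPERGLOBAL.finditer(code)
                       if _outside(m.start(), spans)]
        raw_vars = [m for m in VARIABLE.finditer(code)
                    if m.group() in tainted and _outside(m.start(), spans)]
        assign = ASSIGN.search(code)
        if assign:
            rhs = assign.end()
            if any(p > rhs for p in raw_globals) or any(m.start() > rhs for m in raw_vars):
                tainted.add(assign.group(1))
            else:
                tainted.discard(assign.group(1))  # reassigned from something else
        if SINK.search(code):
            if raw_globals:
                findings.append({"line": number, "code": code.strip(),
                                 "reason": "request superglobal written to output unescaped"})
            elif raw_vars:
                findings.append({"line": number, "code": code.strip(),
                                 "reason": f"{raw_vars[0].group()} holds unescaped request input"})
    return findings


if __name__ == "__main__":
    for hit in scan_php(SAMPLE_PHP):
        print(f"line {hit['line']}: {hit['reason']}: {hit['code']}")
```

Point `scan_php` at each file under the document root with `pathlib.Path(root).rglob("*.php")`; treat the result as a worklist for a manual review, because the heuristic misses data that travels through functions, arrays or templates and does not know about context-specific encoders such as json_encode or urlencode.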

Strange logs in apache?

I have Apache version 2.22 and have these rare log entries with IPs from Japan, Taiwan, ...
218.52.178.3 - - [10/Feb/2015:13:48:48 +0100] "\xa6Q\xb0\xce\xf5\b\x15\x05\xd3\xaf\xbe\x1d\xac\xbf\x99lx\xbf\xb0\x16w{\xb3\xf4\xa5%\xd6\x16\xd0\x15\xd5\xfa\xcbqo\xae9\xc2\x13\xf5&\x91\xb7\x90\xa1\xe5W\xe3" 200 62
98.119.71.85 - - [10/Feb/2015:15:48:47 +0100] "\x86}\x12%\xe8<\xc9\xb8\xed\xb9\x9d4j+0-\x19\xb9\xd3\xafA\xa9#7\x04q\x17\xe3\xa4\x87\xd3\t\x04\x92\x8493X\xd3H?\xf1\xb8\x96\x11\xbf\xc9\xddQ" 400 226
Does anyone know what they mean?
This is some kind of crawler, checking for vulnerabilities. You can block them by IP. However, they change the IP constantly.
Create a .htaccess file in your document root and insert this into it:
Order Deny,Allow
Deny from 218.52.178.3
Deny from 98.119.71.85
If you have access to your firewall you can block them from there. Each firewall has a different way to block IPs.
These are requests made in Eastern languages with UTF encoding: hieroglyphs. Apache converts them to English letters. They can be decoded back to the original using some online services.