Random chars appearing in Apache access logs - apache

We are seeing random letters appear in access logs. The requests 404 since the content does not exist. The requests are made by a variety of users and other requests from the same ip usually look genuine. There is no way to request these from the site. Some of these requests even appear from internal traffic on our network.
Example:
157.203.177.191 - - [04/Feb/2018:23:51:20 +0000] "GET /VLTRP/content/dam/example/dotcom/images/ABtest/existing-customer-thumb.jpg HTTP/1.1" 404 60294 39082 "http://www.example.com/shop.html" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 2
Without the /VLTRP this is a genuine request. Has anyone seen something similar before?
For info we are running Apache/2.2.15 (Unix) with ModSec enabled. We do see similar behaviour on another site where we do not have ModSec configured. We see similar requests for internal, external and bot traffic.

Related

Why does one specific customer's IP get refused (403 error) from our apache2.4?

We never had any problem and we didn't deploy anything, but one particular customer on his ipv6 addr is now getting 403 error from our Apache and I just can't figure out why.
I'm not sure what to provide but I double check every a2 config file.
I can see the customer access in the access.log (with the 403 code status), but nothing in the error.log.
access.log :
2a02:2788(...):102f - - [17/May/2021:12:54:12 +0200] "GET /page_url HTTP/1.0" 403 368 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.75"
2a02:2788(...):102f - - [17/May/2021:12:54:15 +0200] "GET /page_url HTTP/1.0" 403 368 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.75"
It's not on the application level too, we don"t have anything that return a 403 error.
Any idea on what Apache can do to trigger 403 error specificly on IP ?
Why/how is the customer seemingly making an HTTP/1.0 request? This alone could be sufficient reason for the server to reject the request since normal users using normal browsers don't send HTTP 1.0 requests. (HTTP/1.1 is expected.)
Generally, only certain bots make HTTP 1.0 requests.
An Apache module like mod_security could potentially have a rule that would block such requests. (Or any other rule using mod_rewrite, for instance, could also block such requests - but this is certainly not a default.)
Edg/89.0.774.75
It would seem this may have been a bug with Microsoft Edge, as the following Microsoft community post (from around the same time as this question) would seem to suggest:
https://answers.microsoft.com/en-us/microsoftedge/forum/all/internet-explorer-and-ms-edge-sends-ssl-requests/22708bcd-f196-45fb-84c9-6d8c34e7e08f
And as also noted in the above article, this would seem to have been "fixed" in later versions. So, your customer may also now be "fixed". (?)

Modx manager: lang.js.php returns 401 Unauthorized

I moved my ModX website from localhost to a development server.
I updated the paths in my config files it seems to be doing fine, the frontend is working properly.
Only issue, when trying to load the manager at http://dev.noculture.asia/manager/, there is a request to connectors/lang.js.php: http://dev.noculture.asia/connectors/lang.js.php?ctx=mgr&topic=topmenu,file,resource,welcome,configcheck&action=
This request returns a 401 Unauthorized error and I have no idea why.
The logs aren't helpful at all:
Modx doesn't log any error, so I am guessing that means the error comes from Apache.
Apache error.log is empty, access.log only tells:
[11/Feb/2014:21:41:10 -0800] "GET /connectors/lang.js.php?ctx=mgr&topic=topmenu,file,resource,welcome,configcheck&action= HTTP/1.1" 401 391 "http://dev.noculture.asia/manager/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/32.0.1700.102 Chrome/32.0.1700.102 Safari/537.36"
Any suggestion how to fix this?
I realized that a 401 error is related to authentication.
I deleted the cookie for this domain, which destroyed my session. I was asked to login again, and now the manager is working properly.

XAMPP: Apache binds to all IP addresses of host

I have a XAMPP installation on Windows 2008 R2 that I have to support. The facts are these:
The computer has 3 IP addresses (25, 59 and 130, each 192.168.43.)
Apache and IIS need to run side by side (IIS is used for application pools)
The apache is configured to listen only on IP 25
Accessing any of the other IP addresses yields a message from the apache
The following configuration files have been adapted to the IP address listen/bind change (from the default installation):
httpd.conf lists "Listen 192.168.43.25:80"
httpd.conf lists "ServerName 192.168.43.25:80"
extra/httpd-ssl.conf lists "Listen 192.168.43.25:443"
I have no explanation for this behaviour. Whenever I access one of the other IP addresses, I get the following lines in the "access.log":
192.168.43.130 - - [25/Apr/2012:11:41:47 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.0; rv:11.0) Gecko/20100101 Firefox/11.0"
192.168.43.130 - - [25/Apr/2012:11:41:47 +0200] "GET /xampp/ HTTP/1.1" 403 1371 "-" "Mozilla/5.0 (Windows NT 6.0; rv:11.0) Gecko/20100101 Firefox/11.0"
I'm not sure what to make of this. I'm pretty sure that this is my fault, that I somehow do not get the configuration, yet it seems straight forward correct.
Please help me. Thank you. I'll try to answer any questions in a matter of minutes.

Fixing mistakes reading logs

I have huge 1 GB log file. As I know, it shows errors in my site. But I absolutely don't get it.
I have lots of rows like this:
8x.xxx.45.10x (my ip) - - [04/Feb/2011:09:59:48 -0500] "GET /post?slaps=bbrfd HTTP/1.1" 404 278 "http://mywebsite.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.86 Safari/534.13"
What does it mean?
Thank you very much.
That entry indicates that a request for /post?slaps=bbrfd on your site was not found (404). The request came from your IP, transferred 278 bytes of data (the 404 error page's contents). The link that couldn't be found was clicked on mywebsite.com, and the rest is how the browser identified itself. The two dashes are for "remote username", and "username as logged into the site". The remote username is VERY rarely present, as it requires the remote site running identd and would slow down your site massively.
Looks like an access log file from Apache. Nothing to do with PHP or MySQL. Looks the user got a 404 page when trying to access /post?slaps=bbrfd
This would suggest the URL does not exist.

jboss url decoding

We have a servlet hosted on jboss which works on HttpServletRequest. But sometimes we receieve requests that do not get decoded by jboss, and when we do getQueryParam on HttpServletRequest, we get null. The jboss access log shows the url in encoded form. Normally, when everything works smooth, url is shown decoded in access log.
e.g.:
This was a problematic request:
127.0.0.1 [13/Apr/2009:14:18:53 +0000] GET /redirectService//%3Fclient_id=3&redirect_url=http%253A%252F%252Fwww.amazon.de%252Fgp%252Fsearch%253Fie%253DUTF8%2526keywords%253DMicrosoft+Office+2007%2526search-alias%253Dsoftware%2526 HTTP/1.1 'null' 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12)'
This was a proper request:
127.0.0.1 [13/Apr/2009:14:19:37 +0000] GET /redirectService//?client_id=3&redirect_url=http%3A%2F%2Fwww.amazon.de%2Fgp%2Fsearch%3Fie%3DUTF8%26keywords%3DMAGIX+Video+deluxe+2008%26search-alias%3Dsoftware%26 HTTP/1.1 'http://www.google.de/search?hl=de&q=magix+video+deluxe+2008&meta=&aq=3&oq=%22magix%22' 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322)'
Could we be missing some jboss decode settings, or is it just a case of malicious user?
Hard to tell, really.
The client seems to be decoding the question mark into "%3F" but not the ampersand. Suspicious, isn't it?. This looks like a buggy client IMO. Maybe nonportable javascript, maybe some URL-rewriting bug on the web server side, or a more esoteric cause ... a malfunctioning browser plugin.
To rule out nonportable javascript, log the user-agent and compare results. To rule out url-rewriting bug, log referer.
AFAIK, the URL decoder behavior is hardcoded. The string encoding can change if uri's get written in non-ascii or non-iso88591, but that's not what you're after. What encodes question marks but fail to encode ampersands escapes me.
We logged the user-agent, it is some suspicious "XXXagentXXX" in most cases, but a genuine Mozilla (as above) in others. Referrer is "-" for all these requests. However, there is one curious thing I noticed today. We redirect our requests from apache (80) to jboss. Apache access log shows above request as completely encoded:
GET /r/%3Fclient_id%3D3%26redirect_url%3Dhttp%253A%252F%252Fwww.amazon.de%252Fgp%252Fsearch%253Fie%253DUTF8%2526keywords%253DCyberlink%2BPower%2BDirector%2526search-alias%253Dsoftware HTTP/1.0" 400 965 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10)"
while jboss access log has everything except %3F decoded. Now this makes me think apache is screwing up somewhere in the decoding?
I had problem decoding URL too with JBoss 13.
I added the last line in JBoss configuration and it works now.
/subsystem=undertow/servlet-container=default:write-attribute(name=default-encoding,value="ISO-8859-15")
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=url-charset,value="ISO-8859-15")
Doc is here if more needed : https://wildscribe.github.io/WildFly/13.0/subsystem/undertow/server/http-listener/index.html