Strange GET request in Apache Log - apache

I'm monitoring my website with the Apache log and I saw some strange requests, see:
51.255.65.74 - - [28/May/2016:11:48:02 -0300] "GET /insert/xahanave.html HTTP/1.1" 404 1035 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.1; +http://ahrefs.com/robot/)"
207.46.13.128 - - [28/May/2016:11:49:13 -0300] "GET / HTTP/1.1" 200 14188 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
66.249.64.87 - - [28/May/2016:11:49:32 -0300] "GET /css/kin8tengoku-1144-may.html HTTP/1.1" 404 1039 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Well, my FTP doesn't have the folder "/insert/xanahave", nor the file 'kin8tengoku' in the css folder. Is it possible to make a request to a non-existent file/folder?
Important: Some days ago my site was hacked and an "insert" folder was created without permission in FTP, but now everything is clean and the "insert" folder doesn't exist anymore. My big question is, why do requests to this folder continue?

Because the files were picked up by Ahrefs, the Bing search engine and the Google search engine when they were up, and they periodically recheck files to see if there are any changes. This is how Google and the like return up-to-date information on your site.
You can see it's these companies from the user agent sent (at the end of each line). Now some more nefarious bots sometimes pretend to be GoogleBot, but a quick Google of these IP addresses shows these to be legitimate ones.
As you can see, your server correctly responds with a 404 (page not found status) and, providing there are no links to them, these companies will eventually take the hint, drop them from their index and stop requesting them. This can take a month or two. They don't do this immediately in case the 404 is an error because you accidentally removed the page or similar.

Related

Googlebot-Image/1.0 requesting multiple images

For a while I have experienced that the Google image bot is requesting a bunch of images in a single request. This request always ends up in a 404, but all the images exist.
The request URL consists of a comma-separated list of URLs.
Here is a line from the apache access.log:
66.249.76.96 - - [21/Nov/2018:15:25:14 +0100] "GET /images/img1.jpg,https://example.com/images/img2.jpg,https://example.com/images/img3.jpg HTTP/1.1" 404 10459 "-" "Googlebot-Image/1.0"
Is this request type even possible? And how can I fix the server to serve the images?
Thanks in advance.

Random chars appearing in Apache access logs

We are seeing random letters appear in access logs. The requests 404 since the content does not exist. The requests are made by a variety of users and other requests from the same ip usually look genuine. There is no way to request these from the site. Some of these requests even appear from internal traffic on our network.
Example:
157.203.177.191 - - [04/Feb/2018:23:51:20 +0000] "GET /VLTRP/content/dam/example/dotcom/images/ABtest/existing-customer-thumb.jpg HTTP/1.1" 404 60294 39082 "http://www.example.com/shop.html" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 2
Without the /VLTRP this is a genuine request. Has anyone seen something similar before?
For info we are running Apache/2.2.15 (Unix) with ModSec enabled. We do see similar behaviour on another site where we do not have ModSec configured. We see similar requests for internal, external and bot traffic.

Apache access log, strange post requests

I'm getting lots of strange requests in my access log:
ip login:"-" - - [24/May/2017:01:26:30 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/D89B1EDB-4CED-D145-9246-16243451D23D/from HTTP/1.0" 404 1346 Time:"2s" pid:23050 Mem:"2097152
ip login:"-" - - [24/May/2017:00:48:35 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/E970DBFE-0DB1-A749-9392-CF1704CC81FD/from HTTP/1.0" 404 1348 Time:"0s" pid:22893 Mem:"4194304"
ip login:"-" - - [23/May/2017:00:33:08 +0700] "POST /CE92AFB2-2FDE-8742-B5ED-0629F2B9B622/2D682DC1-D8C5-574F-8A0E-AC62EB96CBD8/from HTTP/1.0" 404 1348 Time:"0s" pid:6695 Mem:"4194304"
...
Also, sometimes (not so frequently), I get another type of log record containing parts of my HTML pages:
ip login:"-" - - [23/May/2017:14:00:49 +0700] "GET /static/legacy/js/ion%20value=201602>%D4%E5%E2%F0%E0%EB%FC%202016</option><option%20value=201601>%DF%ED%E2%E0%F0%FC%202016</option><option%20value=201512>%C4%E5%EA%E0%E1%F0%FC%202015</option><option%20value=201511>%CD%EE%FF%E1%F0%FC%202015</option><option%20value=201510>%CE%EA%F2%FF%E1%F0%FC%202015</option><option%20value=201509>%D1%E5%ED%F2%FF%E1%F0%FC%202015</option><option%20value=201508>%C0%E2%E3%F3%F1%F2%202015</option><option%20value=201507>%C8%FE%EB%FC%202015</option><option%20value=201506>%C8%FE%ED%FC%202015</option><option%20value=201505>%CC%E0%E9%202015</option><option%20value=201504>%C0%EF%F0%E5%EB%FC%202015</option><option%20value=201503>%CC%E0%F0%F2%202015</option><option%20value=201502>%D4%E5%E2%F0%E0%EB%FC%202015</option><option%20value=201501>%DF%ED%E2%E0%F0%FC%202015</option><option%20value=201412>%C4%E5%EA%E0%E1%F0%FC%202014</option><option%20value=201411>%CD%EE%FF%E1%F0%FC%202014</option><option%20value=201410>%CE%EA%F2%FF%E1%F0%FC%202014</option><option%20value=201409>%D1%E5%ED%F2%FF%E1%F0%FC%202014</option><option%20value=201408>%C0%E2%E3%F3%F1%F2%202014</option><option%20value=201407>%C8%FE%EB%FC%202014</option><option%20value=201406>%C8%FE%ED%FC%202014</option><option%20value=201405>%CC%E0%E9%202014</option><option%20value=201404>%C0%EF%F0%E5%EB%FC%202014</option><option%20value=201403>%CC%E0%F0%F2%202014</option><option%20value=201402>%D4%E5%E2%F0%E0%EB%FC%202014</option><option%20value=201401>%DF%ED%E2%E0%F0%FC%202014</option><option%20value=201312>%C4%E5%EA%E0%E1%F0%FC%202013</option><option%20value=201311>%CD%EE%FF%E1%F0%FC%202013</option></select></td></tr><script%20type= HTTP/1.0" 404 1347 Time:"0s" pid:15377 Mem:"4194304"
Does anyone know something about it?
OS: ubuntu 15.10 x64
Apache: v 2.4.24
Looks to me like someone found a cross-site scripting (XSS) vulnerability somewhere in your code.
Without seeing the code in the file found (presumably) at /static/legacy/js/ion, it's almost impossible to offer any advice or answers as to what needs to be done.
Generally speaking though, somewhere along the line there's code that produces output without it first being sanitized. It could be inside that file, or maybe even inside the file that produces the output that writes that line.
Either way, it would probably be best to search for things like $_POST, $_GET, $_REQUEST, etc., that are producing output provided by the user without first being sanitized.

Suspicious requests in Apache web server log file

I found the following requests in my Apache web server. Are these hack attempts? Will they be harmful to the server?
My server is crashing frequently, and I don't know the reasons for it:
GET /muieblackcat HTTP/1.1" 302 214
GET //index.php HTTP/1.1" 302 214
GET //admin/index.php HTTP/1.1" 302 214
GET //admin/pma/index.php HTTP/1.1" 302 214
GET //admin/phpmyadmin/index.php HTTP/1.1" 302 214
/user/soapCaller.bs HTTP/1.1" 302 214
GET /robots.txt HTTP/1.0" 302 214
We see a lot of requests for non-existent setup.php files:
GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /myadmin/scripts/setup.php HTTP/1.1" 302 214
GET //typo3/phpmyadmin/index.php HTTP/1.1" 302 214
GET /pma/scripts/setup.php HTTP/1.1" 302 214
GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 302 214
The below request is also accessed on the server. What request is this?
95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
How should this server crash issue be understood?
Yes, these are probably attempts to hack your server. The hacker makes calls to URLs with known weaknesses. However, you are safe as long as these files don't exist on your server.
You should be concerned if you actually have a file with a known weakness.
One temporary solution would be to block the IP address that these calls are made from. You should also check if any calls from that particular IP address actually found an existing page.
The only permanent solution is to upgrade all of your software so that you are not vulnerable to known security weaknesses.
These HTTP calls cannot explain why your server crashes.
PS: The /robots.txt is not a hacking attempt. This is a file that search engines like Google look for to get instructions about how to index your site. That is perfectly OK.
I'd like to ask if you are using PHP at all. Most webspaces support a lot of features. If you don't use PHP, CGI, SSI, etc., you could turn them off.
Also it might be an idea to watch your messages (Linux? - tail -f /var/log/messages). There you can see live actions.
Another idea would be to move the well-known ports of SSH and other daemons, except HTTP, to unusual high ports above 1024 - or, if you have your own public IP address from which you access the Internet, you could set your firewall to only accept connections on those ports from your own IP address.
A good solution would be, if you are running Apache/WHM, to install Mod_security and CSFirewall. Mod_Sec will watch for malicious activity and kick IP addresses to the firewall if they trigger the same security rule too often.
Another solution, which is pretty extreme, would be to block all IP traffic in the firewall based on country code. For instance, if you notice that most of your attacks are coming from Ukraine and 99% of your user base is in the USA, then block the entire offending country. As I said... it's extreme.
Also note that running mod_sec and csf can slow down the server, since it has to check the firewall database for all incoming traffic.

Fixing mistakes reading logs

I have a huge 1 GB log file. As far as I know, it shows errors on my site. But I absolutely don't get it.
I have lots of rows like this:
8x.xxx.45.10x (my ip) - - [04/Feb/2011:09:59:48 -0500] "GET /post?slaps=bbrfd HTTP/1.1" 404 278 "http://mywebsite.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.86 Safari/534.13"
What does it mean?
Thank you very much.
That entry indicates that a request for /post?slaps=bbrfd on your site was not found (404). The request came from your IP, transferred 278 bytes of data (the 404 error page's contents). The link that couldn't be found was clicked on mywebsite.com, and the rest is how the browser identified itself. The two dashes are for "remote username", and "username as logged into the site". The remote username is VERY rarely present, as it requires the remote site running identd and would slow down your site massively.
Looks like an access log file from Apache. Nothing to do with PHP or MySQL. It looks like the user got a 404 page when trying to access /post?slaps=bbrfd.
This would suggest the URL does not exist.
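The field breakdown in the answer above, and the crawler re-checks and scanner probes discussed in the earlier answers, as an added example that is not part of any post on this page: a parser for Apache's combined log format plus a classifier run over a constructed sample log (three of the sample lines are copied from the posts above, the other two are made up; the crawler tokens and probe paths are the ones the posts mention).

```python
import re
from collections import Counter
# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# %l = identd name (almost always "-"), %u = HTTP-auth user, %b = bytes sent in the body.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

# Crawler user-agent tokens and probed paths as they appear in the posts above.
CRAWLER_TOKENS = ("Googlebot", "bingbot", "AhrefsBot")
PROBE_PATH_RE = re.compile(r"(?i)/scripts/setup\.php|phpmyadmin|/pma/|/muieblackcat|soapCaller\.bs")
# Constructed sample log: lines 1, 2 and 4 are copied from the posts above, 3 and 5 are made up.
SAMPLE_LOG = """\
51.255.65.74 - - [28/May/2016:11:48:02 -0300] "GET /insert/xahanave.html HTTP/1.1" 404 1035 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.1; +http://ahrefs.com/robot/)"
207.46.13.128 - - [28/May/2016:11:49:13 -0300] "GET / HTTP/1.1" 200 14188 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.7 - - [16/Aug/2012:18:14:52 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 214 "-" "-"
95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
203.0.113.5 - - [04/Feb/2011:09:59:48 -0500] "GET /post?slaps=bbrfd HTTP/1.1" 404 278 "http://mywebsite.com/" "Mozilla/5.0 (Windows NT 6.0) Chrome/9.0.597.86"
"""
def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])  # "-" means no body
    return entry

def classify(entry):
    """Attribute one entry to the cause a log reader would suspect first."""
    agent = entry.get("agent") or ""
    if entry["method"] == "CONNECT":           # asks the server to relay to host:port
        return "open-proxy probe"
    if PROBE_PATH_RE.search(entry["target"]):  # well-known admin/setup paths, usually 404
        return "vulnerability scan"
    if any(tok in agent for tok in CRAWLER_TOKENS):
        return "crawler re-check" if entry["status"] == 404 else "crawler"
    if entry["status"] == 404:
        return "missing resource"
    return "normal"

def summarize(log_text):
    # Count classifications over a whole log; lines that do not parse are counted too.
    counts = Counter()
    for line in filter(str.strip, log_text.splitlines()):
        entry = parse_line(line)
        counts[classify(entry) if entry else "unparsed"] += 1
    return counts
```

Feeding a real access log to summarize() gives a quick split between crawler re-checks of removed pages, which fade on their own as the answers explain, and probes of admin paths, which are worth correlating with the same IP's other requests.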