I am currently getting 500 errors from Apache using a alarming probe shell script that has been provided to myself.
Unfortunately I have not been able to get to the bottom of why the script generates a 500 error when attempting to access content locally on the server but using other methods like wget and telnet works fine.
The following are the Apache access log entries for each of the attempts:
Using Wget
127.0.0.1 - "" [19/Mar/2013:14:31:44 +1100] "GET /index.html HTTP/1.1" 200 1635 "-" "Wget/1.13.3" "-"
Using Telnet
127.0.0.1 - "" [20/Mar/2013:13:12:11 +1100] "GET /index.html HTTP/1.1" 200 1635 "-" "-" "-"
Using the Probe Scripts
127.0.0.1 - - [19/Mar/2013:14:33:56 +1100] "GET /index.html HTTP/1.1" 500 - "-" "" "-"
The only difference I can see is that the probe has a - instead of a "" in the user agent (3rd item) which either way tells me it wasn't passed in any of the instances (as this is expected since there is no authentication).
I've bumped up the logging for everything in Apache and can't figure out what is amiss. There is no processing involved, it's a static file, and I have attempted with other file types too, like images to no avail.
Does anyone have any ideas or has seen something similar?
Thanks,
Tony
Related
Yesterday we faced a strange behavior when reading access log of Apache httpd. An example of below:
207.46.13.135 - - [25/Sep/2022:15:28:28 +0700] "GET / HTTP/1.1" 302 287 (core.c/0/translate_name) - 140
This is a normal access entry: x.x.x.x - - [26/Sep/2022:14:16:57 +0700] "GET /corp/L003/consumer/theme/vn.ssc.css HTTP/1.1" 200 1043 (core.c/0/handler) - 830
We have directives to proxy and redirect the request going to the system. But why this does not redirect (the return code 302 is understandable when in debug mod but why we don't get it when having in production log) – > We suspected that these IPs used some kind of engines to flood the web server, only to response status but not the content.
I am working on emulating an embedded device that is being controlled via HTML commands. The controller issues URLs such as
http://192.168.0.10/cgi-bin/aw_cam?cmd=QFT&res=1
And these affect the device in specific ways. My goal is to make an emulator of the device so I need to capture and handle all such requests. I have successfully configured Apache to call my scripts and I can get access to the "cmd=QFT&res=1" control string by reading the value of QUERY_STRING. I am using Apache 2.4.18 on Ubuntu 16.04.5. The scripts are written in C++.
The problem I am running into is that some of the commands issued by the controller are of the following form:
http://192.168.0.10/cgi-bin/aw_ptz?cmd=#P80&res=1
http://192.168.0.10/cgi-bin/aw_ptz?cmd=#T50&res=1
For whatever reason, whoever designed the command structure decided to use the # character as part of the command. But since the '#' delimits the fragment part of the URL, the information after it never makes it to my script, which only receives "cmd="
Is there any way to force Apache to pass the entire string after the ? to my scripts? I cannot change the client or the protocol, only the server side.
Edit:
The apache log shows the entire URL (see portion of log file below), so even though # is supposed to be a fragment delimiter, it makes it into the log file at least but not the cgi script.
192.168.0.9 - - [27/Jan/2019:00:21:10 +0000] "GET /cgi-bin/aw_ptz?cmd=#P53&res=1 HTTP/1.0" 200 151 "-" "-"
192.168.0.9 - - [27/Jan/2019:00:21:11 +0000] "GET /cgi-bin/aw_ptz?cmd=#P66&res=1 HTTP/1.0" 200 151 "-" "-"
192.168.0.9 - - [27/Jan/2019:00:21:11 +0000] "GET /cgi-bin/aw_ptz?cmd=#P99&res=1 HTTP/1.0" 200 151 "-" "-"
192.168.0.9 - - [27/Jan/2019:00:21:11 +0000] "GET /cgi-bin/aw_ptz?cmd=#P76&res=1 HTTP/1.0" 200 151 "-" "-"
This seems to work:
RewriteCond %{THE_REQUEST} \s(.*)#(.*)\s
RewriteRule ^ http://localhost:8000%1#%2 [P,NE]
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
(I had python simple http server listening on localhost:8000 to verify if hash was passed correctly
Getting lot strange requests in my access log:
ip login:"-" - - [24/May/2017:01:26:30 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/D89B1EDB-4CED-D145-9246-16243451D23D/from HTTP/1.0" 404 1346 Time:"2s" pid:23050 Mem:"2097152
ip login:"-" - - [24/May/2017:00:48:35 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/E970DBFE-0DB1-A749-9392-CF1704CC81FD/from HTTP/1.0" 404 1348 Time:"0s" pid:22893 Mem:"4194304"
ip login:"-" - - [23/May/2017:00:33:08 +0700] "POST /CE92AFB2-2FDE-8742-B5ED-0629F2B9B622/2D682DC1-D8C5-574F-8A0E-AC62EB96CBD8/from HTTP/1.0" 404 1348 Time:"0s" pid:6695 Mem:"4194304"
...
Also, sometimes (not so frequently), getting another type of logs records containing parts of my HTML pages:
ip login:"-" - - [23/May/2017:14:00:49 +0700] "GET /static/legacy/js/ion%20value=201602>%D4%E5%E2%F0%E0%EB%FC%202016</option><option%20value=201601>%DF%ED%E2%E0%F0%FC%202016</option><option%20value=201512>%C4%E5%EA%E0%E1%F0%FC%202015</option><option%20value=201511>%CD%EE%FF%E1%F0%FC%202015</option><option%20value=201510>%CE%EA%F2%FF%E1%F0%FC%202015</option><option%20value=201509>%D1%E5%ED%F2%FF%E1%F0%FC%202015</option><option%20value=201508>%C0%E2%E3%F3%F1%F2%202015</option><option%20value=201507>%C8%FE%EB%FC%202015</option><option%20value=201506>%C8%FE%ED%FC%202015</option><option%20value=201505>%CC%E0%E9%202015</option><option%20value=201504>%C0%EF%F0%E5%EB%FC%202015</option><option%20value=201503>%CC%E0%F0%F2%202015</option><option%20value=201502>%D4%E5%E2%F0%E0%EB%FC%202015</option><option%20value=201501>%DF%ED%E2%E0%F0%FC%202015</option><option%20value=201412>%C4%E5%EA%E0%E1%F0%FC%202014</option><option%20value=201411>%CD%EE%FF%E1%F0%FC%202014</option><option%20value=201410>%CE%EA%F2%FF%E1%F0%FC%202014</option><option%20value=201409>%D1%E5%ED%F2%FF%E1%F0%FC%202014</option><option%20value=201408>%C0%E2%E3%F3%F1%F2%202014</option><option%20value=201407>%C8%FE%EB%FC%202014</option><option%20value=201406>%C8%FE%ED%FC%202014</option><option%20value=201405>%CC%E0%E9%202014</option><option%20value=201404>%C0%EF%F0%E5%EB%FC%202014</option><option%20value=201403>%CC%E0%F0%F2%202014</option><option%20value=201402>%D4%E5%E2%F0%E0%EB%FC%202014</option><option%20value=201401>%DF%ED%E2%E0%F0%FC%202014</option><option%20value=201312>%C4%E5%EA%E0%E1%F0%FC%202013</option><option%20value=201311>%CD%EE%FF%E1%F0%FC%202013</option></select></td></tr><script%20type= HTTP/1.0" 404 1347 Time:"0s" pid:15377 Mem:"4194304"
Anyone know something about it?
OS: ubuntu 15.10 x64
Apache: v 2.4.24
Looks to me like someone found a cross-site scripting (XSS) vulnerability somewhere in your code.
Without seeing the code found in the file found (presumably) at /static/legacy/js/ion, it's almost impossible to offer any advice or answers as to what needs to be done.
Generally speaking though, somewhere along the line there's code that exists which is producing output without first being sanitized. It could be inside that file, or maybe even inside the file that produces the output that writes that line.
Either way, it would probably be best to search for things like $_POST, $_GET, $_REQUEST, etc., that are producing output provided by the user without first being sanitized.
I am running a website with siginup/login process. and I like to insert user ids when the user signs up or in to my website.
My apache access.log is as in the following:
115.137.10.87 - - [26/Aug/2013:07:38:52 +0900] "GET /api/game/ HTTP/1.1" 200 1402 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
115.137.10.87 - - [26/Aug/2013:07:38:59 +0900] "GET /api/premium/brand HTTP/1.1" 200 721 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
115.137.10.87 - - [26/Aug/2013:07:38:59 +0900] "GET /api/brand/ HTTP/1.1" 200 2510 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
115.137.10.87 - - [26/Aug/2013:07:39:00 +0900] "GET /api/game/ HTTP/1.1" 200 1402 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
I can clearly see what http request was sent from what ip address.
But if I put the user id (eg. $userid) to this log, it would be wonderful log, and I will be able to get a good statistic information for making decision.
If it is possible, is there any way to do this?
Any advice will be really appreciated.
The log will be like this:
115.137.10.87 - - [26/Aug/2013:07:38:52 +0900] "***[USERID]*** GET /api/game/ HTTP/1.1" 200 1402 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
If you are using HTTP Basic or Digest authentication, then the user name is derived from an HTTP header and can be inserted into the log by using %u in a LogFormat directive in your apache config. If you have a login system that does not include the username in a header (likely), then the only other option I know of would be to somehow set an environment variable which Apache could then write out with %{FOOBAR}e. See http://httpd.apache.org/docs/2.2/logs.html
Otherwise, you're probably better off writing out your own log file from your application code (or use an application level logging library - Log4j, or whatever.)
In Apache access.log, I am used to this kind of access log line:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
I was checking some apache access logs this morning and found something I'm not used to:
192.168.1.10- - [20/Feb/2013:00:00:45 +0000] "POST /form/... 404 200 252 "-" "-" 435835
There are multiple status code. Does-it mean the request was sended multiple times (something like a failed/retry mechanism?