[RndTbl] weird apache hit

Trevor Cordes trevor at tecnopolis.ca
Mon Feb 17 16:29:50 CST 2020

I have a mystery hit on my apache server that is giving weird results that
by config should never happen... and I can't figure it out.  What's
happening is very rarely a hit will "break out" of the dirs that I think
all hits should be limited to.  And I can't reproduce it with telnet

Somehow a hit is getting access to /var/www/html/ when that should be
impossible.  Yes, it's my document root in the global area, but
immediately in my virtualhost for that IP and port I redefine docroot to
a sub dir of that.  There should be no way someone can hit the site and
get to the original docroot.

Yes, I am probably going to change the default global docroot to just be
the same as my subdir one in the virthost, but I really want to figure out
why the request can break out the way it is.

The only thing weird about the hit, based on my customized logging
details, is that they are hitting a ServerAlias of the virthost, which is
a bit odd because that particular alias isn't public knowledge (though
it's not really hidden either).  Oh ya, and the IP is in HK and is trying
fuzzing attacks again me.

Here's the hit (IPs/hostnames changed): - - [17/Feb/2020:02:40:07 -0600] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 80 9-w1.foo.com /var/www/html/

Note port 80, note the serveralias they hit us with, note the resulting
directory /var/www/html

Here's the error it generates:
[Mon Feb 17 14:43:13.444291 2020] [autoindex:error] [pid 16365:tid 140334311606016] [client] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.phtml,index.html,index.phtml,index.php) found, and server-generated directory index forbidden by Options directive

It's ok it's forbidden (in fact, might have saved my bacon) as I have
dirindex forbidden globally.  The thing is no hit should ever be trying to
find a index.html in /var/www/html!

When I try to recreate the hit to match the above manually with telnet, no
matter what I do I can't get the serveralias to match their hit:

telnet foo.com
GET / HTTP/1.1
Host: 9-w1.foo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

Gives me a log result which matches what I expect the correct behaviour to
be: - - [17/Feb/2020:15:48:21 -0600] "GET / HTTP/1.1" 302 136 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 80 www.foo.com proxy:fcgi://localhost/var/www/html/Foo/Live/index.phtml

What on earth are the other parameters or headers they are passing in that
results in a different result than my test?  I'm truly stumped.  I could
try to capture packets of a hit, but the "attacks" only happen 2-3 times a
day and always from different IPs in Asia.

More information about the Roundtable mailing list