[RndTbl] weird apache hit

Theodore Baschak theodore at ciscodude.net
Mon Feb 17 19:53:47 CST 2020


Also, you've got the IP and you say they're persistent, tcpdump/tshark some
packets to a file and see the contents of the request in more detail?


Theo


On Mon, Feb 17, 2020 at 5:33 PM <athompso at athompso.net> wrote:

> First thought: what other hits come from that IP address previously?
> Could it be Redirect or rewrite?
> -Adam
>
> On Feb. 17, 2020 16:29, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>
> I have a mystery hit on my apache server that is giving weird results that
> by config should never happen... and I can't figure it out.  What's
> happening is very rarely a hit will "break out" of the dirs that I think
> all hits should be limited to.  And I can't reproduce it with telnet
> tests.
>
> Somehow a hit is getting access to /var/www/html/ when that should be
> impossible.  Yes, it's my document root in the global area, but
> immediately in my virtualhost for that IP and port I redefine docroot to
> a sub dir of that.  There should be no way someone can hit the site and
> get to the original docroot.
>
> Yes, I am probably going to change the default global docroot to just be
> the same as my subdir one in the virthost, but I really want to figure out
> why the request can break out the way it is.
>
> The only thing weird about the hit, based on my customized logging
> details, is that they are hitting a ServerAlias of the virthost, which is
> a bit odd because that particular alias isn't public knowledge (though
> it's not really hidden either).  Oh ya, and the IP is in HK and is trying
> fuzzing attacks against me.
>
> Here's the hit (IPs/hostnames changed):
> 1.2.3.4 - - [17/Feb/2020:02:40:07 -0600] "GET / HTTP/1.1" 403 199 "-"
> "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
> 80 9-w1.foo.com /var/www/html/
>
> Note port 80, note the serveralias they hit us with, note the resulting
> directory /var/www/html
>
> Here's the error it generates:
> [Mon Feb 17 14:43:13.444291 2020] [autoindex:error] [pid 16365:tid
> 140334311606016] [client 2.3.4.5:54603] AH01276: Cannot serve directory
> /var/www/html/: No matching DirectoryIndex
> (index.phtml,index.html,index.phtml,index.php) found, and server-generated
> directory index forbidden by Options directive
>
> It's ok it's forbidden (in fact, might have saved my bacon) as I have
> dirindex forbidden globally.  The thing is no hit should ever be trying to
> find an index.html in /var/www/html!
>
> When I try to recreate the hit to match the above manually with telnet, no
> matter what I do I can't get the serveralias to match their hit:
>
> telnet foo.com
> GET / HTTP/1.1
> Host: 9-w1.foo.com
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101
> Firefox/52.0
>
> Gives me a log result which matches what I expect the correct behaviour to
> be:
>
> 50.71.247.87 - - [17/Feb/2020:15:48:21 -0600] "GET / HTTP/1.1" 302 136 "-"
> "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
> 80 www.foo.com proxy:fcgi://localhost/var/www/html/Foo/Live/index.phtml
>
> What on earth are the other parameters or headers they are passing in that
> results in a different result than my test?  I'm truly stumped.  I could
> try to capture packets of a hit, but the "attacks" only happen 2-3 times a
> day and always from different IPs in Asia.
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.ca
> https://muug.ca/mailman/listinfo/roundtable
>
>
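An added example, not from the thread or from anyone on it: a small Python checker for the custom log format the quoted posts show. It assumes the format is Apache "combined" followed by server port, server name and the file the request resolved to (the thread does not state the exact LogFormat, so that is an assumption), flags hits whose served path landed in the global DocumentRoot instead of the virtual host's subdirectory, and lists everything else logged from the same client address, as Adam suggested. The two sample lines are the ones quoted above, rejoined from their mail-wrapped form; the virtual host docroot /var/www/html/Foo/Live/ is inferred from the proxy path in the expected-behaviour line.

```python
import re

# Assumed log format (the thread doesn't state it): Apache "combined" followed by
# %p (port), %V (server name) and %f (filename the request resolved to).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<port>\d+) '
    r'(?P<vhost>\S+) (?P<path>\S+)$'
)

GLOBAL_DOCROOT = "/var/www/html/"           # global DocumentRoot named in the thread
VHOST_DOCROOT = "/var/www/html/Foo/Live/"   # vhost docroot inferred from the proxy path

# The two log lines quoted in the thread, rejoined from their mail-wrapped form.
SAMPLE_LOG = [
    '1.2.3.4 - - [17/Feb/2020:02:40:07 -0600] "GET / HTTP/1.1" 403 199 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" '
    '80 9-w1.foo.com /var/www/html/',
    '50.71.247.87 - - [17/Feb/2020:15:48:21 -0600] "GET / HTTP/1.1" 302 136 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" '
    '80 www.foo.com proxy:fcgi://localhost/var/www/html/Foo/Live/index.phtml',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line doesn't fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def served_path(path_field):
    """Normalise %f: a request handed to mod_proxy_fcgi is logged as
    proxy:fcgi://host/real/path, so strip the scheme and host back to /real/path."""
    if path_field.startswith("proxy:"):
        rest = path_field.split("://", 1)[1]      # "localhost/var/www/..."
        return "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    return path_field


def escaped_vhost(entry):
    """True when the hit resolved under the global docroot but outside the vhost's."""
    path = served_path(entry["path"])
    return path.startswith(GLOBAL_DOCROOT) and not path.startswith(VHOST_DOCROOT)


def find_escapes(lines):
    """All parseable hits that landed in the global docroot, with the path normalised."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry and escaped_vhost(entry):
            entry["served"] = served_path(entry["path"])
            out.append(entry)
    return out


def hits_from(lines, ip):
    """Every parseable hit from one client IP: Adam's 'what else came from that address'."""
    return [e for e in map(parse_line, lines) if e and e["ip"] == ip]


if __name__ == "__main__":
    for e in find_escapes(SAMPLE_LOG):
        print(f"{e['ts']} {e['ip']} Host={e['vhost']} port={e['port']} -> {e['served']}")
    for e in hits_from(SAMPLE_LOG, "1.2.3.4"):
        print("same client:", e["req"], e["status"])
```

Pointing it at a real log is `find_escapes(open("/var/log/httpd/access_log"))`; lines that do not match the assumed format are skipped rather than mis-parsed, so a LogFormat that differs shows up as an empty result, not as false alarms. The Host value (%V) in each flagged line is the thing to compare against the ServerName and ServerAlias entries of every virtual host bound to that port, since that is what decides which DocumentRoot the request ends up in.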