[RndTbl] weird apache hit

Tim Lavoie tim at fractaldragon.net
Mon Feb 17 23:18:18 CST 2020


If you’re up to adding and configuring it, ModSecurity and the community rule set can provide a lot of information. Besides actively preventing some attacks, you can log complete requests, ideally only for the weird traffic.

> On Feb 17, 2020, at 7:03 PM, Trevor Cordes <trevor at tecnopolis.ca> wrote:
> 
> On 2020-02-17 athompso at athompso.net wrote:
>> First thought: what other hits come from that IP address previously?
>> Could it be Redirect or rewrite? -Adam
> 
> The pattern is 2-3 fuzz hits that get 4xx codes like:
> 1.2.3.4 - - [17/Feb/2020:14:59:28 -0600] "\x16\x03\x01" 400 226 "-" "-"
> 80 9-w1.foo.com -
> 
> Then the hit that breaks into /var/www/html
> 
>> On 2020-02-17 Theodore Baschak wrote:
>> Also, you've got the IP and you say they're persistent,
>> tcpdump/tshark some packets to a file and see the contents of the
>> request in more detail?
> 
> I get 4-5 hits total from a single IP, then no more from that IP.  Then
> a while later it'll be the same pattern from another IP.  I have dozens
> of these groups of hits logged, always the similar sequence.  Sometimes
> they just do the \x code hits and not the breakout hit.
> 
> Probably a bot net causing this.
> 
> So I can't easily dump these packets, at least not based on IP.  This is
> a very busy production server so I'm not sure I want to turn on global
> port 80 packet capture... although, most traffic is port 443, so maybe
> it is an option.
> 
> I'm also looking into logging more of the request.  There doesn't seem
> a way to log all headers, but I can log specific ones.
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.ca
> https://muug.ca/mailman/listinfo/roundtable
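As an added illustration of the detection side of the pattern Trevor describes (not code from the original thread): the `\x16\x03\x01` in the request field is how Apache escapes the first bytes of a TLS handshake record (content type 0x16, record version 3.1), i.e. a TLS ClientHello sent to the plaintext port 80 listener, which Apache answers with a 400. The script below parses lines in the quoted log layout (combined format plus two custom trailing fields, assumed here to be server port and vhost), groups them by client IP, counts the TLS-looking probes per IP, and reports the first ordinary request that IP sent after probing, which is where the "breakout" hit would show up for follow-up. The log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Combined log line with two trailing custom fields (assumed: port, vhost).
# Non-printable request bytes appear in the log as literal text such as "\x16".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<port>\d+) (?P<vhost>\S+) \S+)?$'
)

# TLS record header: handshake (0x16), version 3.1, as Apache escapes it.
TLS_RECORD_PREFIX = r"\x16\x03\x01"

# Constructed sample log: two IPs probe with TLS bytes, one is a normal client.
SAMPLE_LOG = r"""
1.2.3.4 - - [17/Feb/2020:14:59:28 -0600] "\x16\x03\x01" 400 226 "-" "-" 80 9-w1.foo.com -
1.2.3.4 - - [17/Feb/2020:14:59:29 -0600] "\x16\x03\x01\x01" 400 226 "-" "-" 80 9-w1.foo.com -
1.2.3.4 - - [17/Feb/2020:14:59:31 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 80 9-w1.foo.com -
5.6.7.8 - - [17/Feb/2020:15:10:02 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 80 9-w1.foo.com -
9.9.9.9 - - [17/Feb/2020:16:02:11 -0600] "\x16\x03\x01" 400 226 "-" "-" 80 9-w1.foo.com -
9.9.9.9 - - [17/Feb/2020:16:02:12 -0600] "\x16\x03\x01" 400 226 "-" "-" 80 9-w1.foo.com -
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_tls_probe(rec):
    """A request line that starts with a TLS record header and got a 400."""
    return rec["req"].startswith(TLS_RECORD_PREFIX) and rec["status"] == "400"


def find_probe_groups(lines):
    """Map each probing IP to (probe_count, first_request_after_probes).

    The second element is None when the IP only sent probes, as in the
    thread's cases that do the \\x hits but never the follow-up hit.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line.strip())
        if rec:
            by_ip[rec["ip"]].append(rec)
    groups = {}
    for ip, recs in by_ip.items():
        first_probe = next((i for i, r in enumerate(recs) if is_tls_probe(r)), None)
        if first_probe is None:
            continue  # ordinary client, nothing to report
        probes = sum(1 for r in recs if is_tls_probe(r))
        follow = next((r["req"] for r in recs[first_probe:] if not is_tls_probe(r)), None)
        groups[ip] = (probes, follow)
    return groups


if __name__ == "__main__":
    for ip, (n, follow) in find_probe_groups(SAMPLE_LOG.strip().splitlines()).items():
        print(f"{ip}: {n} TLS-on-port-80 probes, follow-up request: {follow!r}")
```

Point it at the real access log (`find_probe_groups(open(path))`) to list every IP group and the request that followed the probes, which narrows what to capture with tcpdump or log in full with ModSecurity.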
