Web Server Log Entry Question
Hello!
Here is a log snippet from an Apache2 access.log:
5.41.13.252 - - [09/Jun/2022:05:23:50 +0000] "POST /avdhkn HTTP/1.1" 404 497 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
5.41.13.252 - - [09/Jun/2022:05:23:50 +0000] "POST /gbu38w HTTP/1.1" 404 497 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
5.41.13.252 - - [09/Jun/2022:05:23:50 +0000] "POST /rhrzgc HTTP/1.1" 404 502 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
91.227.25.251 - - [09/Jun/2022:05:23:51 +0000] "GET /i4b16nGjRiIl7EFYx1b.YPEWkJ/B7k?SDvQ-P.WAf=8DC7evsTjj5l45.Cp-W3 HTTP/1.1" 404 435 "-" "Mozilla/5.0 (Windows NT 5.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0"
There are thousands of similar requests from IPs all over. The POST requests are all similar in that they are a slash followed by a 6-character string. The GET requests are also a slash, but followed by a longer string.
What's going on here?
Thanks!
Tom
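An added example, not part of Tom's post, that parses the four entries above as Apache combined-format lines and tallies, per source IP, the two request shapes he describes: a bare six-character path and a long random-looking path with a query string. The two pattern regexes and the "mixed character set" heuristic are my assumptions about what such junk paths look like, not a published signature; the two extra sample lines (a normal 200 request and a malformed line) are constructed to show the filtering and the unparsable-line counter.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat, which is what the lines in the question use.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed heuristics for the two probe shapes in the question, not an official signature.
SHORT_RANDOM_RE = re.compile(r'^/[A-Za-z0-9]{6}$')
LONG_RANDOM_RE = re.compile(r'^/[A-Za-z0-9.\-]{15,}(?:/[A-Za-z0-9.\-]+)*(?:\?[A-Za-z0-9.\-=&]+)?$')

# The four lines from the question, plus two constructed lines: a normal request and a malformed one.
SAMPLE_LOG = [
    '5.41.13.252 - - [09/Jun/2022:05:23:50 +0000] "POST /avdhkn HTTP/1.1" 404 497 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"',
    '5.41.13.252 - - [09/Jun/2022:05:23:50 +0000] "POST /gbu38w HTTP/1.1" 404 497 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"',
    '5.41.13.252 - - [09/Jun/2022:05:23:50 +0000] "POST /rhrzgc HTTP/1.1" 404 502 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"',
    '91.227.25.251 - - [09/Jun/2022:05:23:51 +0000] "GET /i4b16nGjRiIl7EFYx1b.YPEWkJ/B7k?SDvQ-P.WAf=8DC7evsTjj5l45.Cp-W3 HTTP/1.1" 404 435 "-" "Mozilla/5.0 (Windows NT 5.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0"',
    # constructed: an ordinary successful request that must not be counted
    '203.0.113.7 - - [09/Jun/2022:05:24:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    # constructed: a line that does not match the format at all
    'garbage line that does not parse',
]


def _mixed_charset(s):
    """True when s mixes lower-case, upper-case and digits, as generated junk usually does."""
    return (any(c.islower() for c in s) and any(c.isupper() for c in s)
            and any(c.isdigit() for c in s))


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_target(target):
    """Label a request target as 'short-random', 'long-random' or 'other'."""
    if SHORT_RANDOM_RE.match(target):
        return "short-random"
    path = target.split("?", 1)[0]
    if LONG_RANDOM_RE.match(target) and _mixed_charset(path):
        return "long-random"
    return "other"


def summarize(lines):
    """Count 404'd probe-shaped requests per source IP, keyed by (method, label).

    Returns (summary, number_of_unparsable_lines).
    """
    per_ip = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["status"] != 404:
            continue  # only the 'file not found' probes are of interest here
        label = classify_target(rec["target"])
        if label != "other":
            per_ip[rec["ip"]][(rec["method"], label)] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}, unparsed


if __name__ == "__main__":
    summary, bad = summarize(SAMPLE_LOG)
    for ip, counts in sorted(summary.items()):
        for (method, label), n in sorted(counts.items()):
            print(f"{ip:16} {method:5} {label:13} {n}")
    print(f"unparsable lines: {bad}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; the per-IP breakdown by (method, shape) is what tells you whether one source is cycling both shapes or whether the short POST probes and the long GET probes come from different populations.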
Comments
Someone trying to probe for a vulnerability. Logging the full set of headers and any potential bodies would be interesting and might shed some more light on what they're trying to probe for; sadly I no longer run my honeypots to be able to provide more information.
The Saudi government are after you.
The Saudis are installing Pegasus security software on your server free of charge, no need to be alarmed.
Data exfiltration through logs if your server is compromised. I will encrypt the data and divide it into many small pieces as request parameters, and then send HTTP requests to a compromised server I have access to; then from the log I will retrieve that data. There are other interesting ways to exfiltrate data through DNS, p2p, etc. protocols.
Otherwise just trying to DoS/find interesting things/etc.
The log snippet was from a server running Debian 11.3.
Not sure how it relates to the logged attacks, but it looks like there were some recent CVEs for Apache and that Debian 11.3's Apache version might be behind. Here's an excerpt from the Slackware64-current changelog:
Wed Jun 8 19:15:34 UTC 2022
[ . . . ]
n/httpd-2.4.54-x86_64-1.txz: Upgraded.
This update fixes bugs and the following security issues:
mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism.
Information Disclosure in mod_lua with websockets.
mod_sed denial of service.
Denial of service in mod_lua r:parsebody.
Read beyond bounds in ap_strcmp_match().
Read beyond bounds via ap_rwrite().
Read beyond bounds in mod_isapi.
mod_proxy_ajp: Possible request smuggling.
For more information, see:
https://downloads.apache.org/httpd/CHANGES_2.4.54
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
(* Security fix *)
By the frequency, it looks like a DDoS attempt.
4 in 2 seconds by two hosts doesn't usually trigger "DDoS attempt". It looks like it's trying to find writable areas, perhaps temp dirs from getting Let's Encrypt certificates or something.
Such attempts are generally observed on domains that were once compromised and then later cleaned. They are still trying to look for old files. Now two things may happen:
1. They will try for a while and then leave you alone.
2. If you still have the vulnerability that allowed them to leave a payload the first time, it will be noticed and they will then try to compromise the system again.
Dump the POST requests into a file. Here is PHP:
<?php
$request = file_get_contents('php://input');             // raw request body, whatever the method or content type
file_put_contents('request.txt', $request, FILE_APPEND); // appended to a capture file; keep it outside the web root
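The PHP snippet above keeps only the raw body. As an added example in Python (my code, not the commenter's and not part of the original thread), here is a stand-alone catch-all listener that records what the first commenter asked for, the full header set and the body, while capping the body size, dropping credential headers and writing one JSON line per request to a file outside the web root. The listen address, the capture path, the 64 KiB cap and the dropped-header list are all assumptions; the sample request in the test is constructed.

```python
import base64
import json
import os
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 64 * 1024  # assumed cap: a flood of probes must not be able to fill the disk
# Assumed path, deliberately outside the document root so the capture is never served to clients.
CAPTURE_FILE = os.environ.get("PROBE_CAPTURE_FILE", "/var/log/probe-capture.jsonl")
HEADERS_TO_DROP = {"cookie", "authorization"}  # never persist credentials into the capture file


def build_record(client_ip, method, target, headers, body, declared_len, now=None):
    """Turn one request into a JSON-serialisable dict; the body is capped and stored base64-encoded."""
    body = body[:MAX_BODY]
    kept = {k: v for k, v in headers.items() if k.lower() not in HEADERS_TO_DROP}
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "ip": client_ip,
        "method": method,
        "target": target,
        "headers": kept,
        "body_declared_len": declared_len,
        "body_truncated": declared_len > len(body),
        "body_b64": base64.b64encode(body).decode("ascii"),
    }


def decode_body(record):
    """Recover the captured body bytes from a record."""
    return base64.b64decode(record["body_b64"])


def append_record(record, path=CAPTURE_FILE):
    """Append one record as a single JSON line; returns the line written."""
    line = json.dumps(record, sort_keys=True)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


class CaptureHandler(BaseHTTPRequestHandler):
    """Catch-all handler: records every request, then answers 404 just as the real server did."""

    def _capture(self):
        try:
            declared = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            declared = 0  # bogus length header: treat as no body
        body = self.rfile.read(min(declared, MAX_BODY)) if declared > 0 else b""
        record = build_record(self.client_address[0], self.command, self.path,
                              dict(self.headers.items()), body, declared)
        append_record(record)
        self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_HEAD = do_OPTIONS = _capture

    def log_message(self, fmt, *args):
        pass  # the JSON file is the log; keep stderr quiet


if __name__ == "__main__":
    # Assumed listen address; run it on a spare port or test host only while investigating.
    HTTPServer(("127.0.0.1", 8080), CaptureHandler).serve_forever()
```

Each line in the capture file carries the timestamp, source IP, method, target, surviving headers and the (possibly truncated) body, so the six-character POSTs from the question can be inspected for a body without leaving cookies or Authorization values on disk.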