Guys, I would like help interpreting part of my log. I am getting several strange connections from IPs on my web server. In the site's access logs, some IPs are trying to access addresses that, from what I understand, are mydomain.com.br/newticket, ticket or query, among others. These IPs that begin with 89, 90, 80, 46 ... probably have to be blocked, but I wanted to understand better what is happening! Thank you!

- netstat -ntapl | grep :80

tcp 0 0 0.0.0.0:8080 0.0.0.0:* OUÇA 2981/java
tcp 0 0 0.0.0.0:80 0.0.0.0:* OUÇA 3133/apache2
tcp 0 0 200.xxx.xxx.xx:80 125.24.250.13:61193 SYN_RECEBIDO -
tcp 0 0 200.xxx.xxx.xx:80 89.169.1.30:60120 ESTABELECIDA 12200/apache2
tcp 0 0 200.xxx.xxx.xx:80 80.194.50.116:40111 ESTABELECIDA 15889/apache2
tcp 0 0 0.0.0.0:8081 0.0.0.0:* OUÇA 3133/apache2
tcp 0 0 127.0.0.1:8005 0.0.0.0:* OUÇA 2981/java
tcp 0 0 0.0.0.0:8009 0.0.0.0:* OUÇA 2981/java
tcp 0 0 200.xxx.xxx.xx:80 200.102.207.218:50011 TIME_WAIT -
tcp 0 0 200.xxx.xxx.xx:80 46.105.30.42:56676 TIME_WAIT -
tcp 0 0 200.xxx.xxx.xx:80 76.164.222.35:1922 TIME_WAIT -
tcp 0 0 200.xxx.xxx.xx:80 76.164.222.35:4986 TIME_WAIT -
tcp 0 0 200.xxx.xxx.xx:80 96.47.224.218:44383 TIME_WAIT -
tcp 0 0 200.xxx.xxx.xx:80 76.164.222.35:1518 ESTABELECIDA 14044/apache2
tcp 0 0 200.xxx.xxx.xx:80 200.102.207.218:50044 TIME_WAIT -
tcp 0 0 127.0.0.1:37742 127.0.0.1:3306 ESTABELECIDA 15808/amavisd (ch3-
tcp 0 0 200.xxx.xxx.xx:80 200.102.207.218:50009 TIME_WAIT -
tcp 0 0 200.xxx.xxx.xx:80 200.102.207.218:50012 TIME_WAIT -
tcp 0 0 200.xxx.xxx.xx:80 200.102.207.218:50010 TIME_WAIT -
tcp 0 0 200.xxx.xxx.xx:80 142.169.1.233:51469 ESPERA_FIN2 -

- tail -f /var/log/ispconfig/http/mydomain/error.log

[Tue Mar 13 22:48:18 2012] [error] [client 180.76.6.26] File does not exist: /var/www/mydomain.com.br/web/ticket
[Tue Mar 13 22:48:23 2012] [error] [client 66.249.72.205] File does not exist: /var/www/mydomain.com.br/web/ticket
[Tue Mar 13 22:48:23 2012] [error] [client 66.249.72.211] File does not exist: /var/www/mydomain.com.br/web/ticket
[Tue Mar 13 22:48:29 2012] [error] [client 201.11.201.137] File does not exist: /var/www/mydomain.com.br/web/ticket
[Tue Mar 13 22:48:53 2012] [error] [client 96.47.224.50] File does not exist: /var/www/mydomain.com.br/web/ticket
[Tue Mar 13 22:48:54 2012] [error] [client 96.47.224.50] File does not exist: /var/www/mydomain.com.br/web/newticket
[Tue Mar 13 22:49:02 2012] [error] [client 66.249.72.211] File does not exist: /var/www/mydomain.com.br/web/ticket
[Tue Mar 13 22:49:17 2012] [error] [client 180.76.5.176] File does not exist: /var/www/mydomain.com.br/web/query
[Tue Mar 13 22:49:23 2012] [error] [client 96.47.225.178] File does not exist: /var/www/mydomain.com.br/web/ticket
[Tue Mar 13 22:49:23 2012] [error] [client 96.47.225.178] File does not exist: /var/www/mydomain.com.br/web/ticket

- tail -f /var/log/ispconfig/http/mydomain/access.log

6.105.30.42 - - [13/Mar/2012:23:48:02 -0300] "GET /ticket/2181 HTTP/1.0" 404 1806 "http://server.mydomain.com.br/ticket/2181#comment:1" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
140.98.210.233 - - [13/Mar/2012:23:48:08 -0300] "GET /ticket/2181 HTTP/1.1" 404 1806 "http://server.mydomain.com.br/ticket/2181#comment:1" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
84.246.226.180 - - [13/Mar/2012:23:48:11 -0300] "GET /ticket/2181 HTTP/1.1" 404 1806 "http://server.mydomain.com.br/ticket/2181#comment:1" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
80.90.151.1 - - [13/Mar/2012:23:48:13 -0300] "GET /ticket/2181 HTTP/1.1" 404 1806 "http://server.mydomain.com.br/ticket/2181#comment:1" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
180.76.5.90 - - [13/Mar/2012:23:48:28 -0300] "GET /ticket/4034 HTTP/1.1" 404 809 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
66.249.72.211 - - [13/Mar/2012:23:48:32 -0300] "GET /ticket/171511?format=rss HTTP/1.1" 404 809 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
125.24.250.13 - - [13/Mar/2012:23:48:35 -0300] "GET /newticket HTTP/1.0" 404 1806 "http://server.mydomain.com.br/newticket" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)"
125.24.250.13 - - [13/Mar/2012:23:48:39 -0300] "GET / HTTP/1.0" 302 0 "http://server.mydomain.com.br/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)"
66.249.72.211 - - [13/Mar/2012:23:48:44 -0300] "GET /ticket/157436 HTTP/1.1" 404 809 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

I was blocking each of the addresses yesterday; however, others appeared today. Do you have any idea how to block these types of attacks? Would using ModSecurity and fail2ban help in this regard? I have compiled and installed both, and the ModSecurity log shows this:

[14/Mar/2012:15:01:19 --0300] [trac.mydomain.com.br/sid#7f65308ff3f0][rid#7f6530fa8360][/newticket][1] Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "46"] [id "960015"] [rev "2.1.2"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
[14/Mar/2012:15:02:03 --0300] [server.mydomain.com.br/sid#7f65308ff3f0][rid#7f6530f7d190][/ticket/86042][1] Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "46"] [id "960015"] [rev "2.1.2"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
[14/Mar/2012:15:02:04 --0300] [server.mydomain.com.br/sid#7f65308ff3f0][rid#7f6530fa0320][/ticket/86042][1] Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "46"] [id "960015"] [rev "2.1.2"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
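
A triage pass over the access.log excerpt above, as an added example that is not part of the original post: it groups 404s on the /ticket, /newticket and /query paths by User-Agent, sets aside clients that claim to be Googlebot or Baiduspider, and flags Referer headers carrying a `#fragment`, which browsers strip before sending. The function name `analyse` and the `min_ips` threshold are assumptions; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
PROBED = re.compile(r'^/(ticket|newticket|query)(/|\?|$)')  # paths named in the post
CRAWLER = re.compile(r'Googlebot|Baiduspider', re.I)        # claimed identity only

# Sample lines copied from the access.log excerpt in the post.
SAMPLE = '''
140.98.210.233 - - [13/Mar/2012:23:48:08 -0300] "GET /ticket/2181 HTTP/1.1" 404 1806 "http://server.mydomain.com.br/ticket/2181#comment:1" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
84.246.226.180 - - [13/Mar/2012:23:48:11 -0300] "GET /ticket/2181 HTTP/1.1" 404 1806 "http://server.mydomain.com.br/ticket/2181#comment:1" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
80.90.151.1 - - [13/Mar/2012:23:48:13 -0300] "GET /ticket/2181 HTTP/1.1" 404 1806 "http://server.mydomain.com.br/ticket/2181#comment:1" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
180.76.5.90 - - [13/Mar/2012:23:48:28 -0300] "GET /ticket/4034 HTTP/1.1" 404 809 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
66.249.72.211 - - [13/Mar/2012:23:48:32 -0300] "GET /ticket/171511?format=rss HTTP/1.1" 404 809 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
125.24.250.13 - - [13/Mar/2012:23:48:35 -0300] "GET /newticket HTTP/1.0" 404 1806 "http://server.mydomain.com.br/newticket" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)"
125.24.250.13 - - [13/Mar/2012:23:48:39 -0300] "GET / HTTP/1.0" 302 0 "http://server.mydomain.com.br/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)"
'''

def analyse(lines, min_ips=3):
    """Return (agents shared by >= min_ips IPs, IPs with '#' in Referer, crawler IPs)."""
    by_agent = defaultdict(set)   # User-Agent -> distinct client IPs
    fragment_referer = set()      # IPs whose Referer contains a fragment
    crawlers = set()              # IPs claiming to be a search-engine crawler
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m['status'] != '404' or not PROBED.match(m['path']):
            continue              # only 404s on the probed paths are of interest
        if CRAWLER.search(m['agent']):
            crawlers.add(m['ip'])  # confirm with reverse DNS before trusting
            continue
        by_agent[m['agent']].add(m['ip'])
        if '#' in m['referer']:
            fragment_referer.add(m['ip'])
    shared = {ua: ips for ua, ips in by_agent.items() if len(ips) >= min_ips}
    return shared, fragment_referer, crawlers

if __name__ == '__main__':
    shared, fragment_referer, crawlers = analyse(SAMPLE.strip().splitlines())
    for ua, ips in shared.items():
        print(f'{len(ips)} IPs share User-Agent {ua!r}: {sorted(ips)}')
    print('fragment in Referer:', sorted(fragment_referer))
    print('claimed crawlers:', sorted(crawlers))
```

A User-Agent shared by many unrelated addresses, or a Referer with a fragment, is a property of the request itself, so a rule keyed on it keeps matching when the source addresses change.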