apache being attacked - TCP-IP
-
apache being attacked
Hi, everyone,
My apache server is being abused by malicious requests. Below is just
part of the apache access log. These abusive requests may be generated by
several persons, or by one person using a hacker network, I guess. Is
there a hacker union or something like that in which members can use all
others' boxes to do nasty things or experiments? Is there a way to avoid
being abused like this?
Thank you.
218.85.33.119 - - [22/Jun/2008:20:17:39 +0800] "\xe3\x89" 501 290 "-" "-"
218.85.33.119 - - [22/Jun/2008:20:21:49 +0800] "\xe3\x89" 501 290 "-" "-"
218.85.33.119 - - [22/Jun/2008:20:22:51 +0800] "P\xe9o" 501 291 "-" "-"
88.164.173.95 - - [22/Jun/2008:20:23:23 +0800] "\xe2OO" 501 291 "-" "-"
218.85.33.119 - - [22/Jun/2008:20:23:55 +0800] "\xe3\x89" 501 290 "-" "-"
218.85.33.119 - - [22/Jun/2008:20:28:13 +0800] "\xe3\x89" 501 290 "-" "-"
218.85.33.119 - - [22/Jun/2008:20:29:18 +0800] "\xfd\xfa$" 501 291 "-" "-"
218.85.33.119 - - [22/Jun/2008:20:30:20 +0800] "\xe3\x89" 501 290 "-" "-"
202.114.103.66 - - [22/Jun/2008:21:03:18 +0800] "\xe2\xd4i" 501 291 "-" "-"
218.74.209.100 - - [22/Jun/2008:21:20:33 +0800] "\xe3\x8d" 501 290 "-" "-"
125.122.29.186 - - [22/Jun/2008:21:27:31 +0800] "\xe3\x85" 501 290 "-" "-"
125.122.29.186 - - [22/Jun/2008:21:31:41 +0800] "\xe3\x85" 501 290 "-" "-"
218.74.209.100 - - [22/Jun/2008:21:44:07 +0800] "\xe3\x8d" 501 290 "-" "-"
125.46.17.29 - - [22/Jun/2008:21:59:08 +0800] "\xd5\xaa#" 501 291 "-" "-"
58.60.115.61 - - [22/Jun/2008:22:37:53 +0800] "\xe3\x89" 501 290 "-" "-"
58.60.115.61 - - [22/Jun/2008:22:39:02 +0800] "f\xa6." 501 291 "-" "-"
221.131.73.170 - - [22/Jun/2008:22:44:29 +0800] "\xcexx" 501 291 "-" "-"
116.62.64.16 - - [22/Jun/2008:22:46:41 +0800] "\xe3\x88" 501 290 "-" "-"
116.62.64.16 - - [22/Jun/2008:22:59:05 +0800] "\xe3\x88" 501 290 "-" "-"
58.60.115.61 - - [22/Jun/2008:22:59:26 +0800] "\xe3\x89" 501 290 "-" "-"
58.60.115.61 - - [22/Jun/2008:23:01:07 +0800] "[Y\x10" 501 291 "-" "-"
125.46.17.29 - - [22/Jun/2008:23:01:35 +0800] "\xe3\x85" 501 290 "-" "-"
58.60.115.61 - - [22/Jun/2008:23:03:07 +0800] "\xe3\x89" 501 290 "-" "-"
125.46.17.29 - - [22/Jun/2008:23:05:15 +0800] "\xe3\x85" 501 290 "-" "-"
125.46.17.29 - - [22/Jun/2008:23:06:15 +0800] "K\xe9=" 501 291 "-" "-"
116.62.64.16 - - [22/Jun/2008:23:08:02 +0800] "\xe3\x88" 501 290 "-" "-"
58.60.115.61 - - [22/Jun/2008:23:16:38 +0800] "\xe3\x89" 501 290 "-" "-"
58.60.115.61 - - [22/Jun/2008:23:21:35 +0800] "\xe3\x89" 501 290 "-" "-"
123.121.199.244 - - [22/Jun/2008:23:24:16 +0800] "\x11\xd0\x1e" 501 291 "-" "-"
125.46.17.29 - - [22/Jun/2008:23:28:04 +0800] "\xe3\x85" 501 290 "-" "-"
125.46.17.29 - - [22/Jun/2008:23:29:06 +0800] "\xd11/" 501 291 "-" "-"
125.46.17.29 - - [22/Jun/2008:23:30:14 +0800] "\xe3\x85" 501 290 "-" "-"
60.13.52.73 - - [22/Jun/2008:23:37:51 +0800] "\xab[s" 501 291 "-" "-"
116.227.246.33 - - [22/Jun/2008:23:39:36 +0800] "\xcc\xbbJ" 501 291 "-" "-"
58.60.115.61 - - [22/Jun/2008:23:40:55 +0800] "\xe3\x89" 501 290 "-" "-"
58.60.115.61 - - [22/Jun/2008:23:47:21 +0800] "y\xce]" 501 291 "-" "-"
125.46.17.29 - - [22/Jun/2008:23:50:21 +0800] "\xe3\x85" 501 290 "-" "-"
58.60.115.61 - - [22/Jun/2008:23:50:29 +0800] "\xe3\x89" 501 290 "-" "-"
125.46.17.29 - - [22/Jun/2008:23:51:25 +0800] "(\xc2b" 501 291 "-" "-"
125.46.17.29 - - [23/Jun/2008:00:05:17 +0800] "\xe3\x85" 501 290 "-" "-"
125.46.17.29 - - [23/Jun/2008:00:06:18 +0800] "\xb2\xdf^" 501 291 "-" "-"
125.46.17.29 - - [23/Jun/2008:00:07:23 +0800] "\xe3\x85" 501 290 "-" "-"
125.46.17.29 - - [23/Jun/2008:00:11:24 +0800] "\xe3\x85" 501 290 "-" "-"
87.102.19.207 - - [23/Jun/2008:00:14:26 +0800] "\xa2\x18}" 501 291 "-" "-"
79.153.18.61 - - [23/Jun/2008:00:35:25 +0800] "\xa4}`" 501 291 "-" "-"
218.94.124.42 - - [23/Jun/2008:01:00:04 +0800] "wUx" 501 291 "-" "-"
87.102.19.207 - - [23/Jun/2008:01:00:17 +0800] "\xc8o7" 501 291 "-" "-"
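A way to get past eyeballing the log is to parse it and ask two concrete questions per source address: how many requests did it send, and how many of its request lines are not even syntactically HTTP. The following is an added example, not code from the thread; it assumes the lines are in Apache's "combined" log format with Apache's own backslash escaping of the request field, and the `10.0.0.5` line in the sample is a constructed benign request added for contrast. It decodes the escaped bytes, checks each request line against the `METHOD SP URI [SP HTTP/x.y]` shape Apache expects, and reports the sources that repeatedly send garbage (the thread's 501 responses are Apache's "Method Not Implemented" answer to a first word it does not recognise as a method).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the thread's log: the first three lines
# mirror entries from the post; the 10.0.0.5 line is an invented normal request.
SAMPLE_LOG = r'''218.85.33.119 - - [22/Jun/2008:20:17:39 +0800] "\xe3\x89" 501 290 "-" "-"
218.85.33.119 - - [22/Jun/2008:20:22:51 +0800] "P\xe9o" 501 291 "-" "-"
88.164.173.95 - - [22/Jun/2008:20:23:23 +0800] "\xe2OO" 501 291 "-" "-"
10.0.0.5 - - [22/Jun/2008:20:25:00 +0800] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.18"
'''

# Apache "combined" format. The request field may contain \" and \\ escapes,
# so it is matched as a run of "anything but quote/backslash, or an escape".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Apache writes non-printable bytes as \xHH and uses C escapes for the rest.
ESC_RE = re.compile(rb'\\(x[0-9a-fA-F]{2}|.)')
C_ESCAPES = {b'n': b'\n', b't': b'\t', b'r': b'\r', b'v': b'\v',
             b'b': b'\b', b'f': b'\f', b'a': b'\a'}


def unescape_request(field: str) -> bytes:
    """Turn Apache's escaped request field back into the raw bytes received."""
    raw = field.encode('latin-1')

    def repl(m):
        esc = m.group(1)
        if len(esc) == 3:                 # \xHH form
            return bytes([int(esc[1:], 16)])
        return C_ESCAPES.get(esc, esc)    # \n, \t, ... or the escaped char itself

    return ESC_RE.sub(repl, raw)


# RFC 2616 request line: token SP Request-URI [SP HTTP-Version]. The version
# is optional so that HTTP/0.9 "simple requests" are still counted as HTTP.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE_RE = re.compile(TOKEN + rb' \S+(?: HTTP/\d\.\d)?')


def is_valid_request_line(raw: bytes) -> bool:
    """True if the bytes at least have the shape of an HTTP request line."""
    return REQUEST_LINE_RE.fullmatch(raw) is not None


def summarize(log_text: str) -> dict:
    """Per source IP: request count, count of non-HTTP request lines,
    first/last timestamp and the distinct garbage lines seen."""
    per_ip = defaultdict(lambda: {'total': 0, 'invalid': 0,
                                  'first': None, 'last': None, 'samples': set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool should count these too
        raw = unescape_request(m.group('req'))
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        rec = per_ip[m.group('ip')]
        rec['total'] += 1
        if not is_valid_request_line(raw):
            rec['invalid'] += 1
            rec['samples'].add(raw)
        rec['first'] = ts if rec['first'] is None else min(rec['first'], ts)
        rec['last'] = ts if rec['last'] is None else max(rec['last'], ts)
    return dict(per_ip)


def noisy_sources(summary: dict, min_invalid: int = 2) -> list:
    """Addresses that sent at least min_invalid non-HTTP request lines."""
    return sorted(ip for ip, rec in summary.items() if rec['invalid'] >= min_invalid)


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    for ip, rec in sorted(summary.items(), key=lambda kv: -kv[1]['invalid']):
        span = f"{rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S}"
        print(f"{ip:16} total={rec['total']} non-http={rec['invalid']} "
              f"window={span} samples={sorted(rec['samples'])}")
    print("repeat offenders:", noisy_sources(summary))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. The decoded `samples` set is what you would compare across sources: if the same short byte strings recur from many addresses, that is the fingerprint of one scanner or tool being run from many hosts, which is the botnet pattern the replies below describe, rather than several unrelated people.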
-
Re: apache being attacked
In article , Terry wrote:
> Hi, everyone,
> My apache server is being abused by malicious requests. Bottom is just
> part of the apache access log. These abusing request may generate by
> several persons, or by one person using a hacker network, I guess. Is
> there a hacker union or something like that in which members can use all
Yes, they're called "botnets". This is why hackers put out all those
viruses, they allow them to turn millions of computers around the
Internet into "zombies" that they can use to mount attacks like this.
> others' boxes to do nasty things or experiments? Is there a way to avoid
> being abused like this.
You can put a firewall in front of your web server, and it should filter
out totally invalid requests like these.
>
> Thank you.
>
>
>
> 218.85.33.119 - - [22/Jun/2008:20:17:39 +0800] "\xe3\x89" 501 290 "-" "-"
> 218.85.33.119 - - [22/Jun/2008:20:21:49 +0800] "\xe3\x89" 501 290 "-" "-"
> 218.85.33.119 - - [22/Jun/2008:20:22:51 +0800] "P\xe9o" 501 291 "-" "-"
> 88.164.173.95 - - [22/Jun/2008:20:23:23 +0800] "\xe2OO" 501 291 "-" "-"
> 218.85.33.119 - - [22/Jun/2008:20:23:55 +0800] "\xe3\x89" 501 290 "-" "-"
> 218.85.33.119 - - [22/Jun/2008:20:28:13 +0800] "\xe3\x89" 501 290 "-" "-"
> 218.85.33.119 - - [22/Jun/2008:20:29:18 +0800] "\xfd\xfa$" 501 291 "-" "-"
> 218.85.33.119 - - [22/Jun/2008:20:30:20 +0800] "\xe3\x89" 501 290 "-" "-"
> 202.114.103.66 - - [22/Jun/2008:21:03:18 +0800] "\xe2\xd4i" 501 291 "-" "-"
> 218.74.209.100 - - [22/Jun/2008:21:20:33 +0800] "\xe3\x8d" 501 290 "-" "-"
> 125.122.29.186 - - [22/Jun/2008:21:27:31 +0800] "\xe3\x85" 501 290 "-" "-"
> 125.122.29.186 - - [22/Jun/2008:21:31:41 +0800] "\xe3\x85" 501 290 "-" "-"
> 218.74.209.100 - - [22/Jun/2008:21:44:07 +0800] "\xe3\x8d" 501 290 "-" "-"
> 125.46.17.29 - - [22/Jun/2008:21:59:08 +0800] "\xd5\xaa#" 501 291 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:22:37:53 +0800] "\xe3\x89" 501 290 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:22:39:02 +0800] "f\xa6." 501 291 "-" "-"
> 221.131.73.170 - - [22/Jun/2008:22:44:29 +0800] "\xcexx" 501 291 "-" "-"
> 116.62.64.16 - - [22/Jun/2008:22:46:41 +0800] "\xe3\x88" 501 290 "-" "-"
> 116.62.64.16 - - [22/Jun/2008:22:59:05 +0800] "\xe3\x88" 501 290 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:22:59:26 +0800] "\xe3\x89" 501 290 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:23:01:07 +0800] "[Y\x10" 501 291 "-" "-"
> 125.46.17.29 - - [22/Jun/2008:23:01:35 +0800] "\xe3\x85" 501 290 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:23:03:07 +0800] "\xe3\x89" 501 290 "-" "-"
> 125.46.17.29 - - [22/Jun/2008:23:05:15 +0800] "\xe3\x85" 501 290 "-" "-"
> 125.46.17.29 - - [22/Jun/2008:23:06:15 +0800] "K\xe9=" 501 291 "-" "-"
> 116.62.64.16 - - [22/Jun/2008:23:08:02 +0800] "\xe3\x88" 501 290 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:23:16:38 +0800] "\xe3\x89" 501 290 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:23:21:35 +0800] "\xe3\x89" 501 290 "-" "-"
> 123.121.199.244 - - [22/Jun/2008:23:24:16 +0800] "\x11\xd0\x1e" 501 291 "-" "-"
> 125.46.17.29 - - [22/Jun/2008:23:28:04 +0800] "\xe3\x85" 501 290 "-" "-"
> 125.46.17.29 - - [22/Jun/2008:23:29:06 +0800] "\xd11/" 501 291 "-" "-"
> 125.46.17.29 - - [22/Jun/2008:23:30:14 +0800] "\xe3\x85" 501 290 "-" "-"
> 60.13.52.73 - - [22/Jun/2008:23:37:51 +0800] "\xab[s" 501 291 "-" "-"
> 116.227.246.33 - - [22/Jun/2008:23:39:36 +0800] "\xcc\xbbJ" 501 291 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:23:40:55 +0800] "\xe3\x89" 501 290 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:23:47:21 +0800] "y\xce]" 501 291 "-" "-"
> 125.46.17.29 - - [22/Jun/2008:23:50:21 +0800] "\xe3\x85" 501 290 "-" "-"
> 58.60.115.61 - - [22/Jun/2008:23:50:29 +0800] "\xe3\x89" 501 290 "-" "-"
> 125.46.17.29 - - [22/Jun/2008:23:51:25 +0800] "(\xc2b" 501 291 "-" "-"
>
> 125.46.17.29 - - [23/Jun/2008:00:05:17 +0800] "\xe3\x85" 501 290 "-" "-"
> 125.46.17.29 - - [23/Jun/2008:00:06:18 +0800] "\xb2\xdf^" 501 291 "-" "-"
> 125.46.17.29 - - [23/Jun/2008:00:07:23 +0800] "\xe3\x85" 501 290 "-" "-"
> 125.46.17.29 - - [23/Jun/2008:00:11:24 +0800] "\xe3\x85" 501 290 "-" "-"
> 87.102.19.207 - - [23/Jun/2008:00:14:26 +0800] "\xa2\x18}" 501 291 "-" "-"
> 79.153.18.61 - - [23/Jun/2008:00:35:25 +0800] "\xa4}`" 501 291 "-" "-"
> 218.94.124.42 - - [23/Jun/2008:01:00:04 +0800] "wUx" 501 291 "-" "-"
> 87.102.19.207 - - [23/Jun/2008:01:00:17 +0800] "\xc8o7" 501 291 "-" "-"
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
-
Re: apache being attacked
In article ,
Barry Margolin wrote:
>> My apache server is being abused by malicious requests. Bottom is just
>Yes, they're called "botnets". This is why hackers put out all those
>viruses, they allow them to turn millions of computers around the
>Internet into "zombies" that they can use to mount attacks like this.
>
>> others' boxes to do nasty things or experiments? Is there a way to avoid
>> being abused like this.
>
>You can put a firewall in front of your web server, and it should filter
>out totally invalid requests like these.
I would emphatically not give that advice for more than one reason:
- If your HTTP server is so fragile or otherwise vulnerable that it
cannot handle totally invalid requests from the Internet like
those, then it must *never* be exposed even to a non-trivial network
behind firewalls. Non-trivial private networks have insider bad
guys. Firewalls cannot and do not make insecure systems secure.
If you can't trust your web server, then you should turn it off.
- You can justify using firewalls to block traffic to systems that should
not be seen by the outside network as an extra layer of protection.
For example, you might block all Microsoft protocols at your external
firewall or all HTTP traffic to IP addresses that should not be answering
ports 80 and 443 just in case an accident happens and an insecure
HTTP server is started where it shouldn't be running.
- If your firewall could really recognize all valid requests without
significantly reducing security (consider HTTP/TLS), then common
sense says that your firewall *be* your web server. On the other
hand, universal experience with too-smart-by-half firewalls shows
that they never understand all of the oddities of application
protocols. Contrary to claims of the salescritters from the Evil
Empire and the many wannabe evil empires, firewalls can recognize
port numbers and sometimes do most of what's needed for NAT, but they
*always* mess up the details and odd cases, if not today then in the
next revision of the protocol.
Far better advice for dealing with strangeness in your logs is to try
to figure out the bad guys' goal, and then ensure that your HTTP
server is secure against whatever it is. I guess asking here qualifies
as trying to figure out the point of an attack, but it has some
disadvantages. In the last week I've noticed a new kind of strangeness
in some Apache2 httpd-error.log files. I've been unable to find any
explanations, but I hesitate to ask in public about them in case I'd
be announcing a vulnerability in my own systems.
Vernon Schryver vjs@rhyolite.com
-
Re: apache being attacked
Thanks to both of you for your valuable responses. IMHO, a firewall should only
see data flow below the application layer, because:
1. an application will eventually analyze the corresponding packet; the
firewall should not do redundant work there.
2. the design of a firewall for the application layer and all layers below seems
over-complicated and performance-costly.
3. therefore, as Vernon mentioned, an application should take full
responsibility for securing its own work.
I do have a firewall set up on my box using iptables which filters
packets with nasty TCP flag combinations, spoofed source addresses and so
on. As far as I know, iptables cannot peek into HTTP traffic and its
request line.
> Far better advice for dealing with strangeness in your logs is to try
> to figure out the bad guys' goal, and then ensure that your HTTP
> server is secure against whatever it is. I guess asking here qualifies
> as trying to figure out the point of an attack, but it has some
> disadvantages. In the last week I've noticed a new kind of strangeness
> in some Apache2 httpd-error.log files. I've been unable to find any
> explanations, but I hesitate to ask in public about them in case I'd
> be announcing a vulnerability in my own systems.
Can you see the goal of the attack from the log? The attack is against
apache 2.2.3. I have just upgraded it.
Thanks again.