apache being attacked - TCP-IP


Thread: apache being attacked

  1. apache being attacked

    Hi, everyone,
    My apache server is being abused by malicious requests. Below is just
    part of the apache access log. These abusive requests may be generated
    by several persons, or by one person using a hacker network, I guess. Is
    there a hacker union or something like that in which members can use all
    others' boxes to do nasty things or experiments? Is there a way to avoid
    being abused like this?

    Thank you.



    218.85.33.119 - - [22/Jun/2008:20:17:39 +0800] "\xe3\x89" 501 290 "-" "-"
    218.85.33.119 - - [22/Jun/2008:20:21:49 +0800] "\xe3\x89" 501 290 "-" "-"
    218.85.33.119 - - [22/Jun/2008:20:22:51 +0800] "P\xe9o" 501 291 "-" "-"
    88.164.173.95 - - [22/Jun/2008:20:23:23 +0800] "\xe2OO" 501 291 "-" "-"
    218.85.33.119 - - [22/Jun/2008:20:23:55 +0800] "\xe3\x89" 501 290 "-" "-"
    218.85.33.119 - - [22/Jun/2008:20:28:13 +0800] "\xe3\x89" 501 290 "-" "-"
    218.85.33.119 - - [22/Jun/2008:20:29:18 +0800] "\xfd\xfa$" 501 291 "-" "-"
    218.85.33.119 - - [22/Jun/2008:20:30:20 +0800] "\xe3\x89" 501 290 "-" "-"
    202.114.103.66 - - [22/Jun/2008:21:03:18 +0800] "\xe2\xd4i" 501 291 "-" "-"
    218.74.209.100 - - [22/Jun/2008:21:20:33 +0800] "\xe3\x8d" 501 290 "-" "-"
    125.122.29.186 - - [22/Jun/2008:21:27:31 +0800] "\xe3\x85" 501 290 "-" "-"
    125.122.29.186 - - [22/Jun/2008:21:31:41 +0800] "\xe3\x85" 501 290 "-" "-"
    218.74.209.100 - - [22/Jun/2008:21:44:07 +0800] "\xe3\x8d" 501 290 "-" "-"
    125.46.17.29 - - [22/Jun/2008:21:59:08 +0800] "\xd5\xaa#" 501 291 "-" "-"
    58.60.115.61 - - [22/Jun/2008:22:37:53 +0800] "\xe3\x89" 501 290 "-" "-"
    58.60.115.61 - - [22/Jun/2008:22:39:02 +0800] "f\xa6." 501 291 "-" "-"
    221.131.73.170 - - [22/Jun/2008:22:44:29 +0800] "\xcexx" 501 291 "-" "-"
    116.62.64.16 - - [22/Jun/2008:22:46:41 +0800] "\xe3\x88" 501 290 "-" "-"
    116.62.64.16 - - [22/Jun/2008:22:59:05 +0800] "\xe3\x88" 501 290 "-" "-"
    58.60.115.61 - - [22/Jun/2008:22:59:26 +0800] "\xe3\x89" 501 290 "-" "-"
    58.60.115.61 - - [22/Jun/2008:23:01:07 +0800] "[Y\x10" 501 291 "-" "-"
    125.46.17.29 - - [22/Jun/2008:23:01:35 +0800] "\xe3\x85" 501 290 "-" "-"
    58.60.115.61 - - [22/Jun/2008:23:03:07 +0800] "\xe3\x89" 501 290 "-" "-"
    125.46.17.29 - - [22/Jun/2008:23:05:15 +0800] "\xe3\x85" 501 290 "-" "-"
    125.46.17.29 - - [22/Jun/2008:23:06:15 +0800] "K\xe9=" 501 291 "-" "-"
    116.62.64.16 - - [22/Jun/2008:23:08:02 +0800] "\xe3\x88" 501 290 "-" "-"
    58.60.115.61 - - [22/Jun/2008:23:16:38 +0800] "\xe3\x89" 501 290 "-" "-"
    58.60.115.61 - - [22/Jun/2008:23:21:35 +0800] "\xe3\x89" 501 290 "-" "-"
    123.121.199.244 - - [22/Jun/2008:23:24:16 +0800] "\x11\xd0\x1e" 501 291 "-" "-"
    125.46.17.29 - - [22/Jun/2008:23:28:04 +0800] "\xe3\x85" 501 290 "-" "-"
    125.46.17.29 - - [22/Jun/2008:23:29:06 +0800] "\xd11/" 501 291 "-" "-"
    125.46.17.29 - - [22/Jun/2008:23:30:14 +0800] "\xe3\x85" 501 290 "-" "-"
    60.13.52.73 - - [22/Jun/2008:23:37:51 +0800] "\xab[s" 501 291 "-" "-"
    116.227.246.33 - - [22/Jun/2008:23:39:36 +0800] "\xcc\xbbJ" 501 291 "-" "-"
    58.60.115.61 - - [22/Jun/2008:23:40:55 +0800] "\xe3\x89" 501 290 "-" "-"
    58.60.115.61 - - [22/Jun/2008:23:47:21 +0800] "y\xce]" 501 291 "-" "-"
    125.46.17.29 - - [22/Jun/2008:23:50:21 +0800] "\xe3\x85" 501 290 "-" "-"
    58.60.115.61 - - [22/Jun/2008:23:50:29 +0800] "\xe3\x89" 501 290 "-" "-"
    125.46.17.29 - - [22/Jun/2008:23:51:25 +0800] "(\xc2b" 501 291 "-" "-"

    125.46.17.29 - - [23/Jun/2008:00:05:17 +0800] "\xe3\x85" 501 290 "-" "-"
    125.46.17.29 - - [23/Jun/2008:00:06:18 +0800] "\xb2\xdf^" 501 291 "-" "-"
    125.46.17.29 - - [23/Jun/2008:00:07:23 +0800] "\xe3\x85" 501 290 "-" "-"
    125.46.17.29 - - [23/Jun/2008:00:11:24 +0800] "\xe3\x85" 501 290 "-" "-"
    87.102.19.207 - - [23/Jun/2008:00:14:26 +0800] "\xa2\x18}" 501 291 "-" "-"
    79.153.18.61 - - [23/Jun/2008:00:35:25 +0800] "\xa4}`" 501 291 "-" "-"
    218.94.124.42 - - [23/Jun/2008:01:00:04 +0800] "wUx" 501 291 "-" "-"
    87.102.19.207 - - [23/Jun/2008:01:00:17 +0800] "\xc8o7" 501 291 "-" "-"
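As an added example (not code from this thread), a small Python parser for the access-log format shown above: it flags request lines that are not HTTP at all, undoes the `\xHH` escaping Apache applies when it logs them so the raw bytes can be inspected, and counts such requests per source address. The sample lines are constructed from the excerpt plus one ordinary GET for contrast; the 192.0.2.10 address is a placeholder.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the thread's combined-log format: three of its lines plus one normal GET
SAMPLE_LOG = r'''218.85.33.119 - - [22/Jun/2008:20:17:39 +0800] "\xe3\x89" 501 290 "-" "-"
218.85.33.119 - - [22/Jun/2008:20:22:51 +0800] "P\xe9o" 501 291 "-" "-"
88.164.173.95 - - [22/Jun/2008:20:23:23 +0800] "\xe2OO" 501 291 "-" "-"
192.0.2.10 - - [22/Jun/2008:20:25:00 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
125.46.17.29 - - [22/Jun/2008:23:29:06 +0800] "\xd11/" 501 291 "-" "-"'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" '
                    r'(?P<status>\d{3}) (?:\d+|-) "(?:[^"\\]|\\.)*" "(?:[^"\\]|\\.)*"$')
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')  # METHOD SP target SP HTTP/x.y

def parse_line(line):
    """Fields of one access-log line, or None if the line is not in this format."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    d = m.groupdict()
    d['status'] = int(d['status'])
    d['ts'] = datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return d

def raw_request_bytes(req):
    # Undo Apache's log escaping (\xHH for non-printables, \n \r \t, \" and \\) to recover
    # the bytes that actually arrived on the socket.
    out, i = bytearray(), 0
    while i < len(req):
        if req[i] == '\\' and req[i + 1:i + 2] == 'x':
            out.append(int(req[i + 2:i + 4], 16)); i += 4
        elif req[i] == '\\':
            c = req[i + 1]
            out += {'n': '\n', 'r': '\r', 't': '\t'}.get(c, c).encode('latin-1'); i += 2
        else:
            out += req[i].encode('latin-1'); i += 1
    return bytes(out)

def summarize(log_text):
    """Per-source count of requests whose request line is not HTTP at all, plus status totals."""
    malformed_by_ip, statuses = Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        statuses[rec['status']] += 1
        if not REQUEST_LINE_RE.match(rec['req']):
            malformed_by_ip[rec['ip']] += 1
    return {'total': sum(statuses.values()), 'statuses': statuses, 'malformed_by_ip': malformed_by_ip}
```

Running `summarize` over a day's log and sorting `malformed_by_ip` gives the per-source picture that the question asks about; the 501 status is Apache's own reply to a request line with no recognizable method, so these entries record rejected input rather than served content.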

  2. Re: apache being attacked

    In article , Terry wrote:

    > Hi, everyone,
    > My apache server is being abused by malicious requests. Below is just
    > part of the apache access log. These abusive requests may be generated
    > by several persons, or by one person using a hacker network, I guess. Is
    > there a hacker union or something like that in which members can use all


    Yes, they're called "botnets". This is why hackers put out all those
    viruses: they allow them to turn millions of computers around the
    Internet into "zombies" that they can use to mount attacks like this.

    > others' boxes to do nasty things or experiments? Is there a way to avoid
    > being abused like this.


    You can put a firewall in front of your web server, and it should filter
    out totally invalid requests like these.



    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  3. Re: apache being attacked

    In article ,
    Barry Margolin wrote:

    >> My apache server is being abused by malicious requests. Bottom is just


    >Yes, they're called "botnets". This is why hackers put out all those
    >viruses, they allow them to turn millions of computers around the
    >Internet into "zombies" that they can use to mount attacks like this.
    >
    >> others' boxes to do nasty things or experiments? Is there a way to avoid
    >> being abused like this.

    >
    >You can put a firewall in front of your web server, and it should filter
    >out totally invalid requests like these.


    I would emphatically not give that advice for more than one reason:

    - If your HTTP server is so fragile or otherwise vulnerable that it
    cannot handle totally invalid requests from the Internet like
    those, then it must *never* be exposed even to a non-trivial network
    behind firewalls. Non-trivial private networks have insider bad
    guys. Firewalls cannot and do not make insecure systems secure.
    If you can't trust your web server, then you should turn it off.

    - You can justify using firewalls to block traffic to systems that should
    not be seen by the outside network as an extra layer of protection.
    For example, you might block all Microsoft protocols at your external
    firewall or all HTTP traffic to IP addresses that should not be answering
    ports 80 and 443 just in case an accident happens and an insecure
    HTTP server is started where it shouldn't be running.

    - If your firewall could really recognize all valid requests without
    significantly reducing security (consider HTTP/TLS), then common
    sense says that your firewall should *be* your web server. On the other
    hand, universal experience with too-smart-by-half firewalls shows
    that they never understand all of the oddities of application
    protocols. Contrary to claims of the salescritters from the Evil
    Empire and the many wannabe evil empires, firewalls can recognize
    port numbers and sometimes do most of what's needed for NAT, but they
    *always* mess up the details and odd cases, if not today then in the
    next revision of the protocol.


    Far better advice for dealing with strangeness in your logs is to try
    to figure out the bad guys' goal, and then ensure that your web HTTP
    server is secure against whatever it is. I guess asking here qualifies
    as trying to figure out the point of an attack, but it has some
    disadvantages. In the last week I've noticed a new kind of strangeness
    in some Apache2 httpd-error.log files. I've been unable to find any
    explanations, but I hesitate to ask in public about them in case I'd
    be announcing a vulnerability in my own systems.


    Vernon Schryver vjs@rhyolite.com

  4. Re: apache being attacked

    Thanks to you two for your valuable responses. IMHO, a firewall should only
    see data flow below the application layer, because:
    1. an application will eventually analyze the corresponding packet; the
    firewall should not do redundant work on that.
    2. design of a firewall for the application layer and all layers below seems
    over-complicated and performance-costly.
    3. therefore, as Vernon mentioned, an application should take full
    responsibility for securing its work.

    I do have a firewall set up on my box using iptables which filters
    packets with nasty TCP flag combinations, spoofed source addresses and so
    on. As far as I know, iptables cannot peek at HTTP traffic and its
    request line.


    > Far better advice for dealing with strangeness in your logs is to try
    > to figure out the bad guys' goal, and then ensure that your web HTTP
    > server is secure against whatever it is. I guess asking here qualifies
    > as trying to figure out the point of an attack, but it has some
    > disadvantages. In the last week I've noticed a new kind of strangeness
    > in some Apache2 httpd-error.log files. I've been unable to find any
    > explanations, but I hesitate to ask in public about them in case I'd
    > be announcing a vulnerability in my own systems.


    Can you see the goal of the attack from the log? The attack is against
    apache 2.2.3. I have just upgraded it.

    Thanks again.
