
Strange request on my Linux server

 
Joe Harry
Ranch Hand
I have my application hosted on a virtual server from a service provider and my web application is running on it. Recently I added additional logging facilities just for tracking down the usage of my web app. All of a sudden, I see the following in my log file. Not sure who this was and how it managed to access my Web app with that URL:



Any ideas as to how I could prevent this? Should I check this with my service provider? Should I consider this as some sort of sniff or attack?
 
Ulf Dittmer
Rancher
In what kind of log did that show up? What kind of information is this particular piece of data? TellTheDetails
 
Joe Harry
Ranch Hand
I'm just using the application framework's API to get information from the request object. From the request object, I get and print the remote host, request path, user-agent and many others and route them all to a rolling log file. I wanted to check my log file and I saw two lines that had the String that I posted above as the request path. Why would anyone call with such a request path?
 
Ulf Dittmer
Rancher
Might be someone who wants to have fun. Or it might be an attacker. Have you googled it?
 
Joe Harry
Ranch Hand
I have got some additional information from my log files:


All of those above requests returned a 404.

I do not know which idiot would want something from my virtual server. I guess I might be able to at least prevent such requests coming to my web app by having an Apache server that would filter such strange requests. I might have to check with my service provider and I will report this incident to them.
 
Tim Cooke
Marshal
Joe, please take Ulf's advice and Google it. I've just done a search for your w00tw00t log entry and found tons of information about it. I'm guessing you have not done this yourself yet, or you'd likely not be here asking about it.
 
Joe Harry
Ranch Hand
I did google for it even before posting it here at Javaranch. The general advice was to put some sort of check in the Apache server which I have to check with my service provider.
 
Joe Harry
Ranch Hand
So here is another one. Looks like a search spider:

 
Ulf Dittmer
Rancher
Requests for non-existent PHP pages are most likely attacks. Not sure what you think your provider can do about that. For any web site you make public - no matter what technology - you need to follow best security practices anyway.
 
Joe Harry
Ranch Hand
I agree with you. Can you offer me some advice on how to secure my website? All I have is some articles, practice exams. I'm not sure what an attacker would get hacking through my website. I'm now exploring more on what I could do to protect my content against such attacks.
 
Ron McLeod
Bartender
Joe Harry wrote: http://www.baidu.com/search/spider.html

Baidu is a Chinese Google-like search engine - it is not performing an attack, just indexing your site. I'm sure if you check your logs you will also see crawlers from Google, Bing, Yahoo, Yandex, etc. doing the same.

The other things you are finding are from scanners looking for security vulnerabilities in your server.
 
Tim Holloway
Saloon Keeper
/w00tw00t is a definite sign that someone (or more likely some-bot) is attempting to crack into your system. It has to do with an old computer game exploit. Likewise spurious requests for stuff like "phpaddmin".
The exact list of invasive URLs is enormous, and gets bigger every time a new exploit is discovered.

I get literally thousands of attack attempts every day on my production servers. The Internet is a cruel place.

As long as the bogus requests are being bounced, you're OK. If they start coming from one particular place, then it can be useful to firewall out that source. In fact, literally thousands of IP addresses belonging to HINET are on my blacklist, since they have no scruples about selling accounts to every would-be vandal and spammer on the Internet to the point where it's worthless to try and let their honest users (assuming there are any) get through.

One useful tool is fail2ban, which can be installed as a system package on many Linux distros. The fail2ban tool will track various logs and add firewall rules automatically to block attackers before they can make a major nuisance of themselves.

Generally speaking, a lot of this stuff is DDOS-style, meaning that instead of one big pain that you can block, you're getting botnet assaults from thousands of pwned fools. About the only thing you can really do in cases like that is block the obviously-bad URLs and avoid adding to the problem by keeping your own machines malware-proofed.
 
Joe Harry
Ranch Hand
All my application does is return a 404 in cases where it cannot match a specific URL request. Should that be enough, or should I consider using fail2ban?
 
Tim Holloway
Saloon Keeper
The 404 is the important part. Fail2ban works by monitoring the logs, so seeing the "404"s is what triggers it to add firewall rules. Mostly that just blacklists the would-be assailant for an extended period of time so that if they're attempting lots of different attack URLs, they'll be prevented from trying the next one on their list for 12 hours or so.
 
Dieter Quickfend
Bartender
The simplest thing to do is use a proxy that routes every request to a simple cached HTML error page except for a whitelist of requests that you want to allow. It's easier to secure everything when you know exactly what you have to secure.
 
Ron McLeod
Bartender
Tim Holloway wrote: seeing the "404"s is what triggers it to add firewall rules

Don't be too aggressive with fail2ban -- browsers may automatically ask for resources which do not exist on your server - you don't want to ban someone legitimately going to your site. Scan through your server logs and see how many times you find requests for favicon.ico or apple-touch-icon.png or others.
 
Joe Harry
Ranch Hand
Here are some more additional requests all resulting in a 404:

 
Ron McLeod
Bartender
IP address 5.200.47.79 belongs to an IT services company in Russia. Most likely something being hosted by them is banging on your site, trying to find a vulnerability. You could just block their entire subnet - 5.200.32.0/20 - to block this threat.
 
Joe Harry
Ranch Hand
Ron McLeod wrote: IP address 5.200.47.79 belongs to an IT services company in Russia. Most likely something being hosted by them is banging on your site, trying to find a vulnerability. You could just block their entire subnet - 5.200.32.0/20 - to block this threat.

Can you please offer me some tips on what I could do to prevent this? One piece of advice that I got from one of the posts is to use fail2ban. Is that what you would also suggest? These requests are getting on my nerves.
 
Ron McLeod
Bartender
I use fail2ban for services which require authentication for access (email using POP/IMAP/SMTP, file storage using FTP, VoIP using SIP, etc.), and ban on authentication failure - it works great. If you use it with your site, I would recommend that you configure it to not be too fast to blacklist an IP - don't ban after a single 404. 404's happen during legitimate access as well - old bookmarks, bad/old links from forums and search engines, browsers asking for site icons, etc.

For the immediate term, if you want to block access from specific IP addresses or blocks of IP addresses, just enter them manually into the iptables config file.
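To make the fail2ban discussion above concrete (Tim's point that the 404s are the trigger, Ron's caveat about not banning on a single 404, and the 5.200.32.0/20 block suggested earlier), here is an added example that is not code from any poster in this thread. It replays constructed access-log lines in the common "combined" format, counts non-benign 404s per source address inside a sliding window the way a fail2ban jail's maxretry/findtime pair does, skips the icon requests browsers make on their own, and checks whether a flagged address falls inside a manually blocked range. The log lines, the scanner user-agent string, and the probe paths other than the ones mentioned in the thread are placeholders.

```python
"""Replay access-log lines and flag sources that rack up repeated 404s,
mirroring a fail2ban jail's maxretry-within-findtime rule, while ignoring
the 404s that ordinary browsers cause by asking for site icons.

Added example for this thread; not code from any poster. Sample data is
constructed and the scanner user agent is a placeholder."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in Apache/nginx "combined" log format. 5.200.47.79 and
# the /w00tw00t and /phpaddmin/ paths appear in the thread; the rest is
# made up (documentation ranges 198.51.100.0/24 and 203.0.113.0/24).
SAMPLE_LOG = """\
5.200.47.79 - - [10/Mar/2016:10:00:01 +0000] "GET /w00tw00t HTTP/1.1" 404 162 "-" "scanner-placeholder/1.0"
5.200.47.79 - - [10/Mar/2016:10:00:02 +0000] "GET /phpaddmin/ HTTP/1.1" 404 162 "-" "scanner-placeholder/1.0"
5.200.47.79 - - [10/Mar/2016:10:00:03 +0000] "GET /admin.php HTTP/1.1" 404 162 "-" "scanner-placeholder/1.0"
5.200.47.79 - - [10/Mar/2016:10:00:04 +0000] "GET /setup.php HTTP/1.1" 404 162 "-" "scanner-placeholder/1.0"
198.51.100.7 - - [10/Mar/2016:10:05:00 +0000] "GET /articles/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:10:05:01 +0000] "GET /apple-touch-icon.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2016:10:10:00 +0000] "GET /old-exam HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2016:11:30:00 +0000] "GET /old-exam-2 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2016:12:45:00 +0000] "GET /old-exam-3 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2016:12:45:01 +0000] "GET /old-exam-4 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# 404s that real browsers generate on their own; never count these.
BENIGN_404_PATHS = {
    "/favicon.ico",
    "/apple-touch-icon.png",
    "/apple-touch-icon-precomposed.png",
}

# Ranges an admin chose to block by hand (the /20 named in the thread).
BLOCKED_RANGES = [ip_network("5.200.32.0/20")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_offenders(log_text, maxretry=4, findtime=600):
    """Return {ip: time_of_trigger} for sources with at least `maxretry`
    non-benign 404s inside any `findtime`-second window (fail2ban semantics).
    Lines are assumed to be in chronological order, as a log file is."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of counted 404s
    offenders = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404 or rec["path"] in BENIGN_404_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= maxretry and rec["ip"] not in offenders:
            offenders[rec["ip"]] = rec["ts"]
    return offenders


def in_blocked_ranges(ip, ranges=BLOCKED_RANGES):
    """True if `ip` falls inside one of the manually blocked networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        tag = "already in a blocked range" if in_blocked_ranges(ip) else "not yet blocked"
        print(f"{ip} crossed the threshold at {when.isoformat()} ({tag})")
```

With the defaults (four counted 404s within ten minutes) only 5.200.47.79 is flagged: the browser at 198.51.100.7 only asked for icons, and 203.0.113.9 followed stale links spread over hours. Lowering maxretry to 2 and widening findtime to three hours catches the stale-link visitor as well, which is exactly the over-aggressive setting Ron warns about.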
 
Ulf Dittmer
Rancher
You'll probably end up with a variety of Apache modules. mod_rewrite can take care of the "bad" URLs being accessed (maybe *.php) assuming you don't use PHP. Not sure if it can handle IP address ranges as well; if not, there's sure to be some other module that can. Check the Apache web site, something may even be pre-installed.
 
Tim Holloway
Saloon Keeper
Actually, there's a mod_secure or something like that for Apache. But fail2ban is a comprehensive tool that can block not only bad URL requesters, but would-be password crackers and a whole lot more. And since it does it by modifying the firewall, the offenders are blocked before they can access the webapp server, much less the applications. I'm a big fan of upstream security myself.

One of the other things that firewall-banning does is keep the load down on the application server. Since the source IP is blocked right as it comes into the machine, the server doesn't have to repel each attack individually, which means less chance of a DOS-style attack succeeding.
 
Joe Harry
Ranch Hand
Looks like I do not have Apache server on my virtual box. I guess I might have to explore fail2ban and set that up possibly.
 