
Webserver Access Log Help


staroflaw


I have just noticed I am getting a lot of requests that look like this.

174.133.29.34 - - [17/Jul/2011:19:21:57 +0100] "POST http://yourinfo.any-request-allowed.com/ HTTP/1.1" 302 2 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

174.133.29.34 - - [17/Jul/2011:19:21:57 +0100] "GET http://yourinfo.any-request-allowed.com/phpbb3/ HTTP/1.1" 200 24086 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

64.120.177.26 - - [17/Jul/2011:19:48:28 +0100] "POST http://yourinfo.any-request-allowed.com/ HTTP/1.1" 302 2 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

64.120.177.26 - - [17/Jul/2011:19:48:29 +0100] "GET http://yourinfo.any-request-allowed.com/phpbb3/ HTTP/1.1" 200 24088 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

I have had over 100 today.

Can anyone shed any light on what it is?

I also got the same a few weeks ago, I just blocked the IP.

I'm using an XP box with Apache 2.2.17.

I know I could just block it, but I would like to know what is happening.

This is what info I get from http://yourinfo.any-request-allowed.com/

Array
(
    [REDIRECT_SCRIPT_URL] => /
    [REDIRECT_SCRIPT_URI] => http://yourinfo.any-request-allowed.com/
    [REDIRECT_STATUS] => 200
    [SCRIPT_URL] => /
    [SCRIPT_URI] => http://yourinfo.any-request-allowed.com/
    [HTTP_HOST] => yourinfo.any-request-allowed.com
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_ACCEPT_LANGUAGE] => en-us,en;q=0.5
    [HTTP_ACCEPT_ENCODING] => gzip, deflate
    [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [HTTP_KEEP_ALIVE] => 115
    [HTTP_DNT] => 1
    [HTTP_CONNECTION] => keep-alive
    [PATH] =>
    [SERVER_SIGNATURE] => <address>Apache Server at yourinfo.any-request-allowed.com Port 80</address>
    [SERVER_SOFTWARE] => Apache
    [SERVER_NAME] => yourinfo.any-request-allowed.com
    [SERVER_ADDR] => 174.133.29.34
    [SERVER_PORT] => 80
    [REMOTE_ADDR] => XXX.XXX.XXX.XXX
    [DOCUMENT_ROOT] =>
    [SERVER_ADMIN] => root@localhost
    [SCRIPT_FILENAME] =>
    [REMOTE_PORT] => 4148
    [REDIRECT_URL] => /
    [GATEWAY_INTERFACE] =>
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] =>
    [REQUEST_URI] => /
    [SCRIPT_NAME] => /index.php
    [PHP_SELF] => /index.php
    [REQUEST_TIME] => 1308454907
)

Array
(
)

Thanks - Mick

Edited by staroflaw
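As an added example (not code from any poster in this thread), here is a small Python checker for log lines like the ones above. A normal browser request line carries an origin-form target such as "/phpbb3/"; a request line carrying a full "http://host/..." URL is the form a client sends to a forward proxy, so flagging absolute-URL targets for hosts you do not serve is a cheap way to pick these probes out of an Apache combined-format log. The served-hostname set and the 203.0.113.7 line are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_proxy_style(entry, served_hosts):
    """True when the request target is an absolute URL whose host is not one this server serves.
    Browsers send origin-form targets ("/phpbb3/"); a full URL target is what a client sends
    to a forward proxy, so this separates proxy probing from ordinary site traffic."""
    target = entry["target"]
    if "://" not in target:
        return False
    host = (urlsplit(target).hostname or "").lower()
    return host not in served_hosts

def find_probes(lines, served_hosts, min_hits=1):
    """Group proxy-style requests per source IP; return {ip: [(method, status, host), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and is_proxy_style(e, served_hosts):
            hits[e["ip"]].append((e["method"], e["status"], urlsplit(e["target"]).hostname))
    return {ip: v for ip, v in hits.items() if len(v) >= min_hits}

# Constructed sample: two of the lines from the post plus an ordinary origin-form request
# from a documentation-range address (203.0.113.7) for contrast.
SAMPLE = """\
174.133.29.34 - - [17/Jul/2011:19:21:57 +0100] "POST http://yourinfo.any-request-allowed.com/ HTTP/1.1" 302 2 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
174.133.29.34 - - [17/Jul/2011:19:21:57 +0100] "GET http://yourinfo.any-request-allowed.com/phpbb3/ HTTP/1.1" 200 24086 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.7 - - [17/Jul/2011:19:30:01 +0100] "GET /phpbb3/index.php HTTP/1.1" 200 24086 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    # "www.example.org" stands in for whatever hostnames your server actually answers for.
    for ip, reqs in find_probes(SAMPLE, {"www.example.org"}).items():
        print(ip, len(reqs), "proxy-style request(s):", reqs)
```

Feed it your real access log and your real hostnames; the per-IP counts give you the excerpt a provider asks for when you file an abuse report.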

http://serverfault.com/questions/261849/unusual-traffic-to-my-webserver-asking-for-myinfo-any-request-allowed-com

has an answer to it, but I would say the same thing: it is just scanning your host. I've had a uni trying to get in on my FTP one time, 100 requests a day (trying only 2 passes so as not to engage the block). All I did on that was change the port and it never came back. They do say, though, that it should give up and move on, but it's all down to the program as to when.


According to this website, some script kiddie or a bot is trying to hack into your webserver:

http://www.bizimbal.com/odb/details.html?id=913294

Best thing to do is block the IP and make sure Apache is up to date.


If you are running Apache on an XP box with PHP, I hope it's a virtual machine and not your main box. If this is your main box, get VMware Player and download an Apache appliance, move your files to the appliance and SFTP in to upload the website files. phpMyAdmin, MySQL, etc. on things like XAMPP on an XP box will get your machine compromised pretty quickly if it's not secured. If you need to have a webserver from home exposed to the internet for your own use, or whatever the purpose is, do the virtual appliance setup and make a snapshot of your clean install. In the event the VM does get popped, you can then at least revert back to a saved state and not have to worry about the host machine it's on getting popped. Although it is possible to escape out of a VM to the host machine, that would be tenfold harder than popping the host machine running the webserver natively.

Edited by digip

Thanks for all your comments.

I run the XP box on an ESXi server and make weekly snapshots.

I have upgraded to Apache 2.2.19, blocked the offending IP addresses and sent an abuse email to the service provider of the IP addresses.

This is an email I got back from one of the providers:

Hello,

Please provide us with an excerpt of logs (5-10 entries in text format) of this activity so we can relay this complaint to our customer who is ultimately responsible for the IP address in question. Thank you

Not that it makes any difference now, but surely the service provider is ultimately responsible for the IP address as they host it?

To answer my own question - looking at the TOS and AUP of the provider, they do class this type of activity as "A Violation" of their TOS/AUP.

Next thing - should I be worried that I was getting "302 (Found)" on POST and "200 (OK)" on GET?

Thanks again.

Mick

Edited by staroflaw
