
Most of the time when I am looking for 404 errors in my access.log, I see attempts to access something like /phpMyAdmin/scripts/setup.php. This does not bother me so much, but a few days ago I was surprised because I saw this in my access.log:

95.47.119.124 - - [19/Aug/2013:11:30:31 +0000] "GET http://server7.cyberpods.net/azenv.php HTTP/1.1" 404 3080 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)"
223.220.68.129 - - [21/Aug/2013:00:55:46 +0000] "GET http://www.baidu.com/ HTTP/1.1" 404 3080 "http://www.baidu.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

What surprises me is that someone is trying to access not some relevant URL on my domain, but something absolutely different.

I have two questions:

  1. How are they doing it?
  2. What is the reason behind it?
Salvador Dali

2 Answers


welcome to the intertubes!!!

What is the reason behind it?

what you see are scans for open proxies, e.g. someone is looking if he/she/it can misuse your server to browse other sites.

the first one looks very interesting, because it looks like a scanner; when checking the link (please DONT click on that with a browser), it will give back:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>AZ Environment variables 1.04</title> </head><body><pre>
HTTP_USER_AGENT = Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)
HTTP_HOST = server7.cyberpods.net
HTTP_CACHE_CONTROL = max-age=43200
HTTP_CONNECTION = keep-alive
REMOTE_ADDR = 80.226.24.11
REMOTE_PORT = 45993
REQUEST_METHOD = GET
REQUEST_URI = /azenv.php
REQUEST_TIME = 1377237144

How are they doing it?

by using tools and issuing the GET-request directly

no magique at all :)

btw, get used to it, install stuff like ossec and you'll see a lot more scanners brute-forcing your website for wp/phpmyadmin/joomla - whatever-exploits all day long

  • Thank you very much. Can you please tell me why I should not click on that link (because I have done it :-) ). I did it via TOR. P.S. up till now I have seen a lot of things targeting drupal/joomla, but I knew what they were trying to achieve. This one was absolutely new to me, and I did not have a clue. That's why I asked the question. – Salvador Dali Aug 23 '13 at 11:21
  • I checked the httx://server7.cyberpods.net/azenv.php and it seems [legit](http://web.freerk.com/proxyjudge/azenv.htm). Nevertheless, never click on anything you find in logfiles (except for known stuff like baidu or so). btw, tor doesn't protect you from browser-exploits :) Over time you'll see more strange scanner-stuff like /w00tw00t.at....:) that has floated around for a long time and is still active. – that guy from over there Aug 23 '13 at 14:44
  • I already saw a lot of w00tw00ts :-). Can you please tell me what I should do if I see some strange URLs in the logs? How did you obtain that info (which I obtained through TOR)? – Salvador Dali Aug 23 '13 at 15:29
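An added example (not from the question or either answer) of how a defender can pick these proxy-style requests out of access.log: it parses Combined Log Format lines, flags any request whose target is an absolute URL rather than a path, and treats the server's own hostnames (assumed here to be example.org) as the allow-list. The embedded log lines are the two from the question plus one constructed ordinary request.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two lines from the question (user agents shortened)
# plus one ordinary origin-form request from a documentation-range IP.
SAMPLE_LOG = """\
95.47.119.124 - - [19/Aug/2013:11:30:31 +0000] "GET http://server7.cyberpods.net/azenv.php HTTP/1.1" 404 3080 "-" "Mozilla/5.0"
223.220.68.129 - - [21/Aug/2013:00:55:46 +0000] "GET http://www.baidu.com/ HTTP/1.1" 404 3080 "http://www.baidu.com/" "Mozilla/4.0"
203.0.113.7 - - [21/Aug/2013:01:02:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, identd, user, [time], "method target proto", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_probe(entry, my_hosts):
    """True when the request target is an absolute URL (the form a client sends
    to a proxy) whose host is not one of the names this server legitimately serves."""
    parts = urlsplit(entry["target"])
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # normal origin-form request such as /index.html
    return parts.hostname.lower() not in my_hosts


def find_proxy_probes(log_text, my_hosts):
    """Scan a whole log and return (client_ip, target) for each proxy-style request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_proxy_probe(entry, my_hosts):
            hits.append((entry["ip"], entry["target"]))
    return hits


if __name__ == "__main__":
    # example.org stands in for whatever hostnames your server really answers for
    for ip, target in find_proxy_probes(SAMPLE_LOG, {"example.org"}):
        print(f"open-proxy probe from {ip}: {target}")
```

Requests in this form that still get a 404 confirm the server is not forwarding them; a 200 with foreign content would mean it is acting as an open proxy.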

The IP address that a browser sends a request to usually matches the FQDN in the request header. That's because a browser normally gets the IP address by performing a DNS query for the FQDN. In this case, someone is simply sending a request for some other page to your IP address.

Where this normally comes into play is when a single IP address hosts multiple websites. Several FQDNs all resolve to the same IP address in such cases. The request header with the URL being requested is how the server at that single IP address knows which page to serve.

As for the reason behind it, it could be for a variety of reasons, from the unintentional to the nefarious. It could be someone has a host entry that maps the other site's FQDN to your IP address, or it could be someone probing your server to see if it checks the site name in the request header or if it's only configured for one site and doesn't bother checking the header.

To sum up, if you're not worried about probes to non-existent directories, don't worry about non-existent hosts either...

petiepooo
  • you're wrong. it's plain old open-proxy-scanning, you CANNOT execute a GET httx://blah.org via a usual browser. – that guy from over there Aug 23 '13 at 06:18
  • Perhaps I should be more clear that I'm using "browser" in the sense of a generic http client, which can include proxies and crawlers... – petiepooo Aug 23 '13 at 07:30
  • you're still wrong about FQDN/dns/virtual-host-errors. [see here](http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Client_request) for an example of how a GET request looks with the Host field – that guy from over there Aug 23 '13 at 08:27