
Essentially I have a webcam set up at home to record movement, and I set up a basic Apache server so that I can externally access the stored videos.

The server is running on my laptop and I have port forwarded port 80 to the laptop's IP. I then set up dynamic DNS so that I can access the same domain name regardless of whether my IP changes.

It had been running a day when I checked the access logs and saw some really suspicious activity: http://pastebin.com/a8xSALaJ (sorry for the length, I didn't want to cut out anything subtly important).

My Apache configuration is literally default, with the document root at /var/www/html.

I have 3 questions:

1 - Is there anything malicious in the logs / what was the attacker trying to do? (There is one very suspicious log entry at line 152:)

access.log:1203:74.217.28.153 - - [19/Feb/2016:05:36:48 +0000] "GET http://pastebin.com/raw.php?i=GNsjKYy5 HTTP/1.1" 404 442 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

2 - How can I prevent this type of attack in the future?

3 - How on earth did this person find my IP at all? I certainly didn't publicize it...

As you can tell my networking knowledge is fairly basic, but I would really like to learn more, so any information would be greatly appreciated!

UPDATE

Since posting this I noticed something particularly concerning (not sure if this is related). I tried running apache2 --version:

apache2 --version
[Sat Feb 20 18:24:19.273672 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_LOCK_DIR} is not defined
[Sat Feb 20 18:24:19.273756 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_PID_FILE} is not defined
[Sat Feb 20 18:24:19.273778 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_RUN_USER} is not defined
[Sat Feb 20 18:24:19.273796 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_RUN_GROUP} is not defined
[Sat Feb 20 18:24:19.273826 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Sat Feb 20 18:24:19.276425 2016] [core:warn] [pid 4942:tid 139799541426048] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Sat Feb 20 18:24:19.276615 2016] [core:warn] [pid 4942:tid 139799541426048] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Sat Feb 20 18:24:19.276641 2016] [core:warn] [pid 4942:tid 139799541426048] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00526: Syntax error on line 74 of /etc/apache2/apache2.conf:
Invalid Mutex directory in argument file:${APACHE_LOCK_DIR}
William Paul

1 Answer

The answer to your first question is that it is hard to say what kind of "attack" is occurring or what the attacker is trying to accomplish.

If you look at the entry, the log shows that something is simply requesting a web page. If you go to that web page it contains the text string formyproxycheckerandyquezhasabigdick.

If we Google the URL that is being requested by your server we find a number of web sites that report seeing this URL being requested.

It appears this is used to scrape and filter proxies.

http://pastebin.com/Qhb1eWXU http://urlquery.net/report.php?id=1453470052748

I would seek assistance finding and removing any malware on that computer.

Now for your second question it looks like those log entries are related to running Apache directly. When you want to start Apache try using the command below.

sudo service apache2 start

Apache2 config variable is not defined

You asked how someone could have found your equipment. To be honest, if you have ports open on your gateway device someone will probably find it. If you have never heard of Shodan, you should Google it so you understand what is happening and how it can affect you.

Never open ports unless you need to, always block port scans, and never leave default passwords on any device you connect to the Internet.

user5870571
  • What insinuates that there is actually malware on the computer? it is a laptop that I have wiped and installed linux mint on, with apache and motion and no-ip2. Literally nothing else – William Paul Feb 20 '16 at 21:41
  • You just posted a log of an Apache server that shows requests being made that you aren't making that you think are suspicious. I'm not sure what other advice you are looking for. – user5870571 Feb 20 '16 at 21:44
  • It is a proxy scraper possibly written by Andy Quez. If you didn't install software that is legitimately calling the proxy scraper and you aren't requesting the web page that is identified in the log then that is a pretty good indication something is on your computer that shouldn't be. Research the programs you installed. If the script is legitimately part of one of those programs then this isn't an "attack", it is just the software doing what it is designed to do. Otherwise, you should look into what is running the script. – user5870571 Feb 20 '16 at 21:47
  • Is it possible that laptop has been infected purely due to the fact it is on my home network? :( – William Paul Feb 20 '16 at 21:47
  • It is possible for viruses to spread over the network but now you are talking about a Linux Mint computer being infected. It isn't impossible but it isn't common. You probably have something installed that is making the request but again there is no way for me to tell you what on your computer is requesting the web page. – user5870571 Feb 20 '16 at 21:49
  • would it be the ddns programme I have running? no-ip2 – William Paul Feb 20 '16 at 21:58
  • It could be but I don't know. Try disabling it and then checking your log file. – user5870571 Feb 20 '16 at 22:33
  • OK cheers for the help – William Paul Feb 22 '16 at 11:14
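The log line in the question is the request form an open-proxy scanner sends: an absolute URL ("GET http://pastebin.com/...") instead of a local path, and the 404 shows Apache did not relay it. Below is an added example (not from the question, the answer, or Apache itself) that parses combined-format access log lines and flags such proxy-style requests, reporting whether the server actually served them; the sample log is constructed, with the first line taken from the question and the other two made up.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" LogFormat, which is what a default apache2 install writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_proxy_probe(entry):
    """True when the client asked this server to fetch a different site:
    an absolute URL with a host ("GET http://other.site/x") or a CONNECT
    to host:port, instead of a local path ("GET /index.html")."""
    if entry["method"] == "CONNECT":
        return True
    parts = urlsplit(entry["target"])
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def suspicious_requests(lines):
    """Flag proxy-style requests; "relayed" is True only if the server answered
    with a non-error status, which would mean it is acting as an open proxy.
    A 404, as in the question's log line, means nothing was forwarded."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_proxy_probe(entry):
            findings.append({"ip": entry["ip"], "target": entry["target"],
                             "status": entry["status"],
                             "relayed": entry["status"] < 400})
    return findings

# Constructed sample: the first line is the one quoted in the question (grep
# prefix "access.log:1203:" removed); the other two are made up for contrast.
SAMPLE_LOG = [
    '74.217.28.153 - - [19/Feb/2016:05:36:48 +0000] "GET http://pastebin.com/raw.php?i=GNsjKYy5 HTTP/1.1" 404 442 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"',
    '192.0.2.10 - - [19/Feb/2016:05:40:01 +0000] "GET /videos/motion-001.avi HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Feb/2016:05:41:12 +0000] "CONNECT example.net:443 HTTP/1.1" 400 301 "-" "curl/7.47.0"',
]
```

Run `suspicious_requests(SAMPLE_LOG)` to get the two flagged entries; a "relayed": True result on a real log would be the thing to worry about, since it means the host is forwarding traffic for strangers.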