[RndTbl] weird apache hit

Tim Lavoie tim at fractaldragon.net
Mon Feb 17 23:18:18 CST 2020

If you’re up to adding and configuring it, ModSecurity and the community rule set can provide a lot of information. Besides actively preventing some attacks, you can log complete requests, ideally only for the weird traffic.

> On Feb 17, 2020, at 7:03 PM, Trevor Cordes <trevor at tecnopolis.ca> wrote:
> On 2020-02-17 athompso at athompso.net wrote:
>> First thought: what other hits come from that IP address previously?
>> Could it be Redirect or rewrite? -Adam
> The pattern is 2-3 fuzz hits that get 4xx codes like:
> - - [17/Feb/2020:14:59:28 -0600] "\x16\x03\x01" 400 226 "-" "-"
> 80 9-w1.foo.com -
> Then the hit that breaks into /var/www/html
>> On 2020-02-17 Theodore Baschak wrote:
>> Also, you've got the IP and you say they're persistent,
>> tcpdump/tshark some packets to a file and see the contents of the
>> request in more detail?
> I get 4-5 hits total from a single IP, then no more from that IP.  Then
> a while later it'll be the same pattern from another IP.  I have dozens
> of these groups of hits logged, always the similar sequence.  Sometimes
> they just do the \x code hits and not the breakout hit.
> Probably a bot net causing this.
> So I can't easily dump these packets, at least not based on IP.  This is
> a very busy production server so I'm not sure I want to turn on global
> port 80 packet capture... although, most traffic is port 443, so maybe
> it is an option.
> I'm also looking into logging more of the request.  There doesn't seem
> a way to log all headers, but I can log specific ones.
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.ca
> https://muug.ca/mailman/listinfo/roundtable

More information about the Roundtable mailing list