I have a mystery hit on my apache server that is giving weird results that by config should never happen... and I can't figure it out. What's happening is very rarely a hit will "break out" of the dirs that I think all hits should be limited to. And I can't reproduce it with telnet tests.
Somehow a hit is getting access to /var/www/html/ when that should be impossible. Yes, it's my document root in the global area, but immediately in my virtualhost for that IP and port I redefine docroot to a sub dir of that. There should be no way someone can hit the site and get to the original docroot.
Yes, I am probably going to change the default global docroot to just be the same as my subdir one in the virthost, but I really want to figure out why the request can break out the way it is.
The only thing weird about the hit, based on my customized logging details, is that they are hitting a ServerAlias of the virthost, which is a bit odd because that particular alias isn't public knowledge (though it's not really hidden either). Oh yeah, and the IP is in HK and is trying fuzzing attacks against me.
Here's the hit (IPs/hostnames changed):

1.2.3.4 - - [17/Feb/2020:02:40:07 -0600] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 80 9-w1.foo.com /var/www/html/
Note port 80, note the serveralias they hit us with, note the resulting directory /var/www/html
Here's the error it generates:

[Mon Feb 17 14:43:13.444291 2020] [autoindex:error] [pid 16365:tid 140334311606016] [client 2.3.4.5:54603] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.phtml,index.html,index.phtml,index.php) found, and server-generated directory index forbidden by Options directive

It's OK that it's forbidden (in fact, it might have saved my bacon), as I have directory indexes forbidden globally. The thing is, no hit should ever be trying to find an index.html in /var/www/html!
When I try to recreate the hit to match the above manually with telnet, no matter what I do I can't get the serveralias to match their hit:
telnet foo.com
GET / HTTP/1.1
Host: 9-w1.foo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Gives me a log result which matches what I expect the correct behaviour to be:
50.71.247.87 - - [17/Feb/2020:15:48:21 -0600] "GET / HTTP/1.1" 302 136 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 80 www.foo.com proxy:fcgi://localhost/var/www/html/Foo/Live/index.phtml
What on earth are the other parameters or headers they are passing in that results in a different result than my test? I'm truly stumped. I could try to capture packets of a hit, but the "attacks" only happen 2-3 times a day and always from different IPs in Asia.
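The following is an added replay harness written for this page; it is not code from the original post. A single telnet test only tries one way of naming the host, but Apache picks the virtual host from more than the Host header: an HTTP/1.0 request with no Host header goes to the first vhost listed for the address:port the connection arrived on, an absolute-form request line ("GET http://alias/ HTTP/1.1") carries its own host, and a connection that arrives on an address:port that no <VirtualHost> block matches at all is served by the main server, which is exactly where the global DocumentRoot applies. The script below sends the post's request to every address you name, once per variant, and reports the status code and Location header of each reply, so the resulting access-log lines can be compared with the mystery hit. The hostname 9-w1.foo.com and the User-Agent string come from the post; the addresses probed, the port, and the "localhost" Host value used in the absolute-URI variant are assumptions to be replaced with the real ones.

```python
"""Replay a logged GET / against every address Apache listens on, using the
request-line and Host-header variants that change which vhost Apache selects."""
import socket
from typing import Dict, Iterable, List, Optional, Tuple

# Hostname and User-Agent as logged in the post; everything else is assumed.
ALIAS = "9-w1.foo.com"
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"


def build_variants(host: str, ua: str = UA) -> Dict[str, bytes]:
    """Raw requests for GET / that differ only in how the host is conveyed.

    Every variant carries 'Connection: close' so the reply can be read to EOF;
    that header plays no part in virtual-host selection.
    """
    def req(request_line: str, *headers: str) -> bytes:
        lines = [request_line, *headers, f"User-Agent: {ua}",
                 "Connection: close", "", ""]
        return "\r\n".join(lines).encode("ascii")

    return {
        # Same request the telnet test in the post sent.
        "baseline": req("GET / HTTP/1.1", f"Host: {host}"),
        # HTTP/1.0 without Host: served by the first vhost for that address:port.
        "http10_no_host": req("GET / HTTP/1.0"),
        # Absolute-form target names the alias while Host says something else
        # ("localhost" is an assumed placeholder); shows which one Apache uses.
        "absolute_uri": req(f"GET http://{host}/ HTTP/1.1", "Host: localhost"),
        # Host with an explicit port, a trailing dot, or different case.
        "host_with_port": req("GET / HTTP/1.1", f"Host: {host}:80"),
        "host_trailing_dot": req("GET / HTTP/1.1", f"Host: {host}."),
        "host_uppercase": req("GET / HTTP/1.1", f"Host: {host.upper()}"),
    }


def send_raw(addr: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send one raw request and collect the reply until the server closes."""
    chunks: List[bytes] = []
    # create_connection handles both IPv4 and IPv6 literals.
    with socket.create_connection((addr, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                data = s.recv(65536)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # keep whatever arrived before the server went quiet
    return b"".join(chunks)


def parse_response(raw: bytes) -> Tuple[Optional[int], Dict[str, str]]:
    """Return (status code, lower-cased header dict) from a raw HTTP reply."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        return None, {}
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def probe(addrs: Iterable[str], port: int = 80,
          host: str = ALIAS) -> List[Tuple[str, str, Optional[int], str]]:
    """Send every variant to every address; one (addr, variant, status, detail) per probe."""
    results = []
    for addr in addrs:
        for name, payload in build_variants(host).items():
            try:
                status, headers = parse_response(send_raw(addr, port, payload))
            except OSError as exc:
                status, headers = None, {"error": str(exc)}
            detail = headers.get("location", headers.get("error", ""))
            results.append((addr, name, status, detail))
    return results


if __name__ == "__main__":
    import sys
    # Assumed default addresses; pass the vhost's bound IP and any other
    # interface or IPv6 address the server listens on as arguments.
    for row in probe(sys.argv[1:] or ["127.0.0.1", "::1"]):
        print("%-16s %-18s %s %s" % row)
```

Run it against the vhost's own IP first, then against every other address the server listens on (IPv6, loopback, a second interface), and look at the last fields of the access-log line each probe produces: a variant that logs /var/www/html/ instead of the vhost's subdirectory is the one to pursue.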