On 2020-02-17 athompso@athompso.net wrote:
First thought: what other hits came from that IP address previously? Could it be a redirect or rewrite? -Adam
The pattern is 2-3 fuzz hits that get 4xx codes like: 1.2.3.4 - - [17/Feb/2020:14:59:28 -0600] "\x16\x03\x01" 400 226 "-" "-" 80 9-w1.foo.com -
Then the hit that breaks into /var/www/html
On 2020-02-17 Theodore Baschak wrote:
Also, you've got the IP and you say they're persistent; tcpdump/tshark some packets to a file and see the contents of the request in more detail?
I get 4-5 hits total from a single IP, then no more from that IP. Then a while later it'll be the same pattern from another IP. I have dozens of these groups of hits logged, always the similar sequence. Sometimes they just do the \x code hits and not the breakout hit.
Probably a botnet causing this.
So I can't easily dump these packets, at least not based on IP. This is a very busy production server, so I'm not sure I want to turn on global port 80 packet capture... although most traffic is on port 443, so maybe it is an option.
I'm also looking into logging more of the request. There doesn't seem to be a way to log all headers, but I can log specific ones.
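Editor's note on the log line quoted earlier in this thread: the bytes \x16\x03\x01 that Apache writes into the request field are the start of a TLS record header (content type 0x16 = handshake, protocol version 0x03 0x01), i.e. a client sending a TLS ClientHello to the plaintext port 80, which Apache rejects with a 400 because it is not an HTTP request line. The script below is an added example and not code from anyone in this thread. It parses lines in the custom LogFormat layout inferred from the quoted sample (client, ident, user, [time], "request", status, bytes, "referer", "user-agent", port, vhost, -), undoes Apache's \xNN escaping to recover the raw bytes, and groups hits per client IP so that the pattern the poster describes (a few TLS-on-port-80 probes, then possibly a normal HTTP request) can be pulled out of a busy access log without packet capture. The sample lines are constructed for the example; only the first one is the line quoted in the thread. The follow-up request in the sample is a plain GET / and is not a claim about what the "breakout" request actually was.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of the post's custom Apache LogFormat
# (client ident user [time] "request" status bytes "referer" "user-agent" port vhost -).
# Only the first line is from the thread; the others are made up for this example.
SAMPLE_LOG = r"""
1.2.3.4 - - [17/Feb/2020:14:59:28 -0600] "\x16\x03\x01" 400 226 "-" "-" 80 9-w1.foo.com -
1.2.3.4 - - [17/Feb/2020:14:59:29 -0600] "\x16\x03\x01\x02\x00" 400 226 "-" "-" 80 9-w1.foo.com -
1.2.3.4 - - [17/Feb/2020:14:59:31 -0600] "GET / HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 80 9-w1.foo.com -
5.6.7.8 - - [17/Feb/2020:15:10:02 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.64.0" 80 9-w1.foo.com -
9.9.9.9 - - [17/Feb/2020:16:01:10 -0600] "\x16\x03\x01" 400 226 "-" "-" 80 9-w1.foo.com -
9.9.9.9 - - [17/Feb/2020:16:01:11 -0600] "\x16\x03\x01" 400 226 "-" "-" 80 9-w1.foo.com -
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# A quoted field as Apache writes it: any run of non-quote chars or backslash escapes.
QUOTED = r'"(?P<{name}>(?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "
    + QUOTED.format(name="request")
    + r" (?P<status>\d{3}) (?P<bytes>\S+) "
    + QUOTED.format(name="referer") + " " + QUOTED.format(name="ua")
    + r" (?P<port>\d+) (?P<vhost>\S+) \S+$"
)

# Apache escapes non-printable request bytes as \xNN and quotes/backslashes as \" and \\.
_ESC = re.compile(rb"\\(x[0-9A-Fa-f]{2}|.)")


def decode_apache_escapes(field: str) -> bytes:
    """Undo Apache's %r escaping to recover the bytes the client actually sent."""
    def repl(m):
        tok = m.group(1)
        if tok[:1] == b"x":
            return bytes([int(tok[1:].decode(), 16)])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(tok, tok)
    return _ESC.sub(repl, field.encode("latin-1"))


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["port"] = int(rec["port"])
    rec["raw"] = decode_apache_escapes(rec["request"])
    return rec


def classify(raw: bytes) -> str:
    """Label a decoded request line.

    A TLS record header (content type 0x16 = handshake, version 0x03 0x0N) arriving on
    a plaintext port is a client speaking HTTPS to port 80, not an HTTP request.
    """
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04:
        return "tls-on-plain-http"
    if re.fullmatch(rb"[A-Z]{3,8} \S+ HTTP/\d\.\d", raw):
        return "http"
    return "other-binary"


def find_probe_groups(lines, min_probes: int = 1):
    """Group hits per client IP and report IPs whose first hits are TLS-on-port-80 probes.

    For each such IP the result holds the number of leading probes and the HTTP requests
    (request line, status) that the same IP sent afterwards, which is where a
    follow-up "breakout" request would show up. IPs whose first hit is a normal HTTP
    request are ignored.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        kinds = [classify(r["raw"]) for r in recs]
        n_probes = 0
        while n_probes < len(kinds) and kinds[n_probes] == "tls-on-plain-http":
            n_probes += 1
        if n_probes < min_probes:
            continue
        findings[ip] = {
            "probes": n_probes,
            "follow_up": [(r["request"], r["status"]) for r in recs[n_probes:]],
        }
    return findings


if __name__ == "__main__":
    for ip, info in find_probe_groups(SAMPLE_LINES).items():
        print(f"{ip}: {info['probes']} TLS-on-port-80 probe(s), then {info['follow_up'] or 'nothing'}")
```

Run against a real access log with `find_probe_groups(open("/var/log/apache2/access.log"))` after adjusting LINE_RE to the actual LogFormat in use (the layout above is an assumption from the one quoted line). If packet capture is still wanted without turning on a full port 80 capture, the same header bytes give a narrow BPF filter, for example `tcpdump -i eth0 -s 0 -w tls-on-80.pcap 'tcp dst port 80 and tcp[((tcp[12]&0xf0)>>2):2] = 0x1603'`, which captures only segments whose TCP payload starts with a TLS record header; note that this catches the probe packets but not the later plain-HTTP request from the same IP, so the log-based grouping above is still needed to see the whole sequence.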