Identical http request in log file
Hi list,

I've experienced strange entries in the transfer.log of my apache 1.3.23. This apache is protected via .htaccess files and is the only service I provide to selected users. The entries look like this:

aaa.bbb.ccc.ddd - - [31/Jan/2004:00:01:29 +0100] "GET / HTTP/1.1" 401 494
65.166.64.132 - - [31/Jan/2004:00:01:30 +0100] "GET / HTTP/1.1" 401 494
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:09:00 +0100] "GET / HTTP/1.1" 401 494
217.169.46.98 - - [31/Jan/2004:00:09:01 +0100] "GET / HTTP/1.1" 401 494
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:17:41 +0100] "GET / HTTP/1.1" 401 494
65.245.128.68 - - [31/Jan/2004:00:17:42 +0100] "GET / HTTP/1.1" 401 494

aaa.bbb.ccc.ddd is the IP of one of my users who is just accessing the htaccess dialog. Every request that is made is doubled from a different IP. If the user logs in with a valid account then the "doubled" request gets a 401.

Is this a security problem at my site? How can I prevent this without limiting access to certain IP addresses? I'm using SuSE 8.0 with all patches applied.

Any hint is appreciated. Thanks in advance.

Regards,
Andreas
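A small detector for the pattern described in this post, added here as an example (not code from the thread): it parses Apache common-log lines and flags any request that is repeated verbatim from a different IP within a short window. The sample log is constructed from the excerpt above, with aaa.bbb.ccc.ddd kept as the placeholder for the user's address.

```python
import re
from datetime import datetime, timedelta

# Apache common log format, as in the transfer.log lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (ip, datetime, request, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))

def find_shadow_requests(lines, window=timedelta(seconds=2)):
    """Pair each request with a later identical request line from a different IP
    arriving within `window`. Returns (first_ip, second_ip, request, delay_seconds)."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    entries.sort(key=lambda e: e[1])
    hits = []
    for i, (ip_a, ts_a, req_a, _) in enumerate(entries):
        for ip_b, ts_b, req_b, _ in entries[i + 1:]:
            if ts_b - ts_a > window:
                break  # entries are time-ordered, nothing later can match
            if req_b == req_a and ip_b != ip_a:
                hits.append((ip_a, ip_b, req_a, (ts_b - ts_a).total_seconds()))
    return hits

# Constructed sample modelled on the thread's log excerpt; the last line is an
# ordinary request with no shadow so the detector has something to ignore.
SAMPLE_LOG = """\
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:01:29 +0100] "GET / HTTP/1.1" 401 494
65.166.64.132 - - [31/Jan/2004:00:01:30 +0100] "GET / HTTP/1.1" 401 494
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:09:00 +0100] "GET / HTTP/1.1" 401 494
217.169.46.98 - - [31/Jan/2004:00:09:01 +0100] "GET / HTTP/1.1" 401 494
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:17:41 +0100] "GET / HTTP/1.1" 401 494
65.245.128.68 - - [31/Jan/2004:00:17:42 +0100] "GET / HTTP/1.1" 401 494
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:40:00 +0100] "GET /index.html HTTP/1.1" 200 1234
""".splitlines()

if __name__ == "__main__":
    for first, second, req, delay in find_shadow_requests(SAMPLE_LOG):
        print(f"{first} -> {second} repeated {req!r} after {delay:.0f}s")
```

Run against a real transfer.log, the output groups each user request with the foreign IP that replayed it, which is the list to correlate with the error_log and with the user's own netstat output as suggested later in the thread.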
On Friday 30 January 2004 14:51, Andreas Jägermann wrote:
Is this a security problem at my site? How can I prevent this without limiting access to certain ip addresses? I'm using SuSE 8.0 with all patches applied.
Any hint is appreciated. Thanks in advance.
I'm guessing your user has spyware on his machine. If it's Windows he should try Spybot Search & Destroy or Ad-Aware.

--
_____________________________________
John Andersen
On Friday 30 January 2004 14:51, Andreas Jägermann wrote:
Is this a security problem at my site? How can I prevent this without limiting access to certain ip addresses? I'm using SuSE 8.0 with all patches applied.
Any hint is appreciated. Thanks in advance.
I'm guessing your user has spyware on his machine. If it's Windows he should try Spybot Search & Destroy or Ad-Aware.
This was my first thought, too. But Spybot and an additional virus scan did not produce any significant result.

Andreas
On Saturday 31 January 2004 02:10, Andreas Jägermann wrote:
On Friday 30 January 2004 14:51, Andreas Jägermann wrote:
Is this a security problem at my site? How can I prevent this without limiting access to certain ip addresses? I'm using SuSE 8.0 with all patches applied.
Any hint is appreciated. Thanks in advance.
I'm guessing your user has spyware on his machine. If it's Windows he should try Spybot Search & Destroy or Ad-Aware.
This was my first thought, too. But Spybot and an additional virus scan did not produce any significant result.
If it is limited to that single user it would have to be somewhere on his end, or along the route to you. Perhaps a traceroute from his end would reveal something - maybe a caching proxy server between him and you.

Also a netstat -an from his machine immediately (within a second) of requesting a page on your site might reveal odd connections to some other site.

If you ever figure it out be sure to post here as this is quite interesting.

--
_____________________________________
John Andersen
Is this a security problem at my site? How can I prevent this without limiting access to certain ip addresses? I'm using SuSE 8.0 with all patches applied.
Any hint is appreciated. Thanks in advance.
I'm guessing your user has spyware on his machine. If it's Windows he should try Spybot Search & Destroy or Ad-Aware.
This was my first thought, too. But Spybot and an additional virus scan did not produce any significant result.
If it is limited to that single user it would have to be somewhere on his end, or along the route to you. Perhaps a traceroute from his end would reveal something - maybe a caching proxy server between him and you.
Also a netstat -an from his machine immediately (within a second) of requesting a page on your site might reveal odd connections to some other site.
If you ever figure it out be sure to post here as this is quite interesting.
I gathered some additional info on this topic: I'm running different webservers (virtual hosts) on one IP address. If the "suspicious" user connects to server A the request is doubled. At host B not. Another user connecting to host A shows _no_ doubled request, too. This problem only occurs if this specific user connects to host A.

I reviewed all scripts (.php, .cgi) and their rights on host A but I didn't find any suspicious changes.

If this problem were related to this user then it must occur on every host he connects to. If it is related to my host A then it should occur with every user. My paranoia is still rising :)

Any clues?

Regards
Andreas
Hello,

On Monday, 02 February 2004 15:02, Andreas Jägermann wrote:
[...]
I gathered some additional info on this topic: I'm running different webservers (virtual hosts) on one IP address. If the "suspicious" user connects to server A the request is doubled. At host B not. Another user connecting to host A shows _no_ doubled request, too. This problem only occurs if this specific user connects to host A.
Just a try: Maybe the user's browser has cached a "wrong" username/password set. Try using another browser the user has never used before or clear all password caches.

Sniffing the network packets and looking for the username and password being sent could make things clearer.

Yours,
Christian Boltz
--
What are you doing?!? The message is over, GO AWAY!
Andreas Jägermann wrote:
The entries look like this:
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:01:29 +0100] "GET / HTTP/1.1" 401 494
65.166.64.132 - - [31/Jan/2004:00:01:30 +0100] "GET / HTTP/1.1" 401 494
Any hint is appreciated.
Look up corresponding lines in the error_log.

--
Have fun,
Peter
The entries look like this:
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:01:29 +0100] "GET / HTTP/1.1" 401 494
65.166.64.132 - - [31/Jan/2004:00:01:30 +0100] "GET / HTTP/1.1" 401 494
Any hint is appreciated.
Look up corresponding lines in the error_log.
There's nothing in the error.log that corresponds to the suspicious transfer.log entries. At this moment I decided to disconnect the server from the internet because I'm not able to locate the source of this misbehaviour. I'll then do a fresh install of a SuSE 9.0 and reconfigure and restart any service I'm using now. This whole thing won't let me sleep at night.

I'm sorry that I can't present any solution to you.

Regards,
Andreas