• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Apache (internal dummy connection) flooded logs

S

SalvadorS

Regular Pleskian
Hello,

I have a Debian 6 box, with Plesk 11.0.9 nearly 300 domains and I can see in /var/log/other_vhosts_access.log hundreds these lines:

Code: 
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:45 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:47 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:48 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:49 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:50 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:51 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:52 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:01 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:05 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:06 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:09 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:10 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:14 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:15 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:16 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:17 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:18 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:19 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:26 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:27 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:28 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:37 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:38 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"

And the load of the box is too high...

Any ideas?
 
Hi SalvadorS,

To the best of my understanding these are records of the Apache2 server being accessed via IP. This could be local server owns access, or others trying to access your server that way. The log file is:

other_vhosts_access.log

See that log listed on the Plesk Support KB article:

Code: 
Debian/Ubuntu

Logs
Global logs:
Access log: /var/log/apache2/access.log
Error log: /var/log/apache2/error.log
Domain logs:
Access logs:
HTTP log: /var/www/vhosts/system/<domain_name>/logs/access_log
HTTPS log: /var/www/vhosts/system/<domain_name>/logs/access_ssl_log
Requests to IP addresses: /var/log/apache2/other_vhosts_access.log
Error log: /var/www/vhosts/system/<domain_name>/logs/error_log

I have implemented a fail2ban jail to block 403 of none server's IP access such request.

Note:

1) Make sure server's all IPs are white listed on Fail2ban, including localhsot IP 127.0.0.1 BEFORE any such ban placed.

2) I have created a cron job to link the Apache2 log file to a Pleks accessed log:

Code: 
ln -f /var/log/apache2/other_vhosts_access.log /var/www/vhosts/example.com/logs/other_log && chmod 644 /var/www/vhosts/example.com/logs/other_log

3) I have placed a failregex to a jail which has that above linked log file in its log files scanned

Code: 
.*:(80|443) <HOST> .*403.*

4) I have tested to see it's well blocking:

Code: 
# fail2ban-regex /var/www/vhosts/example.com/logs/other_log httpd_forbidden --print-all-matched

Running tests
=============

Use   failregex filter file : httpd_forbidden, basedir: /etc/fail2ban
Use      datepattern :  : Default Detectors
Use         log file : /var/www/vhosts/example.com/logs/other_log
Use         encoding : ISO-8859-1


Results
=======

Failregex: 4 total
|-  #) [# of hits] regular expression
|  11) [4] .*:(80|443) <HOST> .*403.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [7] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 7 lines, 0 ignored, 4 matched, 3 missed
[processed in 0.03 sec]

|- Matched line(s):
|  default-<server_private_ip_was_here>:443 <attacking_ip_was_here> - - [01/May/2023:09:22:33 +0300] "GET / HTTP/1.0" 403 5589 "http://<server_public_ip_was_here>.59/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
|  default-<server_private_ip_was_here>:443 <attacking_ip_was_here> - - [01/May/2023:19:22:02 +0300] "GET / HTTP/1.0" 403 5141 "http://<server_public_ip_was_here>.59:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4896.127 Safari/537.36"
|  default-<server_private_ip_was_here>:443 <attacking_ip_was_here> - - [03/May/2023:01:22:15 +0300] "GET / HTTP/1.0" 403 5589 "-" "-"
|  default-<server_private_ip_was_here>:443 <attacking_ip_was_here> - - [03/May/2023:01:22:18 +0300] "GET / HTTP/1.0" 403 5589 "http://<server_public_ip_was_here>.59" "Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)"
`-
|- Missed line(s):
|  plesk-service.localdomain:80 127.0.0.1 - - [02/May/2023:00:00:09 +0300] "HEAD / HTTP/1.1" 200 274 "-" "-"
|  plesk-service.localdomain:80 127.0.0.1 - - [02/May/2023:18:53:20 +0300] "HEAD / HTTP/1.1" 200 274 "-" "-"
|  plesk-service.localdomain:80 127.0.0.1 - - [03/May/2023:00:00:07 +0300] "HEAD / HTTP/1.1" 200 274 "-" "-"

5) I have restarted fail2ban + Apache2 + PHP + nginx:

Code: 
service fail2ban restart

systemctl restart apache2
systemctl restart nginx
systemctl restart plesk-php82-fpm
 
Hi @SalvadorS,

You may also read more about this kind of attack, attempt at exploiting the shellshock vulnerability, over here:


New, in your face, malware attacks me: /Ringing.at.your.dorbell! - Dog Is My Copilot

Once in a great while I see a novel piece of malware. Novel in the sense that it is particularly stupid in its behavior and tells us the author is an egotistical asshole. This week it is malware written by someone who can’t resist announcing in big bold letters that they are up to no good...
www.skepticism.us
 
You must log in or register to reply here.

Similar threads

Azurel
Issue ModSecurity: Issue with Comodo rules set?
Replies
1
Views
2K
Azurel
Azurel
E
Question python code generates apache handler error
Replies
0
Views
1K
elenaflorence
E
T
Forwarded to devs httpsd_access_log swamped by grafana log entries
Replies
2
Views
827
TomBoB
T
S
Issue Can not restart web server / New configuration files for the Apache web server were not created
Replies
2
Views
3K
DRY411S
D
Y
Resolved Apache2 - Broken images load from remote server
Replies
1
Views
5K
yanover
Y
Back
Top