
Apache (internal dummy connection) flooded logs

SalvadorS

Regular Pleskian
Hello,

I have a Debian 6 box with Plesk 11.0.9 and nearly 300 domains, and I can see hundreds of these lines in /var/log/other_vhosts_access.log:

Code:
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:45 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:47 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:48 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:49 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:50 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:51 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:13:52 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:01 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:05 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:06 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:09 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:10 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:14 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:15 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:16 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:17 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:18 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:19 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:26 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:27 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:28 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:37 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"
server.domain.org:80 ::1 - - [12/Aug/2013:12:14:38 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"

And the load of the box is too high...

Any ideas?
 
Hi SalvadorS,

To the best of my understanding these are records of the Apache2 server being accessed via IP. This could be the local server's own access, or others trying to access your server that way. The log file is:

other_vhosts_access.log

See that log listed on the Plesk Support KB article:

Code:
Debian/Ubuntu

Logs
Global logs:
Access log: /var/log/apache2/access.log
Error log: /var/log/apache2/error.log
Domain logs:
Access logs:
HTTP log: /var/www/vhosts/system/<domain_name>/logs/access_log
HTTPS log: /var/www/vhosts/system/<domain_name>/logs/access_ssl_log
Requests to IP addresses: /var/log/apache2/other_vhosts_access.log
Error log: /var/www/vhosts/system/<domain_name>/logs/error_log

I have implemented a fail2ban jail to block IPs other than the server's own that get a 403 on such requests.

Note:

1) Make sure all of the server's IPs are whitelisted in Fail2ban, including the localhost IP 127.0.0.1, BEFORE any such ban is placed.

2) I have created a cron job to link the Apache2 log file to a log that Plesk can access:

Code:
ln -f /var/log/apache2/other_vhosts_access.log /var/www/vhosts/example.com/logs/other_log && chmod 644 /var/www/vhosts/example.com/logs/other_log

3) I have placed a failregex in a jail that has the above linked log file among the log files it scans:

Code:
.*:(80|443) <HOST> .*403.*

4) I have tested to see that it is blocking well:

Code:
# fail2ban-regex /var/www/vhosts/example.com/logs/other_log httpd_forbidden --print-all-matched

Running tests
=============

Use   failregex filter file : httpd_forbidden, basedir: /etc/fail2ban
Use      datepattern :  : Default Detectors
Use         log file : /var/www/vhosts/example.com/logs/other_log
Use         encoding : ISO-8859-1


Results
=======

Failregex: 4 total
|-  #) [# of hits] regular expression
|  11) [4] .*:(80|443) <HOST> .*403.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [7] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 7 lines, 0 ignored, 4 matched, 3 missed
[processed in 0.03 sec]

|- Matched line(s):
|  default-<server_private_ip_was_here>:443 <attacking_ip_was_here> - - [01/May/2023:09:22:33 +0300] "GET / HTTP/1.0" 403 5589 "http://<server_public_ip_was_here>.59/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
|  default-<server_private_ip_was_here>:443 <attacking_ip_was_here> - - [01/May/2023:19:22:02 +0300] "GET / HTTP/1.0" 403 5141 "http://<server_public_ip_was_here>.59:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4896.127 Safari/537.36"
|  default-<server_private_ip_was_here>:443 <attacking_ip_was_here> - - [03/May/2023:01:22:15 +0300] "GET / HTTP/1.0" 403 5589 "-" "-"
|  default-<server_private_ip_was_here>:443 <attacking_ip_was_here> - - [03/May/2023:01:22:18 +0300] "GET / HTTP/1.0" 403 5589 "http://<server_public_ip_was_here>.59" "Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)"
`-
|- Missed line(s):
|  plesk-service.localdomain:80 127.0.0.1 - - [02/May/2023:00:00:09 +0300] "HEAD / HTTP/1.1" 200 274 "-" "-"
|  plesk-service.localdomain:80 127.0.0.1 - - [02/May/2023:18:53:20 +0300] "HEAD / HTTP/1.1" 200 274 "-" "-"
|  plesk-service.localdomain:80 127.0.0.1 - - [03/May/2023:00:00:07 +0300] "HEAD / HTTP/1.1" 200 274 "-" "-"

5) I have restarted fail2ban + Apache2 + PHP + nginx:

Code:
service fail2ban restart

systemctl restart apache2
systemctl restart nginx
systemctl restart plesk-php82-fpm
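As an added illustration (not code from the thread or from fail2ban), here is the jail logic from the reply above in Python: the post's failregex run over constructed log lines, with an ignoreip-style whitelist applied before hits are counted, so the server's own addresses never reach maxretry while the Apache dummy connections (status 200 from ::1) never match at all. The simplified <HOST> capture group, the sample addresses and the 192.0.2.10 server IP are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The post's failregex; <HOST> replaced by a simplified capture group
# (assumption: fail2ban's own <HOST> expansion is broader than this).
FAILREGEX = re.compile(r".*:(80|443) (?P<host>[\w\-.:]+) .*403.*")

# ignoreip equivalent: both loopbacks plus the server's own address
# (192.0.2.10 is a constructed placeholder for the real server IP).
IGNORE_NETS = [ip_network("127.0.0.0/8"), ip_network("::1/128"),
               ip_network("192.0.2.10/32")]

# Constructed sample of other_vhosts_access.log (RFC 5737 addresses).
SAMPLE_LOG = [
    # Apache's own dummy connections: loopback, status 200, never a hit.
    'srv.example.org:80 ::1 - - [12/Aug/2013:12:13:45 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"',
    'srv.example.org:80 ::1 - - [12/Aug/2013:12:13:47 +0200] "OPTIONS * HTTP/1.0" 200 136 "-" "Apache (internal dummy connection)"',
    # Four forbidden by-IP requests from one external host: reaches maxretry.
    'default-10.0.0.5:443 198.51.100.7 - - [01/May/2023:09:22:33 +0300] "GET / HTTP/1.0" 403 5589 "-" "-"',
    'default-10.0.0.5:443 198.51.100.7 - - [01/May/2023:09:22:34 +0300] "GET / HTTP/1.0" 403 5589 "-" "-"',
    'default-10.0.0.5:443 198.51.100.7 - - [01/May/2023:09:22:35 +0300] "GET / HTTP/1.0" 403 5589 "-" "-"',
    'default-10.0.0.5:443 198.51.100.7 - - [01/May/2023:09:22:36 +0300] "GET / HTTP/1.0" 403 5589 "-" "-"',
    # One 403 from another host: below maxretry, not banned.
    'default-10.0.0.5:80 203.0.113.9 - - [01/May/2023:10:00:00 +0300] "GET / HTTP/1.0" 403 5141 "-" "-"',
    # Local 403s (a monitor probing a blocked path): without ignoreip the
    # jail would ban the server itself, hence the whitelist-first note.
    'default-10.0.0.5:80 127.0.0.1 - - [02/May/2023:00:00:09 +0300] "HEAD /secret HTTP/1.1" 403 274 "-" "-"',
    'default-10.0.0.5:80 127.0.0.1 - - [02/May/2023:00:00:10 +0300] "HEAD /secret HTTP/1.1" 403 274 "-" "-"',
    'default-10.0.0.5:80 127.0.0.1 - - [02/May/2023:00:00:11 +0300] "HEAD /secret HTTP/1.1" 403 274 "-" "-"',
]

def is_ignored(host, ignore_nets):
    """True when the host address falls inside any ignoreip entry."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in ignore_nets)

def offending_hosts(lines, maxretry=3, ignore_nets=IGNORE_NETS):
    """Run the failregex over the lines, skip whitelisted hosts, and return
    {host: hits} for every host that reached maxretry (what fail2ban bans)."""
    hits = Counter()
    for line in lines:
        m = FAILREGEX.match(line)
        if m and not is_ignored(m.group("host"), ignore_nets):
            hits[m.group("host")] += 1
    return {host: n for host, n in hits.items() if n >= maxretry}
```

Calling offending_hosts(SAMPLE_LOG) yields only the external host, whereas passing ignore_nets=[] also reports 127.0.0.1, which is the misfire the whitelist note guards against.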
 
Hi @SalvadorS,

You may also read more about this kind of attack, an attempt at exploiting the Shellshock vulnerability, over here:


 