Need help understanding strange traffic...

June 24, 2016 1.5k views
Security Logging LAMP Stack Apache Ubuntu

Complete rookie would appreciate some edification...

My droplet was up for little more than a couple of hours and I was seeing some strange traffic in the logs:

IP              Request                         Status  Size   CONNECT 50na50.net:80 HTTP/1.1  200     12364   CONNECT d0na50.net:80 HTTP/1.1  200     12364   CONNECT tiras.tk:80 HTTP/1.1        200     12364   CONNECT hideface.tk:80 HTTP/1.1 200         12364

Can someone explain why these requests were successful?
What 12k was served?

Should I be worried (do I need to take action?) I already blocked IP in .htaccess

1 Answer

This does not look like a standard apache log format. The full logs (unless the configuration has been altered) would be found in /var/log/apache2/access.log and will include the request made (that path or page requested by the client). Since these requests resulted in a 200 status they were for endpoints that exist on your droplet, possibly simply for /. There is not enough information here to know if these were malicious requests but anytime you launch a server on the public Internet it will receive unwanted requests. There are plenty of bots set up to scan large blocks of IP addresses for vulnerable servers.

  • Below is the actual log. I truncated the original post for readability... - - [23/Jun/2016:19:57:54 -0700] "CONNECT tiras.tk:80 HTTP/1.1" 200 12329 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" - - [23/Jun/2016:19:57:59 -0700] "CONNECT hideface.tk:80 HTTP/1.1" 200 12328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

    I hadn't seen a "CONNECT" request before... have since setup fail2ban to catch these. Would still like to understand why it was successful and received 12k of data.

Have another answer? Share your knowledge.