By:
falconer

Need help understanding strange traffic...

June 24, 2016
Security Logging LAMP Stack Apache Ubuntu

Complete rookie would appreciate some edification...

My droplet was up for little more than a couple of hours and I was seeing some strange traffic in the logs:

IP              Request                            Status  Size
37.26.128.179   CONNECT 50na50.net:80 HTTP/1.1     200     12364
37.26.128.179   CONNECT d0na50.net:80 HTTP/1.1     200     12364
37.26.128.179   CONNECT tiras.tk:80 HTTP/1.1       200     12364
37.26.128.179   CONNECT hideface.tk:80 HTTP/1.1    200     12364

Can someone explain why these requests were successful?
What 12k was served?

Should I be worried (do I need to take action)? I already blocked the IP in .htaccess.

1 Answer

This does not look like a standard Apache log format. The full logs (unless the configuration has been altered) would be found in /var/log/apache2/access.log and will include the request made (the path or page requested by the client). Since these requests resulted in a 200 status, they were for endpoints that exist on your droplet, possibly simply for /. There is not enough information here to know if these were malicious requests, but any time you launch a server on the public Internet it will receive unwanted requests. There are plenty of bots set up to scan large blocks of IP addresses for vulnerable servers.

  • Below is the actual log. I truncated the original post for readability...

    37.26.128.179 - - [23/Jun/2016:19:57:54 -0700] "CONNECT tiras.tk:80 HTTP/1.1" 200 12329 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
    37.26.128.179 - - [23/Jun/2016:19:57:59 -0700] "CONNECT hideface.tk:80 HTTP/1.1" 200 12328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

    I hadn't seen a "CONNECT" request before... I have since set up fail2ban to catch these. I would still like to understand why it was successful and received 12k of data.
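As an added example (not from the original thread), here is a small Python script that parses Apache combined-format lines like the two above and pulls out CONNECT requests, i.e. clients probing whether the server will act as a forward proxy. The two CONNECT lines are the ones posted above; the GET line is constructed, and the per-IP count is the kind of figure a fail2ban-style threshold is applied to. A 2xx on a CONNECT only shows Apache answered the request; whether a tunnel was really opened depends on mod_proxy being enabled with ProxyRequests On, which a default install does not have.

```python
import re
from collections import Counter

# Apache "combined" LogFormat, the default for access.log on Ubuntu:
#   %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Sample input: the two CONNECT lines from the post above plus one
# constructed, ordinary GET line (203.0.113.7 is a documentation address).
SAMPLE_LOG = [
    '37.26.128.179 - - [23/Jun/2016:19:57:54 -0700] "CONNECT tiras.tk:80 HTTP/1.1" 200 12329 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"',
    '37.26.128.179 - - [23/Jun/2016:19:57:59 -0700] "CONNECT hideface.tk:80 HTTP/1.1" 200 12328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"',
    '203.0.113.7 - - [23/Jun/2016:20:01:02 -0700] "GET / HTTP/1.1" 200 11321 "-" "curl/7.47.0"',
]

def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # %r is "METHOD target PROTOCOL"; for CONNECT the target is host:port,
    # the place the client asked this server to open a tunnel to.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_proxy_probes(lines):
    """Return the CONNECT records: clients trying to use this host as a
    forward proxy. A 2xx status only says Apache answered the request;
    whether a tunnel was actually opened depends on mod_proxy being
    enabled with ProxyRequests On, which a default install does not have."""
    return [r for r in map(parse_line, lines) if r and r["method"] == "CONNECT"]

def probes_by_host(lines):
    """Count CONNECT attempts per client IP, the figure a fail2ban-style
    ban threshold would be applied to."""
    return Counter(r["host"] for r in find_proxy_probes(lines))

if __name__ == "__main__":
    for ip, n in probes_by_host(SAMPLE_LOG).items():
        print(f"{ip}: {n} CONNECT attempt(s)")
```

If the script reports 2xx CONNECT hits on a host that is not meant to proxy, the thing to confirm is that mod_proxy is not loaded and ProxyRequests is Off; the count per IP is what to feed a ban rule.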
