Question Regarding Apache Access Logs
Hello, I am concerned by some logs I have seen lately and need some clarification as to what they mean.
Here is one of them:
36.5.71.45 - - [23/Dec/2021:15:36:33 -0800] "GET http://www.soso.com/ HTTP/1.1" 200 163 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
There are others with different websites and some with nothing but the IP and 200 OK status. Does this mean that someone is using my server to send others to the domain in question, or something else more malicious? Is it just a failed attempt that I shouldn't be worried about, even though there is a 200 status associated with the GET request? I have ConfigServer Firewall installed on the server along with csx, osm, ModSecurity and ImunifyAV. I did find this
Hello! The HTTP 200 OK success status response code indicates that the request succeeded. This log entry is perfectly normal and simply indicates a web page was visited. We can break it down like this.
- 36.5.71.45 is the IP of the visitor
- 23/Dec/2021:15:36:33 is when it happened
- "GET" request indicates this IP was requesting information (i.e. resolving a website page and requesting the information from it)
- www.soso.com is the web page that this IP was visiting and made a "GET" request to
- Then there's also information about the type of browser/device that was being used. You shouldn't need to worry about these log entries unless you're seeing thousands of connections from the same IP and are suspicious of some type of DDoS or network attack.
Okay, I was concerned because www.soso.com isn't my website and isn't even on the server I manage.
In what log file do you see those lines?
I am seeing those lines in "etc/apache2/logs/access_log" and "var/log/apache2/access_log"
Those are the same file. AFAIK in that log there are not supposed to be access logs for any domain on your server. :rolleyes:
Okay thanks. So I will assume based on your reply and cpanelAnthony that all is good, seeing as how that isn't my domain or any domain on my server.
I can't really say if it's good or not, but I've never seen lines like that in our servers.
Been trying to find where the setting is for open proxy but can't seem to find anything on Google that points me to the proper SSH command. I tried this:
sudo nmap -sS -sV -p 8080 --script http-open-proxy.nse x.x.x.x
but I must not have nmap installed on the server. Tried looking inside the httpd file and didn't see anything there either, other than a reference to mod_proxy_fastcgi. Also checked the "Tweak Settings" inside WHM but nothing there that I can find either.
You should be able to install nmap for free if needed.
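The distinguishing feature of the quoted line is that the request target is an absolute URI (http://www.soso.com/) for a host the server does not host, which is how a client asks a server to act as a forward proxy. As an added example (not from this thread, cPanel or Apache), here is a small Python parser for Apache combined-format access log lines that flags such requests and counts them per client IP; OWN_HOSTS and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat; the regex is an assumption about that layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Hostnames this server legitimately serves (constructed placeholder values).
OWN_HOSTS = {"example-hosted-site.test", "www.example-hosted-site.test"}

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    target = parts[1] if len(parts) >= 2 else ""
    # A forward-proxy style request carries scheme://host/... as its target
    # instead of a plain path such as /index.html.
    rec["absolute_uri"] = "://" in target
    rec["target_host"] = urlsplit(target).hostname if rec["absolute_uri"] else None
    rec["status"] = int(rec["status"])
    return rec

def find_proxy_probes(lines, own_hosts=OWN_HOSTS):
    """Flag requests whose target is an absolute URI for a host we do not serve."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["absolute_uri"] and rec["target_host"] not in own_hosts:
            hits.append(rec)
    return hits

def probes_per_ip(hits):
    """Count flagged requests per client IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample lines shaped like the one quoted in the thread.
SAMPLE = [
    '36.5.71.45 - - [23/Dec/2021:15:36:33 -0800] "GET http://www.soso.com/ HTTP/1.1" 200 163 "-" "Mozilla/5.0"',
    '36.5.71.45 - - [23/Dec/2021:15:36:35 -0800] "GET http://www.another-site.test/ HTTP/1.1" 200 163 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Dec/2021:15:40:01 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '203.0.113.9 - - [23/Dec/2021:15:41:12 -0800] "GET http://www.example-hosted-site.test/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in probes_per_ip(find_proxy_probes(SAMPLE)):
        print(f"{ip}: {n} absolute-URI request(s) for hosts this server does not serve")
```

A hit shows only that a client asked the server to fetch a foreign URL; whether Apache forwarded it or just answered from the default virtual host is what the response size and the ProxyRequests directive tell you, not the 200 status on its own.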