
Advertisements in the apache logs

Comments

4 comments

  • quietFinn

    Why don't you just do as they say: "send IP addresses/domains to: scaninfo@paloaltonetworks.com"?

     

    0
  • cPRex Jurassic Moderator

    I also think contacting them is the best plan.  For future log entries, you can't control the text that comes into the server from the original request, although I'm sure there would be some advanced way to block it if you really wanted to.

    I'd just block the IP and move on.

    0
  • durangod

    quietFinn

    I understand your view, but if someone knocked on your door at home and said

    "Hi, we are just making sure someone lives here; if you don't want to be bothered, send your proof of address"

    would you do that?  Not me.  I would tell them they are trespassing and to get the heck off my property.   I guess we just have two different views, and that is OK, that's what makes the world go around :)   I understand that server IPs are public information, but when someone asks for it in this way, it makes me think:

    Why would they notify me in such a way? I'm sure lots of companies check domains and servers and they say nothing, so why is this company wanting me to send them information? It's very suspicious.  Then what are they doing with this list of theirs? The fact that I send them the information must be some kind of legal loophole, that me sending it to them qualifies as some kind of subscription somehow.

    It's just very odd.   I will take the advice given, block the IP and move on.  :)    It's more than likely harmless but one never knows.  :)

    Thank you both, much appreciated.  

    0
  • durangod

    Just to share, here is what AI says about blocking CGI scans:

    To prevent your cPanel server from being flagged by CGI scans during a PCI scan, you can disable the /scgi-bin directory or disable the "CGI Center" scripts in WHM. Alternatively, you can configure your server to return 404 Not Found errors for invalid CGI requests instead of 200 OK with a page indicating the script wasn't found.
     
    Here's a more detailed breakdown:
     
    1. Disabling the /scgi-bin Directory:
    • PCI Scan Issues:
      PCI scanning vendors often attempt to access a wide range of known problematic CGI scripts. When a script is requested and doesn't exist, the cPanel server might respond with a 200 OK status and a page indicating the script wasn't found, instead of a 404 Not Found. This can lead to the PCI scan flagging the server as having the script present. 
       
    • Steps to Disable:
      1. Log in to your server via SSH as the root user. 
         
      2. Edit your Apache configuration file (e.g., /var/cpanel/conf/apache/main.conf). 
         
      3. Add or modify the following line within the Apache configuration: 
         
    Code

        <Directory /usr/local/cpanel/cgi-bin/>
            Options FollowSymLinks
            Require all granted
        </Directory>

      4. Change Require all granted to Require all denied.

      5. Save the file and restart Apache.
       
    2. Disabling CGI Center Scripts in WHM:
    • Feature Manager:
      You can disable specific CGI scripts or the entire "CGI Center" functionality through WHM's Feature Manager.
    • Steps:
      1. Log in to WHM.
      2. Navigate to Packages > Feature Manager.
      3. Select the feature list used by your plans (or edit a specific plan).
      4. Uncheck "CGI Center" or disable the specific scripts you want to remove.
      5. Click Save. 
         
    3. Return 404 Not Found Errors for Invalid Requests:
    • Alternative Approach:
      Instead of disabling the /scgi-bin directory, you can configure Apache to return a 404 Not Found error when a user attempts to access a non-existent CGI script. 
       
    • Steps (example using a virtual host):
      1. Log in to your server via SSH as the root user. 
         
      2. Edit the virtual host configuration file for your website (e.g., /etc/httpd/conf.d/yourdomain.conf). 
         
      3. Add or modify the following lines within the virtual host configuration: 
         
    Code

        <LocationMatch "^/cgi-bin/.*$">
            Require all denied
        </LocationMatch>

      4. Save the file and restart Apache.
       
    Important Considerations:
    • Backup: Before making any changes to your Apache configuration, create a backup of the file.
    • Restart Apache: After making changes, remember to restart the Apache web server.
    • Impact: Disabling the /scgi-bin directory or CGI scripts will prevent users from accessing those scripts. Be sure you understand the implications of disabling these scripts before making any changes. 

     

    I'm sure cPanel has docs on this, I just have not found them yet; of course cPanel docs take precedence.

    0
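
An added example, not part of the thread or of cPanel's documentation: a Python script that reads Apache combined-format log lines and reports the two things discussed above, clients whose User-Agent carries a contact e-mail notice and CGI paths that were answered with 200 instead of 404. The sample log lines, the IP addresses and the `known_scripts` parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?:[^"\\]|\\.)*" "(?P<agent>(?:[^"\\]|\\.)*)"$')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
CGI_RE = re.compile(r'^/s?cgi-bin/')

# Constructed sample entries (documentation IP ranges); not taken from the thread.
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Example scanner; send IP addresses/domains to: scaninfo@paloaltonetworks.com"
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 1433 "-" "Example scanner; send IP addresses/domains to: scaninfo@paloaltonetworks.com"
198.51.100.7 - - [01/Jan/2025:10:05:00 +0000] "GET /scgi-bin/old.pl HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2025:10:05:02 +0000] "GET /cgi-bin/contact.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:06:00 +0000] "\x16\x03\x01" 400 226 "-" "-"
'''

def analyze(log_text, known_scripts=frozenset()):
    """Return (notice_ips, soft_404s).

    notice_ips: {ip: set of contact e-mails embedded in its User-Agent}
    soft_404s:  sorted (ip, path) pairs where a CGI path not listed in
                known_scripts (hypothetical allow-list) was answered with 200.
    """
    notice_ips = defaultdict(set)
    soft_404s = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or not in combined format
        parts = m["req"].split()  # malformed requests may lack a path
        path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
        for email in EMAIL_RE.findall(m["agent"]):
            notice_ips[m["ip"]].add(email)
        if CGI_RE.match(path) and m["status"] == "200" and path not in known_scripts:
            soft_404s.add((m["ip"], path))
    return dict(notice_ips), sorted(soft_404s)

if __name__ == "__main__":
    ips, soft = analyze(SAMPLE_LOG, known_scripts={"/cgi-bin/contact.cgi"})
    print("self-identifying scanners:", ips)
    print("CGI probes answered 200:", soft)
```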
