
Viewing my access logs for the last few days, I have seen high-speed bursts of access attempts on one web resource per day. For example, yesterday it was an image, today it is a PHP document.

Today's burst lasted about twenty seconds totaling 106 requests. Nearly all accesses show the same transfer size (because it's the exact same resource they're hitting) but what worries me is toward the end of the access burst, the transfer size is slightly higher for one access, then the next is nearly twice the transfer size, then goes back to normal.

Log excerpt:

175.xx.xx.x - - [15/Oct/2024:17:05:33 -0700] "GET /business/contact.php HTTP/1.1" 200 5291
175.xx.xx.x - - [15/Oct/2024:17:05:33 -0700] "GET /business/contact.php HTTP/1.1" 200 5291
175.xx.xx.x - - [15/Oct/2024:17:05:33 -0700] "GET /business/contact.php HTTP/1.1" 200 5291
175.xx.xx.x - - [15/Oct/2024:17:05:33 -0700] "GET /business/contact.php HTTP/1.1" 200 5310   <<< larger than normal
175.xx.xx.x - - [15/Oct/2024:17:05:34 -0700] "GET /business/contact.php HTTP/1.1" 200 10481  <<< very large
175.xx.xx.x - - [15/Oct/2024:17:05:34 -0700] "GET /business/contact.php HTTP/1.1" 200 5291   <<< back to normal
175.xx.xx.x - - [15/Oct/2024:17:05:34 -0700] "GET /business/contact.php HTTP/1.1" 200 5291
175.xx.xx.x - - [15/Oct/2024:17:05:35 -0700] "GET /business/contact.php HTTP/1.1" 200 5291

Because Apache is showing different sizes toward the end of these access bursts, does this mean a bug or vulnerability is being exploited?
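The pattern in the question (one client hammering one path, with a couple of responses whose byte count differs from the rest) is easy to pull out of an access log mechanically. The script below is an added example, not code from the asker or from any answer on this page. It parses Apache common/combined log lines, groups hits by client IP and path, clusters them into bursts by inter-request gap, and flags responses whose logged size deviates from the modal size for that burst. The log lines it runs on are constructed to mirror the excerpt above (documentation IP addresses, not the real client); the thresholds of 20 requests and a 5-second gap are assumptions to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common/combined log format: host ident authuser [date] "request" status bytes ...
# Trailing referer/user-agent fields (combined format) are tolerated and ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)(?:\s.*)?$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),   # "-" means no body was sent
    }


def find_bursts(entries, min_requests=20, max_gap_seconds=5):
    """Group hits by (client IP, path) and split each group into clusters of
    requests separated by at most max_gap_seconds; a cluster of at least
    min_requests hits is reported as a burst."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["ip"], e["path"])].append(e)
    bursts = []
    for key, hits in groups.items():
        hits.sort(key=lambda e: e["ts"])
        cluster = [hits[0]]
        for prev, cur in zip(hits, hits[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() <= max_gap_seconds:
                cluster.append(cur)
                continue
            if len(cluster) >= min_requests:
                bursts.append((key, cluster))
            cluster = [cur]
        if len(cluster) >= min_requests:
            bursts.append((key, cluster))
    return bursts


def size_outliers(hits, tolerance=0.0):
    """Repeated hits on one unchanging resource should all log the same byte
    count. Return the hits whose size differs from the modal size by more than
    tolerance (a fraction of the modal size; 0.0 flags any deviation)."""
    mode, _ = Counter(e["size"] for e in hits).most_common(1)[0]
    return [e for e in hits if abs(e["size"] - mode) > tolerance * mode]


def analyse(lines, min_requests=20, max_gap_seconds=5):
    """Parse raw log lines and describe each burst plus its size outliers."""
    entries = [e for e in map(parse_line, lines) if e]
    report = []
    for (ip, path), hits in find_bursts(entries, min_requests, max_gap_seconds):
        span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds()
        report.append({
            "ip": ip,
            "path": path,
            "requests": len(hits),
            "seconds": span,
            "outlier_sizes": [e["size"] for e in size_outliers(hits)],
        })
    return report


# Constructed sample input modelled on the excerpt in the question: 25 hits in
# three seconds from one client on one PHP page, two of them a different size,
# plus two unrelated hits from another client. Not real log data.
SAMPLE_LOG = [
    f'203.0.113.5 - - [15/Oct/2024:17:05:{33 + i // 10:02d} -0700] '
    f'"GET /business/contact.php HTTP/1.1" 200 {size}'
    for i, size in enumerate([5291] * 20 + [5310, 10481] + [5291] * 3)
] + [
    '198.51.100.7 - - [15/Oct/2024:17:05:34 -0700] "GET /index.html HTTP/1.1" 200 1874',
    '198.51.100.7 - - [15/Oct/2024:17:07:10 -0700] "GET /favicon.ico HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for burst in analyse(SAMPLE_LOG):
        print(burst)
```

Run it against a real log with `analyse(open("/var/log/apache2/access.log").readlines())`. Note what the size column can and cannot tell you: for a static file a different byte count means a different response was sent, but for a PHP page the body is generated per request, so a larger response may simply be a different code path (an error message, a session-dependent block) rather than anything hostile. The size outliers tell you which requests to look at more closely, not whether an exploit succeeded; for that you need the response bodies, which the access log does not keep.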

  • This can be dangerous, or it can not, but in any case it's very unlikely it's an exploit specifically for Apache. Much more likely, if it's something nasty, it's directed against the PHP application itself, as this field has proved itself very vulnerable to all kinds of injections and other attacks. Try to capture these responses to see what's different from a "normal" one (for example, you can add a "hook" into the PHP file that would save the output into some file if it differs in size from the "normal" one). Also, there was no point hiding IPs. Is it yours? Can publication do any harm to you? No? Don't alter it. Commented Oct 16, 2024 at 5:04
  • @NikitaKipriyanov Thanks for your advice. While 'hooking' the PHP files would be interesting, this is also happening with images, text files, etc. No, the IP address is not mine, but I didn't want to be scolded by users for showing someone else's IP address. Thanks again! Commented Oct 16, 2024 at 15:29
  • 1
    Well, maybe, when you get some idea on to what happens to PHP output, you might have the further idea of how to find out what could happen when it serves images. FYI, 20 years ago there was a quite popular attack vector on mod_php-enabled Apache servers, PHP itself was called via SetHandler and the the decision to call it was performed based on MIME type of the requested resource, which in turn was influenced not only by the last "extension" but by any, so a file image.php.jpg could contain a PHP script (in a JPEG comment, or not be an image at all) which was interpreted. Commented Oct 17, 2024 at 4:58
  • You could also use SELinux, it's another wall of defense. SELinux works best on RPM-based Linux, like from SUSE and Red Hat. Commented Oct 20, 2024 at 1:19
