Incoming from China :((


Hi:

    Enviro:  I run Apache 2.10 on an older Dell Win XP3 machine. (and I run
three very low traffic websites on this Dell machine)
                My CGI app (I guess you could call it a script) in all three
of my sites is a C-based executable.

    Problem:

    Lately I've been getting a whole series of entries in my Apache
Access.log file that are like the following:

    1.202.218.8 - - [19/Feb/2012:04:27:17 -0700] "GET / HTTP/1.0" 200 963057
"-" "\"Mozilla/5.0"

    These come flying in one after the other separated by a second or so.

    I can't track down *what* these are, and I don't understand what is
being asked for by this entry, and further what would be the point.

    btw, this morning I entered  Deny From 1.202.  in my httpd.conf file,
and since then my Apache server has been '403'ing these requests.

    But, would somebody help me understand what these http requests are all
about, and what does it gain for the hidden client please ?

    Also, there is a size of 963057 bytes that is apparently associated with
'some' file somewhere in my system ???

Thank you !

--
Mel Smith




Re: Incoming from China :((



First, these are just GET requests like any other.  Unless I've missed
something obvious, there's nothing odd about them.  The browser "ident"
string is peculiar (because it contains a quote mark), but since it's
arbitrary and often user-generated, I am never surprised by what I find
there.

Second, I'd give up on asking what the point is.  Sometimes it's
obvious, but there's a lot of odd software out there GETting URLs at
random, and even more odd people doing the same.  If you are lucky,
someone might recognise some trait as being the "so and so bot" but the
chances are you'll never know.


Yes.  Your server is replying "success" (that's the 200 in case you don't
know) and sending 963057 bytes.  What does your browser send?  The URL
is http://your.servers.name/

Depending on how your server is configured, the 963057 bytes could be
anything from a genuine resource (like a real HTML page) to something
generated by Apache itself (like a directory listing).

--
Ben.

Re: Incoming from China :((

Ben said:


    Yes, I have three active websites. They all look for one of the web site
names e.g., ww2.xxxxxxxx.com:nnnn  but this request asked for 'nothing', so
somehow my Apache server answers the request with 963,057 bytes.  I guess
I'll have to look and see what is that exact length :))




Thank you Ben for the explanation !

-Mel



Re: Incoming from China :((



Am I missing something?  The request is for "/" not "nothing".  Why don't
you just issue the request yourself and see what you get?


I think you missed a key part!  Rather than hoping to find a document
with that size, just make the request you are seeing (I gave you the
pattern to use for the URL -- I don't obviously know the actual URL) and
you'll get whatever your mystery visitors are getting.

--
Ben.

Re: Incoming from China :((



Ben:

    O.K., I'll give it a try today !

Thanks,

-Mel



Re: Incoming from China :((


To which the server will respond with the default document - index.htm,
index.html, default.htm, default.html etc. depending on how Apache has been
set up. If it's badly set up then it might even return a directory listing.

BTW, in case my comment implies otherwise, the advice "issue the request
yourself and see what you get" is good.
--
 Brian Cryer
 http://www.cryer.co.uk/brian


Re: Incoming from China :((



I said something similar myself (now snipped) but I was deliberately
more vague since pretty much anything could, at least in theory, be
happening.  I suppose it's unlikely, but I did not want to limit the
OP's consideration to just default documents and directory listings.

<snip>
--
Ben.

Re: Incoming from China :((

Hi Brian & Ben:

    I've tried a couple of variations of issuing the Get Request myself, but
can't seem to get anything to work.

    I'm capable of reading the response by Apache, but don't know how to
issue the request :((


    Could one of you re-construct the actual GET request from the following
based on my router address being nn.n.nn.nnn

    1.202.218.8 - - [19/Feb/2012:04:27:17 -0700] "GET / HTTP/1.0" 200 963057
"-" "\"Mozilla/5.0"


Thank you

-Mel



Re: Incoming from China :((



I was going to say that it's not possible, because all requests for all
virtual hosts end up logged in the same file.  Then I noticed that the
protocol is version 1.0.  HTTP 1.0 does not support virtual hosts.  This
may well be why you are not seeing what the mystery visitor is seeing.
I think the best bet is to use the IP address of the server so that the
virtual host mechanism is less likely to get in the way.  I.e. if the
server is 1.2.3.4 ask for http://1.2.3.4/ (note trailing slash).

You can't tell from the log file what port or ports the server is
listening on, so you may have to try http://1.2.3.4:xxx/ for one or more
xxx (only you know the port numbers).

One reliable way to generate HTTP 1.0 requests is simply to type them at
your server.  For example:

$ telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET / HTTP/1.0
User-Agent: "Mozilla/5.0

HTTP/1.1 200 OK
Date: Mon, 20 Feb 2012 19:53:13 GMT
Server: Apache/2.2.20 (Ubuntu)
Last-Modified: Sun, 11 Apr 2010 16:11:17 GMT
ETag: "71cb6-b1-483f8473ab340"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1>
...

and so on.  I typed the two lines:

GET / HTTP/1.0
User-Agent: "Mozilla/5.0

and a blank line.  I've included the User-Agent string because it's
possible to configure websites to behave differently depending on this
string.  Maybe you did not set up the server, so I'm covering lots of
bases.

Alternatively, give me the addresses, domain names, and ports of all the
servers and I'll see if I can get the document.  You can mail me if you
don't want to publish the addresses and ports.

--
Ben.
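Ben's telnet transcript above shows the raw exchange typed by hand. What follows is an added example (the editor's code, not Ben's or Mel's) that does the same job programmatically: it parses access-log entries in the format quoted in this thread, flags the "one after the other" bursts per source address, rebuilds the logged request as an HTTP/1.0 request with no Host header and the same odd User-Agent string, and can replay it against a server so the body length can be compared with the %b field of the log line. The log lines embedded below are constructed for the example (they copy the single entry quoted in the post and add an ordinary visitor plus a later 403 after a Deny rule); the host and port passed to replay_request() are placeholders, since the thread never gives them.

```python
"""Replay an Apache access-log entry the way the logged client sent it.

Added example (not code from the thread). The log lines below are constructed
to mirror the entry quoted in the post; the host/port given to replay_request()
are placeholders for the reader's own server.
"""
import re
import socket
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The User-Agent group tolerates the backslash-escaped quote seen in the post
# ("\"Mozilla/5.0"): Apache writes a literal quote inside a logged field as \".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample: a three-hit burst from one address, an ordinary visitor,
# and a later hit after a "Deny from" rule starts answering 403.
SAMPLE_LOG = """\
1.202.218.8 - - [19/Feb/2012:04:27:17 -0700] "GET / HTTP/1.0" 200 963057 "-" "\\"Mozilla/5.0"
1.202.218.8 - - [19/Feb/2012:04:27:18 -0700] "GET / HTTP/1.0" 200 963057 "-" "\\"Mozilla/5.0"
1.202.218.8 - - [19/Feb/2012:04:27:20 -0700] "GET / HTTP/1.0" 200 963057 "-" "\\"Mozilla/5.0"
192.0.2.10 - - [19/Feb/2012:04:40:02 -0700] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 5.1)"
1.202.218.8 - - [19/Feb/2012:09:12:44 -0700] "GET / HTTP/1.0" 403 202 "-" "\\"Mozilla/5.0"
"""


def parse_log(text):
    """Return one dict per well-formed line; a %b of "-" is treated as 0 bytes."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        # undo Apache's backslash escaping of quotes/backslashes in the UA field
        e["ua"] = re.sub(r"\\(.)", r"\1", e["ua"])
        entries.append(e)
    return entries


def _summary(ip, run):
    return {"ip": ip, "hits": len(run), "bytes": sum(e["size"] for e in run),
            "first": run[0]["ts"], "last": run[-1]["ts"]}


def find_bursts(entries, max_gap=timedelta(seconds=2), min_hits=3):
    """Runs of hits from one IP spaced at most max_gap apart ("one after the other")."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    bursts = []
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["ts"])
        run = [hits[0]]
        for prev, cur in zip(hits, hits[1:]):
            if cur["ts"] - prev["ts"] <= max_gap:
                run.append(cur)
                continue
            if len(run) >= min_hits:
                bursts.append(_summary(ip, run))
            run = [cur]
        if len(run) >= min_hits:
            bursts.append(_summary(ip, run))
    return bursts


def build_request(entry):
    """Rebuild the request as the client sent it: HTTP/1.0 and, crucially, no Host
    header, so a name-based Apache answers from its first (default) virtual host."""
    head = f'{entry["method"]} {entry["path"]} {entry["proto"]}'
    return f'{head}\r\nUser-Agent: {entry["ua"]}\r\n\r\n'.encode("latin-1")


def split_response(raw):
    """Split a raw HTTP response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body


def replay_request(host, port, entry, timeout=10.0):
    """Send the rebuilt request and read to EOF (the server closes an HTTP/1.0 reply).
    Compare len(body) with entry["size"]: %b counts body bytes only, never headers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(entry))
        chunks = []
        while chunk := s.recv(65536):
            chunks.append(chunk)
    return split_response(b"".join(chunks))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for b in find_bursts(entries):
        print(f'{b["ip"]}: {b["hits"]} hits, {b["bytes"]} bytes, {b["first"]} .. {b["last"]}')
    # Against your own server (placeholder address and port), e.g.:
    # status, headers, body = replay_request("127.0.0.1", 80, entries[0])
    # print(status, headers.get("content-length"), len(body), "logged:", entries[0]["size"])
```

Run it as a script to get the burst summary; to see what the visitor actually received, uncomment the replay_request call with the server's real address and port. Apache's %b is the body size alone, so if len(body) equals the logged 963057 the returned document (or CGI output) is the one in question; a mismatch points at a different default virtual host on that port, content negotiation, or User-Agent-dependent behaviour, which is why the rebuilt request carries the peculiar User-Agent string verbatim rather than a normal one.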

Re: Incoming from China :((

Ben said:


Ben:

    Thanks. I'll test later on today, and let you know the results (wife
wants to drage me away from my machine for awhile ...)

-Mel



Re: Incoming from China :((

Hi Ben:

    I'll send you my personal router IP Address and Port Number in a few
minutes.

    I tried the telnet command from the Windows Command Prompt on my server
(sitting beside me -- an older Dell Win XP machine).  Telnet errored on No
Port 23

    Anyway, I tried from my development machine on my IE7 browser address
bar the command:

            http://nn.n.nn.nnn:nnnn and was rewarded with the 1st page of
my main active site   (although I have three sites -- not so active). My log
shows pics, etc that were also sent in the response.

Anyway, I'll send you personal stuff in a few minutes

Thanks,

-Mel





Re: Incoming from China :((

On 2/20/2012 7:14 PM, Mel Smith wrote:

As Ben said, you must give it a port number also (probably 80).  23 is
the default telnet port, and there isn't a telnet daemon running on your
server.

If the client doesn't supply a host name, Apache responds with the first
virtual host in its httpd.conf file.

P.S. When replying, please quote the appropriate comments you are
replying to.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Incoming from China :((



Got it, thanks.  Nothing interesting though.  I just get what looks like
your "main page".


You need to set the port number to connect to.  23 is the default telnet
port.


I am sure that's what I'm seeing.  It was worth a try, but I can't
explain the size of the resource being returned that shows up in your
logs.  Is there anything odd about the configuration of your server?

You mention "main site" and "other sites".  Are they all served from the
same machine?  Do the logs for all of them end up in the same log file?

--
Ben.

Re: Incoming from China :((


    Yes, very simplistic:   One Apache Server residing on an older Dell Win
XP (sp3) machine, one router to it with a specified IP and a specified
obscure port,  and four 'Server Alias' sites defined in the httpd.conf with
the last line of each of them like:

                DirectoryIndex xxxinit.exe index.html   (each of the Server
Alias sections has this)

Ben noted last night that he had traced the file delivered down to one of the
sites.

    What I don't understand is why I should deliver *anything* to this
client and why it has to be this nearly 1 meg file besides ?!

    Also, how does this client in Beijing, China visit my site with no site
name, no port number, and yet force me to serve a big file to him/her ?

    What can I do to give him *nothing* ?

Thanks all !


-Mel Smith
(and now to prepare to watch the four Republican Presidential Candidate
'clowns' come to my city in Arizona (Mesa) and embarrass us all with their
far-right rants). I will be driving by the debate venue on my way to golf
tomorrow).



Re: Incoming from China :((

On 2/21/2012 11:07 AM, Mel Smith wrote:

Please see my previous post.  If the client does not supply a host name,
Apache defaults to the first virtual host in your httpd.conf file.  It
is serving the default page from that host.

If you don't want that, just supply a new virtual host (as the first one
in your httpd.conf file) and deny all access.

But really - are you THAT concerned about serving up one page?

And BTW - why would you have an almost 1M page as your landing page, anyway?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
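The fix Jerry describes, as an added configuration sketch by the editor (not Jerry's text and not the OP's httpd.conf): the first <VirtualHost> for an address:port is the one Apache uses when a request arrives with no Host header, as every HTTP/1.0 request does, or with a name it does not recognise, so making that first entry a catch-all with an empty document root and "Deny from all" turns the nearly 1 MB landing page into a few-hundred-byte 403. It uses Apache 2.2 access-control syntax (Order / Allow / Deny), matching the "Deny From" directive the OP already applied; on Apache 2.4 each Order/Allow/Deny group becomes Require all denied, Require all granted, or a <RequireAll> block containing Require not ip 1.202.0.0/16. The port, host names and paths are placeholders because the thread gives none of them. Options -Indexes rules out the directory-listing case Brian raised, and the per-site CustomLog lines answer Ben's question about all sites sharing one log file.

```apache
# Added example in Apache 2.2 syntax. Port, host names and paths are placeholders.
# Apache does not allow trailing comments on directive lines, so all notes are on
# their own lines.
Listen 8080
NameVirtualHost *:8080

# 1. Catch-all. The FIRST <VirtualHost> for an address:port is what Apache
#    serves when the request has no Host header (HTTP/1.0) or an unknown one.
#    Empty DocumentRoot plus "Deny from all" means a short 403, not the real
#    landing page. Deliberately no ScriptAlias, so the CGI executables are
#    not reachable through this host.
<VirtualHost *:8080>
    ServerName default.invalid
    DocumentRoot "C:/Apache2/htdocs-empty"
    <Directory "C:/Apache2/htdocs-empty">
        Options -Indexes
        Order deny,allow
        Deny from all
    </Directory>
    CustomLog "logs/default-access.log" combined
</VirtualHost>

# 2. A real site, selected only when the client sends one of its names.
#    "Deny from 1.202.0.0/16" is the CIDR form of the OP's "Deny From 1.202.".
<VirtualHost *:8080>
    ServerName ww2.example.com
    ServerAlias example.com www.example.com
    DocumentRoot "C:/sites/example/htdocs"
    ScriptAlias /cgi-bin/ "C:/sites/example/cgi-bin/"
    <Directory "C:/sites/example/htdocs">
        Options -Indexes
        Order allow,deny
        Allow from all
        Deny from 1.202.0.0/16
    </Directory>
    <Directory "C:/sites/example/cgi-bin">
        Options ExecCGI -Indexes
        Order allow,deny
        Allow from all
        Deny from 1.202.0.0/16
    </Directory>
    CustomLog "logs/example-access.log" combined
</VirtualHost>

# 3. Further sites follow the same pattern; their order after the catch-all
#    does not matter, only that the catch-all comes first for this port.
```

After a restart, a plain "GET / HTTP/1.0" with no Host header should be logged in default-access.log with a 403 and a body of a few hundred bytes, while requests that carry a real ServerName or ServerAlias are unaffected; anything that still lands in default-access.log is a client that never named one of your sites.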

Re: Incoming from China :((

Jerry said:


    Good point !
    I'm just pissed off that I use my upload time always sending nearly one
meg to those guy(s) in Beijing !


    I don't carry 'pages' in my Apache cgi-bin sub-dir.   I hold very big
C-based executables, all at approx 1.1 megabytes. It is these .exe's that
access, and send pages to clients. And the actual template/pages, are far
removed from the cgi-bin sub-dirs

    *Except*, in an obscure sub-dir (... cgi-bin\xbscript\ ) I have an old
unused file called xbscript.cab which has 'about' the same size --- approx
953K). It's been there for approx four years and never used.  (It was
*supposed to be* a replacement for JScript/ECMAscript, etc, but, of course,
never got anywhere)

    I just deleted it, and we'll see what happens.


Thanks,

-Mel



Re: Incoming from China :((

On Tue, 21 Feb 2012 11:13:33 -0700, Mel Smith wrote in
alt.www.webmaster:


Block the whole country in your firewall ;)
You get much business from there anyway?

--
idle
I refuse to let common sense cloud my judgment.

Re: Incoming from China :((

On 2/21/2012 1:13 PM, Mel Smith wrote:

You have pages on your site.  Whether they are static or created
dynamically is immaterial to the client.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Incoming from China :((



I don't follow.  The page that's being served is a proper page.
Presumably it's there because you want at least some people to see it!


Your best bet is to block IP addresses or ranges.

<snip>
--
Ben.

Re: Incoming from China :((

Ben:

    I've blocked that particular address a couple of days ago -- as I
mentioned in a previous post.

    I just didn't like doing it without knowing what was going on.

    btw, I certainly *do* have pages/template/forms on my server. *But* they
do not reside in the Apache tree sub-dir.  The executables pick them up from
far different directories, fix/edit/build them, and then pass them to Apache
for delivery to the client.

Anyway, thanks to y'all for your suggestions, and for you Ben for working
late at it !

So, Let's leave it simmer for awhile, and thanks again !

-Mel


