Find domain on access_logs in Apache
I am in charge of a server that is receiving strange requests for a file that doesn't exist and never existed, and I am trying to find which account they are coming from (CentOS + Plesk).
The logs look like this:
65.52.129.119 - [09/Jul/2015:16:30:35 +0100] "GET /FPURL.xml HTTP/1.1" 262ms 404 272 "-" "-"
65.52.129.119 - [09/Jul/2015:16:30:35 +0100] "GET /FPURL.xml HTTP/1.1" 263ms 404 275 "-" "-"
As you can see, someone tries to access the file FPURL.xml, but the log doesn't say the domain or account.
Is there a way to find where it is coming from?
I have already checked the Apache documentation, but the only directives I have seen are %h, which is not recommended, and %U, which gives me /FPURL.xml.
You want to configure Apache to log the "canonical ServerName of the server serving the request" using the %v log directive. I configure my Apache log format as:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v" combinedserver
CustomLog /var/log/apache/access_log_virtual_hosts combinedserver
Reference: httpd.apache.org/docs/2.2/mod/mod_log_config.html
This, at first blush, looks like a Microsoft Hosting customer is trying to access a SharePoint file. It can be a simple on-line data collection effort or possibly a malware-compromised computer seeking vulnerabilities. It can go either way. There is very little information on this pattern yet to tell. It appears there may be malware that searches for this file; however, I could not find anything solid quickly. It appears to also be a common file for SharePoint, and a request of this type may not be uncommon. I do not know SharePoint enough to comment, nor am I aware of a particular vulnerability. The NVD database does not reference anything. It could be very new or nothing at all.
It is not anything I would worry too much about.
If you have SharePoint, then make sure it is up to date and secure. If not, do not worry about it: let it 404. If it is a pain, then you can block it.
Assuming Apache:
RewriteRule ^/?FPURL.xml$ - [F,L]
This likely was addressed to the server using an IP address or a domain name not defined within the server configuration files. Some Apache installs have a catch-all site enabled immediately upon install. When the request does not match a defined domain name, the catch-all site handles the request. The catch-all site uses the default log file, usually found in something like /var/log/apache2/access_log, though it does not have to match this exactly; it all depends on the install package. This is likely what is happening. Still, nothing to worry about.
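Putting the two answers together: once the %v field from the first answer is in the log, a small script can say which vhost served each request for the odd path, and which requests fell through to the catch-all site described in the second answer. The following is an added example, not code from either poster or from Plesk; the sample log lines, the hostnames and the CONFIGURED_VHOSTS set are constructed for illustration, and "_default_" is a hypothetical ServerName for the catch-all vhost.

```python
import re
from collections import Counter

# Regex for the "combinedserver" LogFormat from the first answer:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %v
# The trailing %v field is the canonical ServerName of the vhost that served the request.
COMBINEDSERVER_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<vhost>\S+)$'
)

# Constructed sample log lines (not from the original post). Hostnames are
# hypothetical; "_default_" stands in for the catch-all vhost's ServerName.
SAMPLE_LOG = """\
65.52.129.119 - - [09/Jul/2015:16:30:35 +0100] "GET /FPURL.xml HTTP/1.1" 404 272 "-" "-" shop.example.test
65.52.129.119 - - [09/Jul/2015:16:30:35 +0100] "GET /FPURL.xml HTTP/1.1" 404 275 "-" "-" _default_
198.51.100.7 - - [09/Jul/2015:16:31:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" blog.example.test
203.0.113.9 - - [09/Jul/2015:16:32:10 +0100] "GET /FPURL.xml HTTP/1.1" 404 272 "-" "-" _default_
"""

# Hypothetical set of ServerNames actually configured on the box; anything
# else in the %v column was handled by the catch-all site.
CONFIGURED_VHOSTS = {"shop.example.test", "blog.example.test"}


def parse_line(line):
    """Parse one combinedserver line into a dict, or return None when the line
    does not match (for example a line written before %v was added, like the
    ones in the question, which carry no vhost at all)."""
    m = COMBINEDSERVER_RE.match(line)
    return m.groupdict() if m else None


def vhosts_for_path(log_text, path):
    """Count, per vhost, how many requests asked for `path`.
    This answers the original question: which site/account the requests hit."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["path"] == path:
            counts[rec["vhost"]] += 1
    return counts


def catchall_requests(log_text, configured):
    """Return (client, path) pairs served by a vhost that is not in `configured`,
    i.e. requests that fell through to the catch-all site."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["vhost"] not in configured:
            hits.append((rec["host"], rec["path"]))
    return hits


if __name__ == "__main__":
    print(vhosts_for_path(SAMPLE_LOG, "/FPURL.xml"))
    print(catchall_requests(SAMPLE_LOG, CONFIGURED_VHOSTS))
```

Lines in the question's current format (no %l/%u columns and no trailing %v) are rejected by parse_line rather than mis-attributed to a vhost, which is the point: until the LogFormat carries %v, the account simply is not recoverable from the access log.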