
What are these events (from Proxy access logs)?

    #1  STOIE, 09-16-2016

Hi all,

I'm trying to identify what this is in my proxy access logs:


Code:
POST http://123.123.123.123/open/1

Followed by thousands of:


Code:
POST http://123.123.123.123/IVmYwvJKhJFesFjK/1001
POST http://123.123.123.123/IVmYwvJKhJFesFjK/1002
POST http://123.123.123.123/IVmYwvJKhJFesFjK/1003

Obviously the actual IP is omitted (pub internet address).

Your help would make my day!

Thanks all
    #2  bashomatic, 1 Week Ago
Correct me if I'm wrong but I'm thinking that those URLs do not contain the IP addresses of hosts accessing your proxy, but rather they are outbound POST requests FROM your 'clients' TO remote destinations.


This portion of the 2nd type URL you provided is typical of a 'folder' with a randomly generated name.

Code:
/IVmYwvJKhJFesFjK/

Folders like that are often used for legit purposes but those URLs also resemble a Slowloris attack. In that sort of scenario, the path and resource are arbitrary and likely don't exist. The objective is to flood the server with a bunch of requests that won't time out, because the very end of the request header is crafted so it is purposely missing the full 0d 0a 0d 0a that the server expects.

Not really enough evidence to determine from your post.

EDIT: My first post on this forum and unfortunately, I NECROed. Sorry all.....

Last edited by bashomatic; 1 Week Ago at 05:14 PM. Reason: Apologized for thread necro.
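Added example (not code from the thread or from any poster): one way to find which internal client is sending the pattern in the first post, by grouping POSTs to a bare-IP destination and flagging path prefixes whose last segment counts up by one. It assumes Squid's native access.log field order, which the thread does not confirm; the client addresses and log lines are constructed, and `find_counter_posts` is a hypothetical name.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines. Field order follows Squid's native access.log
# (time elapsed client code/status bytes method URL user peer type); that the
# poster's proxy is Squid is an assumption. Client addresses are made up.
SAMPLE_LOG = """\
1474000000.100 210 10.0.0.23 TCP_MISS/200 412 POST http://123.123.123.123/open/1 - HIER_DIRECT/123.123.123.123 text/plain
1474000001.200 180 10.0.0.23 TCP_MISS/200 390 POST http://123.123.123.123/IVmYwvJKhJFesFjK/1001 - HIER_DIRECT/123.123.123.123 text/plain
1474000001.500 95 10.0.0.40 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1474000001.700 175 10.0.0.23 TCP_MISS/200 390 POST http://123.123.123.123/IVmYwvJKhJFesFjK/1002 - HIER_DIRECT/123.123.123.123 text/plain
1474000002.100 120 10.0.0.40 TCP_MISS/200 300 POST http://www.example.com/api/1 - HIER_DIRECT/192.0.2.10 application/json
1474000002.300 178 10.0.0.23 TCP_MISS/200 390 POST http://123.123.123.123/IVmYwvJKhJFesFjK/1003 - HIER_DIRECT/123.123.123.123 text/plain
1474000002.900 181 10.0.0.23 TCP_MISS/200 390 POST http://123.123.123.123/IVmYwvJKhJFesFjK/1004 - HIER_DIRECT/123.123.123.123 text/plain
"""

def find_counter_posts(log_text, min_run=3):
    """Map (client, dest_ip, path_prefix) -> counters seen, for POSTs to a
    literal-IP host whose final path segment increments by 1 at least
    min_run times in a row."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "POST":
            continue
        client, parts = fields[2], urlsplit(fields[6])
        try:
            ipaddress.ip_address(parts.hostname or "")  # hostnames are skipped
        except ValueError:
            continue
        prefix, _, last = parts.path.rpartition("/")
        if last.isdigit():
            groups[(client, parts.hostname, prefix)].append(int(last))
    hits = {}
    for key, nums in groups.items():
        run = longest = 1
        for prev, cur in zip(nums, nums[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            hits[key] = nums
    return hits

if __name__ == "__main__":
    for (client, dest, prefix), nums in find_counter_posts(SAMPLE_LOG).items():
        print(f"{client} -> {dest}{prefix}/ counters {nums[0]}..{nums[-1]} ({len(nums)} POSTs)")
```

The client address it reports is the internal host to examine; the log lines alone do not say what software on that host is making the requests.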
    #3  Corona688 (Forum Staff), 1 Week Ago
This forum closes old threads automatically; that you were able to post in it means it wasn't old enough to be considered a necropost yet.