[_] Apache as a gateway?

Craig Francis craig at craigfrancis.co.uk
Mon May 20 10:34:29 BST 2013

Good morning... just wondering if anyone can shed some light onto a little Apache mystery (probably nothing, but could be interesting from an education point of view).

I've recently been getting lots (262 so far today) of error messages such as:

> [Mon May 20 09:27:52 2013] [error] [client 42.62.37.64] script '/www/live/craig.francis/public/forum.php' not found or unable to stat, referer: http://bbs.langisle.com/forum.php?mod=viewthread&tid=259&extra=page%3D2
> [Mon May 20 09:33:29 2013] [error] [client 42.62.37.64] script '/www/live/craig.francis/public/forum.php' not found or unable to stat, referer: http://bbs.langisle.com/forum.php?mod=forumdisplay&fid=48
> [Mon May 20 09:38:47 2013] [error] [client 42.62.37.64] script '/www/live/craig.francis/public/forum.php' not found or unable to stat, referer: http://bbs.langisle.com/forum.php?mod=forumdisplay&fid=48
> [Mon May 20 09:48:58 2013] [error] [client 42.62.37.64] script '/www/live/craig.francis/public/forum.php' not found or unable to stat, referer: http://bbs.langisle.com/forum.php?mod=forumdisplay&fid=48

The end of week counts being:

> 2013-04-28 = 0
> 2013-05-05 = 4,372
> 2013-05-12 = 4,847
> 2013-05-19 = 2,148


Annoyingly this is appearing in the access logs for the main VirtualHost, so it could be using one of the server's IP addresses.

Having a look at the bbs.langisle.com website (which has just stopped responding to requests), there do not appear to be any references to domains on my server (but there are links with href="forum.php")... and when I visit any of these pages, nothing appears in the access/error logs.

I have noticed that nearly all of the requests come from the same IP address... with one exception once or twice a day from 223.203.200.240, that has exactly the same UA string, and seems to make exactly the same request each time:

> [2013-05-19 15:45:25] "GET /forum.php HTTP/1.0" 404 1916 "http://bbs.langisle.com/forum.php?gid=43" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.2) Firefox/3.5.2"
> [2013-05-20 04:45:45] "GET /forum.php HTTP/1.0" 404 1916 "http://bbs.langisle.com/forum.php?gid=43" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.2) Firefox/3.5.2"


So my suspicion is that perhaps my server is being used as some kind of gateway, although I think the most advanced Apache config is some Rewrite rules on the main VirtualHost (won't list them all here):

> RewriteRule ^/mp3 / [R=301,L]


There is something Oliver mentioned last year, which I don't think is the case (no [P] flag), but I should mention/check anyway...

http://www.under-score.org.uk/pipermail/underscore/2012-May/108431.html

> <VirtualHost *:80>
> 
> 	ServerName craigfrancis.co.uk
> 	ServerAlias *.craigfrancis.co.uk
> 
> 	RewriteEngine on
> 	RewriteRule   ^(.*)  http://www.craigfrancis.co.uk$1  [R=301,L]
> 
> </VirtualHost>


And probably also unrelated (usually these appear just "to wake up processes that are listening for new connections"), but looking at the access logs there have been an increasing number of:

> ::1 - - [2013-05-20 09:48:53] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
> ::1 - - [2013-05-20 09:48:54] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
> ::1 - - [2013-05-20 09:48:55] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
> ::1 - - [2013-05-20 09:48:56] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"

The end of week counts being:

> 2013-02-17 =    673
> 2013-02-24 =    604
> 2013-03-03 =  1,075
> 2013-03-10 =    649
> 2013-03-17 =  1,528
> 2013-03-24 =  1,321
> 2013-03-31 = 18,601
> 2013-04-07 = 16,928
> 2013-04-14 = 15,712
> 2013-04-21 = 19,964
> 2013-04-28 = 20,926
> 2013-05-05 = 20,407
> 2013-05-12 = 19,710
> 2013-05-19 = 23,295


My main suspicion has been a little feature I put on my old/ugly website years ago:

http://www.craigfrancis.co.uk/features/tools/getFile/

But that just prints out the full request (headers/body in html encoded text), and has only been used by a few people in the last few months (probably just me actually, no mention of those two IPs).

So any thoughts?

Craig
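As an added example (not part of Craig's post, and not Apache's or the list's own code), here is a Python script that parses error_log lines of the shape quoted above and tallies them by client IP, referer host and week ending, which is how the per-IP and end-of-week counts in the post can be reproduced from the raw log. The sample lines are the four quoted in the post plus two constructed ones; the week-ending date uses the post's Sunday convention.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache 2.2 error_log line of the shape quoted in the post; "referer:" is optional.
ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"script '(?P<script>[^']+)' not found or unable to stat"
    r"(?:, referer: (?P<referer>\S+))?$"
)

def parse_error_line(line):
    """Parse one 'script not found' error line; return None for any other line."""
    m = ERROR_RE.match(line.strip())
    if not m:
        return None
    ref = m.group("referer")
    return {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "ip": m.group("ip"),
        "script": m.group("script"),
        "referer_host": urlsplit(ref).hostname if ref else None,
    }

def week_ending(when):
    """ISO date of the Sunday that closes the week containing `when` (the post's convention)."""
    return (when + timedelta(days=6 - when.weekday())).date().isoformat()

def summarise(lines):
    """Tally matching lines by client IP, by referer host and by week ending."""
    by_ip, by_ref, by_week = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_error_line, lines)):
        by_ip[rec["ip"]] += 1
        by_ref[rec["referer_host"]] += 1
        by_week[week_ending(rec["time"])] += 1
    return by_ip, by_ref, by_week

# Constructed sample: the four lines quoted in the post, one constructed line for the
# second IP the post mentions, and one unrelated notice line that must be ignored.
SAMPLE_LOG = """\
[Mon May 20 09:27:52 2013] [error] [client 42.62.37.64] script '/www/live/craig.francis/public/forum.php' not found or unable to stat, referer: http://bbs.langisle.com/forum.php?mod=viewthread&tid=259&extra=page%3D2
[Mon May 20 09:33:29 2013] [error] [client 42.62.37.64] script '/www/live/craig.francis/public/forum.php' not found or unable to stat, referer: http://bbs.langisle.com/forum.php?mod=forumdisplay&fid=48
[Mon May 20 09:38:47 2013] [error] [client 42.62.37.64] script '/www/live/craig.francis/public/forum.php' not found or unable to stat, referer: http://bbs.langisle.com/forum.php?mod=forumdisplay&fid=48
[Mon May 20 09:48:58 2013] [error] [client 42.62.37.64] script '/www/live/craig.francis/public/forum.php' not found or unable to stat, referer: http://bbs.langisle.com/forum.php?mod=forumdisplay&fid=48
[Sun May 19 15:45:25 2013] [error] [client 223.203.200.240] script '/www/live/craig.francis/public/forum.php' not found or unable to stat, referer: http://bbs.langisle.com/forum.php?gid=43
[Mon May 20 09:30:00 2013] [notice] caught SIGTERM, shutting down
"""

if __name__ == "__main__":
    print(*summarise(SAMPLE_LOG.splitlines()), sep="\n")
```

Feeding the real error_log through `summarise` instead of `SAMPLE_LOG` gives the same three tallies for the whole file.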