topic Re: webserver sending outbound http request in Operating System - HP-UX

webserver sending outbound http request

Manjeet_1 — Wed, 09 Apr 2003 16:17:35 GMT

My apache webserver is running on hpux 11i with c2 security, bastille and is behind a firewall. The firewall administrator noticed that this server is generating some outbound requests from port 80, at times 10-50 requests per second. These requests are, however, blocked and dropped by firewall. Some IPs that it tries to connect to, are not in access.log.

My apache version is 2.0.43.00.05

What can be the cause of this? Badly written cgi/java script? How can I know what content it is trying to access?

thank you

Re: webserver sending outbound http request

Keith Buck — Thu, 10 Apr 2003 18:46:30 GMT

Do you have any more information about the packets?

Seems your firewall administrator might have access to some logs.

Another possibility is to use ipfilter (get it from software.hp.com) to track the packets coming into and going out.

Are you sure it's 'from port 80' and not 'to port 80'? The latter may be explained by running a web browser...getting lots of 'page not found' errors if the requests are blocked.

I don't know what the real problem is, but maybe some more information would give some clues.

-Keith

Re: webserver sending outbound http request

John Bolene — Thu, 10 Apr 2003 19:16:30 GMT

I would imagine that is input to port 80, not output.

I am still seeing a few code red requests come in on my home cable lan after all these months.

If it really is output, then somehting is really wrong somewhere. If it were a MS machine running IIS, I would suspect a virus.

Tell your firewall admin to turn on tracing and see what is in those request packets.

Re: webserver sending outbound http request

Manjeet_1 — Fri, 11 Apr 2003 15:10:13 GMT

Keith,

I asked my firewall admin; all he has is port information, not content-info. :-(. It seems he can't get me any more info.
yes, I am sure its outgoing packets from port 80 (as seen in firewall log). There are 100's of thousand incoming connections (as seen in my access log).

John,

I also see some code-red and nimda (in bound) connections in my access log. I was told that apache is not prone to these attacks but just day before, I came to know that all apache servers prior to version 2.0.45 have some type of vulnerability (its not made public yet - so that folks can first patch their web servers!)

HP has not yet released its patched version. I am hoping newer version will help stop these outgoing requests!

BTW, HP's Apache version doesn't co-relate to versions on apache.org anymore. Maybe its embedded somewhere in their readme file.

Do you know of any tool which would help me find 'what outbound requests are being generated by my webserver' (what's the content its trying to reach). I know of nettl utility on HP but I also know it generates 'huge' output!

Or is it possible to 'turn off' requests being generated from port 80 ? Seems unlikely but no harm in asking!

thank you both!

Re: webserver sending outbound http request

Steven E. Protter — Mon, 14 Apr 2003 12:55:25 GMT

Sounds like its not apache. If its really outbound, it looks like someone is running a browser. Netscape, lynx perhaps.

Perhaps you have content on your apache webserver that links to outside web sites? A link to oracle trying to download the oracle gif? When the page loads, there are errors, but not necessarily in your log. I'ts just bad content.

It surely could be a bad cgi script.

I would get the IP address(es) from the firewall admin and do some nslookup on them. Then scan your web content for the website.

For example if the site is metalink.com/ora.gif

find /$APACHE_HOME -exec grep -l 'metalink.com' {} ;
Find the offending doc, and the author and whip the author 20 times with a wet noodle.

SEP