robot hammering apache2

My apache2 log is bombarded with lines like:

108.5.114.118 - - [03/Aug/2012:15:23:28 +0200] "GET http://xchecker.net/tmp_proxy2012/http/engine.php HTTP/1.0" 404 1690 "http://xchecker.net/tmp_proxy2012/http/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"

I am puzzled by this -- why is a request for some weird xchecker.net domain ending up on my server in the first place?!

The request comes every few dozen seconds; it must be a robot. Any ideas what it is?

Btw that URL is valid -- apparently it contains some test page...


Solution 1:

Somebody is checking if your server is an open proxy by requesting:
GET http://xchecker.net/tmp_proxy2012/http/engine.php HTTP/1.0

It doesn't look like you are running an open proxy since it responded with a 404.
For more information on this see: http://wiki.apache.org/httpd/ProxyAbuse
Especially the "But how can I be really sure that I am not allowing the abuse of other sites" part.

We can't tell why it continues to try it even after it should be clear that you don't run a proxy.
Maybe that guy's script is broken.
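As an added illustration (not code from this thread), here is a small Python script that scans combined-format Apache log lines for the proxy-style requests described above and reports whether the server refused them (the 404 in the question) or actually relayed them. It also treats CONNECT tunnel requests as probes, which the answer does not mention; every sample line except the question's own is constructed.

```python
import re

# Apache "combined" log format, matching the line quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify(line):
    """Return None for an ordinary request, or a dict for a proxy-style one
    (absolute-URI target or CONNECT).  2xx = relayed ('proxied'); 3xx = 'check'
    (your own redirect, or a relayed one); 4xx/5xx, like the 404 here = 'refused'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group('method'), m.group('target')
    if method == 'CONNECT':
        host = target.split(':')[0]          # "host:443" -> "host"
    elif ABSOLUTE_URI.match(target):
        host = target.split('/', 3)[2]       # "http://host/path" -> "host"
    else:
        return None                          # relative path: not a probe
    status = int(m.group('status'))
    verdict = 'proxied' if status < 300 else 'check' if status < 400 else 'refused'
    return {'ip': m.group('ip'), 'host': host, 'status': status, 'verdict': verdict}

def summarize(lines):
    """Probe count per client IP, plus every probe the server actually relayed."""
    per_client, served = {}, []
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        per_client[rec['ip']] = per_client.get(rec['ip'], 0) + 1
        if rec['verdict'] == 'proxied':
            served.append(rec)
    return per_client, served

# Constructed sample: the first line is the question's own; the rest are made up.
SAMPLE_LOG = [
    '108.5.114.118 - - [03/Aug/2012:15:23:28 +0200] "GET http://xchecker.net/tmp_proxy2012/http/engine.php HTTP/1.0" 404 1690 "http://xchecker.net/tmp_proxy2012/http/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"',
    '203.0.113.7 - - [03/Aug/2012:15:24:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Aug/2012:15:24:30 +0200] "GET http://example.com/ HTTP/1.0" 200 1256 "-" "curl/7.26"',
    '198.51.100.9 - - [03/Aug/2012:15:25:02 +0200] "CONNECT example.com:443 HTTP/1.1" 405 300 "-" "curl/7.26"',
]

if __name__ == '__main__':
    counts, relayed = summarize(SAMPLE_LOG)
    print('probes per client IP:', counts, '\nrelayed (investigate):', relayed)
```

Run it against your real access log with `summarize(open('/var/log/apache2/access.log'))`; anything in the relayed list means the server did act as a proxy for that client.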

Solution 2:

I too keep getting hit by this bot.

I've just added this in my .htaccess:

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} xchecker\.net [NC]
RewriteRule .* - [F]

then in my error logs

[error] [client 91.237.249.35] client denied by server configuration: /var/www/html/proxy2012/http/engine7.php, referer: http://xchecker.net/proxy2012/http/engine7.php

so far so good.

Plus if the attacks are coming in super fast, you might want to think of using mod_evasive

I've sent an email to unlinked.t-n-media.de but they have not responded.

Solution 3:

xchecker.net has the same IP as unlinked.t-n-media.de. So, both of them are pointing to the same server. Do you know you are running a proxy?

If not, I would suggest you shut it down, and rebuild your server.

Check the source; for the request above, it was 108.5.114.118. If they keep bugging you, block them with iptables. If there are a lot of different IPs, you are being hit from a botnet. Not much you can do but take the pages offline.

The page exists for me:


The reverse DNS also doesn't add up:

[bart@dev ~]$ dig xchecker.net

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> xchecker.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15494
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xchecker.net.          IN  A

;; ANSWER SECTION:
xchecker.net.       108 IN  A   193.28.228.90

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug  3 18:14:36 2012
;; MSG SIZE  rcvd: 46

[bart@dev ~]$ dig -x 193.28.228.90

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> -x 193.28.228.90
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 515
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;90.228.28.193.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
90.228.28.193.in-addr.arpa. 2553 IN PTR unlinked.t-n-media.de.

;; Query time: 59 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug  3 18:14:44 2012
;; MSG SIZE  rcvd: 79

If your server is not 193.28.228.90, then someone has your domain name & '193.28.228.90' in their hosts file so it would resolve to you. If you see a lot of different IPs, it's probably a change that was pushed to a lot of infected computers.

My guess would be that the IP of your server was used for some bad purposes in the past.

If you want to stop the 404's, you can put this on top of your vhost configuration:

<VirtualHost _default_:*>
  RedirectMatch permanent ^/?(.*) http://myrealwebsite.com/
</VirtualHost>

This will redirect every unknown vhost to your main site.