Question

I have mod_jk connector between Apache and Tomcat (on Ubuntu) and I'm looking at the mod_jk.log. The log mainly looks like this:

[Fri Jan 18 18:37:32 2013]ajp13 <some url from my domain> 0.011095

But occasionally I see these entries:

[Fri Jan 18 21:09:58 2013]ajp13 www.bradesco.com.br 0.030327
[Fri Jan 18 21:09:58 2013]ajp13 www.bb.com.br 0.009310
[Fri Jan 18 21:09:58 2013]ajp13 www.santander.com.br 0.011401
[Fri Jan 18 21:09:58 2013]ajp13 www.banese.com.br 0.010602

Does anybody know what URLs are logged in mod_jk.log? Are these "br" entries legitimate?

Thanks.


Solution

The issue is not specific to mod_jk in any way; it was just initially observed in the mod_jk logs.

All Brazilian URLs are coming from the Host header property of the GET request. And, as suggested in this comment, this is a scan for open proxies.

Interestingly enough, it comes from the same IP address (65.111.177.188) for many months.

To shut this garbage out I added an extra rule to the mod_security conf file on the server:

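# Deny in phase 1 any request whose Host header value does not contain mydomain (the id is an arbitrary local rule id)
SecRule REQUEST_HEADERS:Host "!@pm mydomain" "id:100001,phase:1,deny"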

so that all hosts without mydomain in them are denied right away.
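
An added example, not part of the original answer: a log check for the pattern described above, which parses mod_jk.log lines in the format shown in the question and counts Host values outside the site's own domain. The domain `mydomain.example` and the sample lines that do not appear in the question are constructed; the match is exact-or-subdomain, which is stricter than a substring test.

```python
import re
from collections import Counter

# mod_jk request-log line in the shape shown in the question:
# [timestamp]worker host seconds
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s*(?P<worker>\S+)\s+(?P<host>\S+)\s+(?P<secs>\d+\.\d+)$"
)

# Assumption: placeholder for the site's own domain(s).
ALLOWED_DOMAINS = ("mydomain.example",)


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True when host equals an allowed domain or is a subdomain of one."""
    h = host.lower()
    if not h.startswith("["):          # leave bracketed IPv6 literals alone
        h = h.split(":", 1)[0]         # drop an optional :port suffix
    h = h.rstrip(".")                  # tolerate a trailing root dot
    return any(h == d or h.endswith("." + d) for d in allowed)


def foreign_hosts(lines, allowed=ALLOWED_DOMAINS):
    """Count Host values in the log that do not belong to the allowed domains."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                   # not a request-log line
        if not host_allowed(m.group("host"), allowed):
            hits[m.group("host").lower()] += 1
    return hits


# Constructed sample: the four entries from the question plus made-up lines.
SAMPLE_LOG = """\
[Fri Jan 18 18:37:32 2013]ajp13 www.mydomain.example 0.011095
[Fri Jan 18 21:09:58 2013]ajp13 www.bradesco.com.br 0.030327
[Fri Jan 18 21:09:58 2013]ajp13 www.bb.com.br 0.009310
[Fri Jan 18 21:09:58 2013]ajp13 www.santander.com.br 0.011401
[Fri Jan 18 21:09:58 2013]ajp13 www.banese.com.br 0.010602
[Fri Jan 18 21:10:02 2013]ajp13 MyDomain.example:80 0.010001
[Fri Jan 18 21:10:05 2013]ajp13 notmydomain.example 0.010002
"""

if __name__ == "__main__":
    for host, count in foreign_hosts(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:4d}  {host}")
```

A host such as `notmydomain.example` contains the allowed name as a substring but is still reported here, because only the domain itself or a dot-separated subdomain is accepted.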

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow