
Essentially I have a webcam set up at home to record movement, and I set up a basic Apache server so that I can externally access the stored videos.

The server is running on my laptop and I have port forwarded the laptop's IP to port 80. I then set up dynamic DNS so that I can access the same domain name regardless of whether my IP changes.

It had been running a day when I checked the access logs and saw some really suspicious activity: http://pastebin.com/a8xSALaJ Sorry for the length, I didn't want to cut out anything subtly important.

My Apache configuration is literally default, with the document root at /var/www/html.

I have 3 questions:

1 - Is there anything malicious in the logs/what was the attacker trying to do? (There is one very suspicious log at line 152.)

access.log:1203:74.217.28.153 - - [19/Feb/2016:05:36:48 +0000] "GET http://pastebin.com/raw.php?i=GNsjKYy5 HTTP/1.1" 404 442 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

2 - How can I prevent this type of attack in the future?

3 - How on earth did this person find my IP at all? I certainly didn't publicize it...

As you can tell my networking knowledge is fairly basic but I would really like to learn more, so any information would be greatly appreciated!

UPDATE

Since posting this I noticed something particularly concerning -- not sure if this is related. I tried to run apache2 --version:

apache2 --version
[Sat Feb 20 18:24:19.273672 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_LOCK_DIR} is not defined
[Sat Feb 20 18:24:19.273756 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_PID_FILE} is not defined
[Sat Feb 20 18:24:19.273778 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_RUN_USER} is not defined
[Sat Feb 20 18:24:19.273796 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_RUN_GROUP} is not defined
[Sat Feb 20 18:24:19.273826 2016] [core:warn] [pid 4942] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Sat Feb 20 18:24:19.276425 2016] [core:warn] [pid 4942:tid 139799541426048] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Sat Feb 20 18:24:19.276615 2016] [core:warn] [pid 4942:tid 139799541426048] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Sat Feb 20 18:24:19.276641 2016] [core:warn] [pid 4942:tid 139799541426048] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00526: Syntax error on line 74 of /etc/apache2/apache2.conf:
Invalid Mutex directory in argument file:${APACHE_LOCK_DIR}

1 Answer

The answer to your first question is that it is hard to say what kind of "attack" is occurring or what the attacker is trying to accomplish.

If you look at the entry, the log is showing you that something is simply requesting a web page. If you go to that web page it contains the text string formyproxycheckerandyquezhasabigdick.

If we Google the URL that is being requested by your server we find a number of web sites that report seeing this URL being requested.

It appears this is used to scrape and filter proxies.

http://pastebin.com/Qhb1eWXU
http://urlquery.net/report.php?id=1453470052748

I would seek assistance finding and removing any malware on that computer.

Now for your second question, it looks like those log entries are related to running Apache directly. When you want to start Apache try using the command below.

sudo service apache2 start

Apache2 config variable is not defined

You asked how someone could have found your equipment. To be honest, if you have ports open on your gateway device someone will probably find it. If you have never heard of Shodan, you should Google it so you understand what is happening and how it can affect you.

Never open ports unless you need to, always block port scans, and never leave default passwords on any device you connect to the Internet.

user5870571
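The log entry quoted in the question is consistent with the open-proxy probing the answer describes: the request line carries a full URL instead of a path, which is how scanners test whether a server will relay requests to other hosts. The script below is an added example, not code from the question or the answer; it parses Apache combined-format log lines (the default on Debian-based systems) and flags such requests by source IP, assuming a placeholder hostname for the asker's dynamic-DNS name.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hostnames this server legitimately answers for (assumption: a placeholder dynamic-DNS name).
OWN_HOSTS = {"example-home.dyndns.example"}

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    parts = fields["request"].split(" ")
    fields["method"] = parts[0] if parts else ""
    fields["target"] = parts[1] if len(parts) > 1 else ""
    return fields

def is_proxy_probe(fields):
    """True when the request-target is an absolute URL for a host we do not serve.
    A browser talking to this server sends 'GET /path'; a proxy scanner sends
    'GET http://other.host/...' to see whether the server fetches it on its behalf."""
    target = fields["target"]
    if not target.lower().startswith(("http://", "https://")):
        return False
    host = urlsplit(target).hostname or ""
    return host.lower() not in OWN_HOSTS

def find_proxy_probes(lines):
    """Return a Counter of source IP -> number of proxy-style requests seen."""
    hits = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields and is_proxy_probe(fields):
            hits[fields["host"]] += 1
    return hits

# Constructed sample: the entry quoted in the question (without its grep prefix) plus an ordinary request.
SAMPLE_LOG = [
    '74.217.28.153 - - [19/Feb/2016:05:36:48 +0000] "GET http://pastebin.com/raw.php?i=GNsjKYy5 HTTP/1.1" 404 442 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"',
    '192.0.2.10 - - [19/Feb/2016:06:01:02 +0000] "GET /videos/cam1.mp4 HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in find_proxy_probes(SAMPLE_LOG).items():
        print(f"{ip}: {n} proxy-style request(s)")
```

Run it against the real file with `find_proxy_probes(open("/var/log/apache2/access.log"))`; a 404 on such a request, as in the quoted entry, shows the default configuration did not relay it.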