Apache access log, strange post requests

Question

Getting lot strange requests in my access log:

ip login:"-" - - [24/May/2017:01:26:30 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/D89B1EDB-4CED-D145-9246-16243451D23D/from HTTP/1.0" 404 1346 Time:"2s" pid:23050 Mem:"2097152
ip login:"-" - - [24/May/2017:00:48:35 +0700] "POST /3A348409-DD98-D443-96A4-D712F51D8B11/E970DBFE-0DB1-A749-9392-CF1704CC81FD/from HTTP/1.0" 404 1348 Time:"0s" pid:22893 Mem:"4194304"
ip login:"-" - - [23/May/2017:00:33:08 +0700] "POST /CE92AFB2-2FDE-8742-B5ED-0629F2B9B622/2D682DC1-D8C5-574F-8A0E-AC62EB96CBD8/from HTTP/1.0" 404 1348 Time:"0s" pid:6695 Mem:"4194304"
...

Also, sometimes (not so frequently), getting another type of logs records containing parts of my HTML pages:

ip login:"-" - - [23/May/2017:14:00:49 +0700] "GET /static/legacy/js/ion%20value=201602>%D4%E5%E2%F0%E0%EB%FC%202016</option><option%20value=201601>%DF%ED%E2%E0%F0%FC%202016</option><option%20value=201512>%C4%E5%EA%E0%E1%F0%FC%202015</option><option%20value=201511>%CD%EE%FF%E1%F0%FC%202015</option><option%20value=201510>%CE%EA%F2%FF%E1%F0%FC%202015</option><option%20value=201509>%D1%E5%ED%F2%FF%E1%F0%FC%202015</option><option%20value=201508>%C0%E2%E3%F3%F1%F2%202015</option><option%20value=201507>%C8%FE%EB%FC%202015</option><option%20value=201506>%C8%FE%ED%FC%202015</option><option%20value=201505>%CC%E0%E9%202015</option><option%20value=201504>%C0%EF%F0%E5%EB%FC%202015</option><option%20value=201503>%CC%E0%F0%F2%202015</option><option%20value=201502>%D4%E5%E2%F0%E0%EB%FC%202015</option><option%20value=201501>%DF%ED%E2%E0%F0%FC%202015</option><option%20value=201412>%C4%E5%EA%E0%E1%F0%FC%202014</option><option%20value=201411>%CD%EE%FF%E1%F0%FC%202014</option><option%20value=201410>%CE%EA%F2%FF%E1%F0%FC%202014</option><option%20value=201409>%D1%E5%ED%F2%FF%E1%F0%FC%202014</option><option%20value=201408>%C0%E2%E3%F3%F1%F2%202014</option><option%20value=201407>%C8%FE%EB%FC%202014</option><option%20value=201406>%C8%FE%ED%FC%202014</option><option%20value=201405>%CC%E0%E9%202014</option><option%20value=201404>%C0%EF%F0%E5%EB%FC%202014</option><option%20value=201403>%CC%E0%F0%F2%202014</option><option%20value=201402>%D4%E5%E2%F0%E0%EB%FC%202014</option><option%20value=201401>%DF%ED%E2%E0%F0%FC%202014</option><option%20value=201312>%C4%E5%EA%E0%E1%F0%FC%202013</option><option%20value=201311>%CD%EE%FF%E1%F0%FC%202013</option></select></td></tr><script%20type= HTTP/1.0" 404 1347 Time:"0s" pid:15377 Mem:"4194304"

Anyone know something about it?

OS: ubuntu 15.10 x64

Apache: v 2.4.24

score 0 · Answer 1 · answered May 24 '17 at 05:45

Looks to me like someone found a cross-site scripting (XSS) vulnerability somewhere in your code.

Without seeing the code found in the file found (presumably) at /static/legacy/js/ion, it's almost impossible to offer any advice or answers as to what needs to be done.

Generally speaking though, somewhere along the line there's code that exists which is producing output without first being sanitized. It could be inside that file, or maybe even inside the file that produces the output that writes that line.

Either way, it would probably be best to search for things like $_POST, $_GET, $_REQUEST, etc., that are producing output provided by the user without first being sanitized.

Hi. thanks for your answer. I found one of such clients and he didn't do something unusual intentionally. But maybe his os or browser infected... dunno what to think — SLY, May 24 '17 at 06:45

Apache access log, strange post requests

1 Answers1