Question Regarding Apache Access Logs

Operating System & Version
CentOS v7.9.2009
cPanel & WHM Version
v100.0.5

nootkan

Well-Known Member
Oct 25, 2006
165
11
168
Hello, I am concerned by some logs I have seen lately and need some clarification as to what they mean.

Here is one of them:
Code:
36.5.71.45 - - [23/Dec/2021:15:36:33 -0800] "GET http://www.soso.com/ HTTP/1.1" 200 163 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
There are others with different websites and some with nothing but the IP and 200 OK status. Does this mean that someone is using my server to send others to the domain in question, or something else more malicious?

Is it just a failed attempt that I shouldn't be worried about even though there is a 200 status associated with the get request?

I have config server firewall installed on the server along with csx, osm, modsecurity and imunifyAV.

I did find this post on stack exchange which provides some info but wanted to see if there were any other things I can research or do to mitigate this.
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,045
112
118
Houston, TX
cPanel Access Level
Root Administrator
Hello! The HTTP 200 OK success status response code indicates that the request succeeded. This log entry is perfectly normal and simply indicates a web page was visited. We can break it down like this.
  1. 36.5.71.45 is the IP of the visitor
  2. 23/Dec/2021:15:36:33 is when it happened
  3. "GET" request indicates this IP was requesting information (i.e. resolving a website page and requesting the information from it)
  4. www.soso.com is the web page that this IP was visiting and made a "GET" request to
Then there's also information about the type of browser/device that was being used. You shouldn't need to worry about these log entries unless you're seeing thousands of connections from the same IP and are suspicious of some type of DDoS or network attack.
 
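The breakdown above covers the fields of a combined-format access log line. The detail that matters for the original question is the request target: a normal request reads `GET /path HTTP/1.1`, while the quoted line carries an absolute URI (`GET http://www.soso.com/ HTTP/1.1`), which is how a client talks to a forward proxy. The status and byte count record what this server sent back, not whether the remote site was fetched. The following parser is an added example, not code from the thread or from cPanel; the log lines other than the one quoted in the thread, and the `OWN_HOSTS` set, are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format, as used by the access_log quoted in the thread:
# host ident authuser [date] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: the first line is the entry quoted in the thread, the rest
# are made up to show a normal request and an empty request line.
SAMPLE_LOG = """\
36.5.71.45 - - [23/Dec/2021:15:36:33 -0800] "GET http://www.soso.com/ HTTP/1.1" 200 163 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
203.0.113.7 - - [23/Dec/2021:15:37:02 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
36.5.71.45 - - [23/Dec/2021:15:37:10 -0800] "GET http://example.net/ HTTP/1.1" 200 163 "-" "curl/7.79.1"
198.51.100.9 - - [23/Dec/2021:15:38:41 -0800] "-" 408 - "-" "-"
"""

# Hypothetical: the hostnames this server legitimately serves.
OWN_HOSTS = {"www.example.com", "example.com"}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    # A request line is "METHOD target PROTOCOL"; a bare "-" means the client
    # opened a connection but never sent a complete request line.
    if len(parts) == 3:
        entry["method"], entry["target"], entry["protocol"] = parts
    else:
        entry["method"] = entry["target"] = entry["protocol"] = ""
    return entry


def classify(entry, own_hosts=OWN_HOSTS):
    """Label an entry: 'empty' (no request line), 'proxy-style' (absolute URI
    naming a host this server does not serve) or 'normal'."""
    target = entry["target"]
    if not target:
        return "empty"
    if "://" in target:
        host = (urlsplit(target).hostname or "").lower()
        if host not in own_hosts:
            return "proxy-style"
    return "normal"


def proxy_probe_report(log_text, own_hosts=OWN_HOSTS):
    """Count proxy-style requests per client IP across a block of log text.
    The logged status (200 here) only says what this server answered; a server
    that is not configured as a forward proxy answers with its own content."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and classify(entry, own_hosts) == "proxy-style":
            counts[entry["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in proxy_probe_report(SAMPLE_LOG).items():
        print(f"{ip}: {n} proxy-style request(s)")
```

Run it against a real file with `proxy_probe_report(open("/etc/apache2/logs/access_log").read(), {"yourdomain.example"})` after filling in the domains the server actually hosts; a handful of hits per IP is background noise, while a large count from one address is the "thousands of connections from the same IP" case mentioned above.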

nootkan

Well-Known Member
Oct 25, 2006
165
11
168
Hello! The HTTP 200 OK success status response code indicates that the request succeeded. This log entry is perfectly normal and simply indicates a web page was visited. We can break it down like this.
  1. 36.5.71.45 is the IP of the visitor
  2. 23/Dec/2021:15:36:33 is when it happened
  3. "GET" request indicates this IP was requesting information (i.e. resolving a website page and requesting the information from it)
  4. www.soso.com is the web page that this IP was visiting and made a "GET" request to
Then there's also information about the type of browser/device that was being used. You shouldn't need to worry about these log entries unless you're seeing thousands of connections from the same IP and are suspicious of some type of DDoS or network attack.
Okay, I was concerned because www.soso.com isn't my website and isn't even on the server I manage.
 

quietFinn

Well-Known Member
Feb 4, 2006
1,701
352
438
Finland
cPanel Access Level
Root Administrator
I am seeing those lines in "etc/apache2/logs/access_log"
and
"var/log/apache2/access_log"
Those are the same file.

AFAIK in that log there is not supposed to be access logs for any domain in your server. :rolleyes:
 

nootkan

Well-Known Member
Oct 25, 2006
165
11
168
Okay thanks. So I will assume based on your reply and cPanelAnthony's that all is good, seeing as how that isn't my domain or any domain on my server.
 

quietFinn

Well-Known Member
Feb 4, 2006
1,701
352
438
Finland
cPanel Access Level
Root Administrator
Okay thanks. So I will assume based on your reply and cPanelAnthony's that all is good, seeing as how that isn't my domain or any domain on my server.
I can't really say if it's good or not, but I've never seen lines like that in our servers.
 

nootkan

Well-Known Member
Oct 25, 2006
165
11
168
Been trying to find where the setting is for open proxy but can't seem to find anything on Google that points me to the proper SSH command.
I tried this:
Code:
sudo nmap -sS -sV -p 8080 --script http-open-proxy.nse x.x.x.x
but I must not have nmap installed on the server.
Tried looking inside httpd file and didn't see anything there either other than a reference to mod_proxy_fastcgi.
Also checked the "tweak settings" inside WHM but nothing there that I can find either.
 
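The nmap script above tests from the outside whether the server relays requests. The same question can be answered from the configuration side: Apache only acts as a forward proxy when mod_proxy is loaded and `ProxyRequests On` is set (the directive defaults to Off), and a loaded mod_proxy_fcgi by itself does not make the server an open proxy. The script below is an added example, not cPanel's own tooling; `/etc/apache2/conf/httpd.conf` and `/usr/sbin/httpd` are assumed EasyApache 4 paths, the sample configuration and module listing are constructed, and Include'd files are not followed.

```python
import re
import subprocess

# Assumed cPanel/EasyApache 4 locations; adjust if your server differs.
HTTPD_CONF = "/etc/apache2/conf/httpd.conf"
HTTPD_BIN = "/usr/sbin/httpd"

# Constructed sample configuration for the offline demonstration. The commented
# line must be ignored; the global setting is Off, one vhost turns it On.
SAMPLE_CONF = """\
# ProxyRequests On
LoadModule proxy_module modules/mod_proxy.so
<IfModule mod_proxy.c>
    ProxyRequests Off
</IfModule>
<VirtualHost *:8080>
    ProxyRequests On
</VirtualHost>
"""

# Constructed sample of `httpd -M` output (one module per line, name first).
SAMPLE_MODULES = """\
Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_fcgi_module (shared)
 rewrite_module (shared)
"""


def directive_values(conf_text, directive):
    """Yield (line_number, value) for every uncommented occurrence of a directive."""
    pattern = re.compile(rf"^\s*{re.escape(directive)}\s+(.+?)\s*$", re.IGNORECASE)
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments are not configuration
        m = pattern.match(line)
        if m:
            yield lineno, m.group(1)


def forward_proxy_enabled(conf_text):
    """Return the line numbers where 'ProxyRequests On' is set.
    ProxyRequests defaults to Off, so an empty list means this file does not
    turn Apache into a forward proxy."""
    return [n for n, v in directive_values(conf_text, "ProxyRequests")
            if v.lower() == "on"]


def loaded_proxy_modules(module_listing):
    """From `httpd -M` output, return the proxy-related module names."""
    return sorted(m.group(1) for m in
                  re.finditer(r"^\s*(proxy\w*_module)", module_listing, re.M))


def check_live_server(conf_path=HTTPD_CONF, httpd_bin=HTTPD_BIN):
    """Run both checks against the real server (needs root and the paths above)."""
    with open(conf_path) as f:
        conf = f.read()
    mods = subprocess.run([httpd_bin, "-M"], capture_output=True, text=True).stdout
    return forward_proxy_enabled(conf), loaded_proxy_modules(mods)


if __name__ == "__main__":
    print("ProxyRequests On at lines:", forward_proxy_enabled(SAMPLE_CONF))
    print("proxy modules loaded:", loaded_proxy_modules(SAMPLE_MODULES))
```

On the live server, `check_live_server()` returning `([], [...])` means no `ProxyRequests On` in the main file, whatever proxy modules are loaded; a non-empty first list names the lines to review, and `grep -rn ProxyRequests /etc/apache2/conf.d` (path assumed) covers the included fragments this example does not parse.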

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,045
112
118
Houston, TX
cPanel Access Level
Root Administrator
Been trying to find where the setting is for open proxy but can't seem to find anything on Google that points me to the proper SSH command.
I tried this:
Code:
sudo nmap -sS -sV -p 8080 --script http-open-proxy.nse x.x.x.x
but I must not have nmap installed on the server.
Tried looking inside httpd file and didn't see anything there either other than a reference to mod_proxy_fastcgi.
Also checked the "tweak settings" inside WHM but nothing there that I can find either.
You should be able to install nmap for free if needed.