Running Apache on a Debian server, I have started monitoring the logs and have found some odd occurrences. Does anyone know what this any-request-allowed.com site is trying to do... and how can I block this potentially malicious traffic?
Sanitized logs:
[46.161.11.245] - [13/Apr/2011:13:02:09 -0700] | api.goolertech.com "POST http://myinfo.any-request-allowed.com/?strGet=get2566 HTTP/1.1" 404 294 | -
[46.161.11.245] - [15/Apr/2011:13:02:53 -0700] | api.goolertech.com "POST http://myinfo.any-request-allowed.com/?strGet=get8888 HTTP/1.1" 404 294 | -
[46.161.11.245] - [17/Apr/2011:13:05:04 -0700] | api.goolertech.com "POST http://myinfo.any-request-allowed.com/?strGet=get9659 HTTP/1.1" 404 294 | -
Where 404 is the error code and 294 is the size of the response.
EDIT:
Did a packet capture, and this was the request I got:
POST http://myinfo.any-request-allowed.com/?strGet=get2566 HTTP/1.1
Host: myinfo.any-request-allowed.com
Pragma: no-cache
Accept: */*
Proxy-Connection: Keep-Alive
Cookie: strCookie=cookie2566
Content-Length: 16
Content-Type: application/x-www-form-urlencoded
strPost=post2566
This looks like internet background noise. A dodgy or compromised host is probably port scanning for open web servers and then testing them out to see if they'll relay a POST to a 3rd party site. Your server is naturally 404ing the request. It's likely not targeted at you and the chances are it will stop pretty soon.

That said, the timing is unusually regular for this sort of traffic, so if it doesn't stop, the source of the request is 46.161.11.245. If you block anything, then block that host at the firewall (via iptables).

You can use iptables to block this request. That is a POST request, so not sure what data is being sent with it. Can try running tcpdump to get that info.