Failed “attempts against apache-auth” - httpd log suspicious

Fail2ban blocked a local IP address yesterday, which belongs to an ordinary workstation, because of failed “attempts against apache-auth”.

Httpd access logs show this.
Do those logs show that something is trying to steal my http provisioning credentials and has someone else seen this GET /mnt/mtd/AVAST-HNS-SCAN-PROBE HTTP/1.1 before?

10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - webadmin [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - webadmin [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - webadmin [08/Sep/2019:21:40:34 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - webadmin [08/Sep/2019:21:40:34 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /etc/passwd HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /language/Swedish${IFS}&&ping$IFS-c1$IFS-s41${IFS}10.1.10.119>/dev/null&&tar${IFS}/string.js HTTP/1.1" 404 384 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /language/Swedish${IFS}&&echo${IFS}AVAST-HNS-SCAN-PROBE>AVAST-HNS-SCAN-PROBE&&tar${IFS}/string.js HTTP/1.1" 404 389 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /mnt/mtd/AVAST-HNS-SCAN-PROBE HTTP/1.1" 404 302 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /etc/passwd HTTP/1.1" 404 284 "-" "-"

I found
https://forum.avast.com/index.php?topic=221828.0
which is intended behavior in some circumstances by Avast security products. If that’s intentionally running on the workstation, you’ll need to change settings at one end or the other to get them to coexist. If not, scan the workstation for malware.


Are you or any of the people on the LAN using Avast? Are they using the NHS module?

It could be a zombie on the network, or it could be someone trying to “help” by running the Network Scanner modules in Avast.

The excerpt does look suspicious.


AFAIK Avast doesn’t spoof the source IP address, so (if it’s nothing malicious), it would have to be running on the 10.1.10.119 machine.


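As an added example (not code posted by anyone in this thread), the script below parses six of the access-log lines quoted in the first post and tags each request, so the per-host pattern of credential guesses, shell-metacharacter paths and the Avast marker string can be confirmed at a glance. The rule names and regexes are assumptions chosen for illustration, not a fail2ban filter.

```python
import re
from collections import Counter, defaultdict

# Six of the access-log lines quoted in the first post (duplicates omitted).
SAMPLE = r'''
10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - webadmin [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /etc/passwd HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /language/Swedish${IFS}&&ping$IFS-c1$IFS-s41${IFS}10.1.10.119>/dev/null&&tar${IFS}/string.js HTTP/1.1" 404 384 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /language/Swedish${IFS}&&echo${IFS}AVAST-HNS-SCAN-PROBE>AVAST-HNS-SCAN-PROBE&&tar${IFS}/string.js HTTP/1.1" 404 389 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /mnt/mtd/AVAST-HNS-SCAN-PROBE HTTP/1.1" 404 302 "-" "-"
'''.strip().splitlines()

# Apache combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>.*?) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Heuristics chosen for this example (assumptions, not a fail2ban filter).
RULES = {
    "shell_injection": re.compile(r'\$\{?IFS\}?|&&|[;|`]'),
    "sensitive_file":  re.compile(r'^/etc/(passwd|shadow)$'),
    "avast_marker":    re.compile(r'AVAST-HNS-SCAN-PROBE'),
}

def classify(line):
    """Return (ip, tags) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tags = {name for name, rx in RULES.items() if rx.search(m["path"])}
    if m["status"] == "401" and m["user"] != "-":
        tags.add("auth_failure:" + m["user"])  # a username was sent and rejected
    return m["ip"], tags

def summarize(lines):
    """Count tags per client IP so one host's probe pattern is easy to see."""
    report = defaultdict(Counter)
    for ip, tags in filter(None, map(classify, lines)):
        report[ip].update(tags)
    return report

if __name__ == "__main__":
    for ip, tags in summarize(SAMPLE).items():
        print(ip, dict(tags))
```

Pointing `summarize()` at the full access log shows whether the probe pattern comes only from 10.1.10.119 or from other hosts as well.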