[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apache suddenly downloads PHP instead of executing it ... but only on one virtual site?

W dniu wto, 29.10.2019 o godzinie 11∶27 -0400, użytkownik Carl Fink
napisał:
> On 10/29/19 2:19 AM, Xavier wrote:
> > did you take a look at your logs (apache2 logs and php logs) ?
> > Could you
> > share them with us ?
> > 
> Good point. I plead "I was really tired when I posted."
> 
> Of course, I don't know what to look for. I just tried to view the 
> tt-rss page and only the access.log file updated, so here are the
> last 
> 20 lines of that:
> 
> 50.63.185.234 - - [29/Oct/2019:08:37:13 +0000] "GET //print.cgi 
> HTTP/1.1" 404 367 "-" "() { :;};echo; /bin/bash -c \" echo 2014 |
> md5sum\""
> 66.249.65.213 - - [29/Oct/2019:08:51:39 +0000] "GET /robots.txt 
> HTTP/1.1" 404 404 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; 
> +http://www.google.com/bot.html)"
> 66.249.65.211 - - [29/Oct/2019:08:51:39 +0000] "GET 
> /manual/ko/mod/mod_socache_shmcb.html HTTP/1.1" 200 2631 "-" 
> "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) 
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile 
> Safari/537.36 (compatible; Googlebot/2.1; +
> http://www.google.com/bot.html)"
> 109.104.240.33 - - [29/Oct/2019:09:14:37 +0000] "GET / HTTP/1.1" 200 
> 10947 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
> 178.93.26.5 - - [29/Oct/2019:09:33:09 +0000] "GET / HTTP/1.1" 200
> 10947 
> "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
> like 
> Gecko) Chrome/51.0.2704.103 Safari/537.36"
> 176.214.60.106 - - [29/Oct/2019:10:04:58 +0000] "GET / HTTP/1.0" 200 
> 10966 "-" "-"
> 66.249.65.211 - - [29/Oct/2019:10:05:31 +0000] "GET 
> /manual/en/mod/mod_filter.html HTTP/1.1" 200 8336 "-" "Mozilla/5.0 
> (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36
> (KHTML, 
> like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; 
> Googlebot/2.1; +http://www.google.com/bot.html)"
> 77.120.54.54 - - [29/Oct/2019:10:09:26 +0000] "GET / HTTP/1.1" 200
> 3315 
> "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101
> Firefox/9.0.1"
> 77.120.54.54 - - [29/Oct/2019:10:09:27 +0000] "GET /HNAP1/ HTTP/1.1"
> 404 
> 348 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 
> Firefox/9.0.1"
> 46.188.46.142 - - [29/Oct/2019:10:35:12 +0000] "GET / HTTP/1.1" 200 
> 10947 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
> 151.80.36.188 - - [29/Oct/2019:11:07:20 +0000] "GET / HTTP/1.0" 200 
> 10966 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)
> "
> 66.249.65.213 - - [29/Oct/2019:11:18:36 +0000] "GET 
> /manual/en/programs/httpd.html HTTP/1.1" 200 4155 "-" "Mozilla/5.0 
> (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36
> (KHTML, 
> like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; 
> Googlebot/2.1; +http://www.google.com/bot.html)"
> 221.231.126.2 - - [29/Oct/2019:12:04:26 +0000] "GET / HTTP/1.1" 200 
> 11003 "http://65.99.217.144:80"; "Mozilla/4.0 (compatible; MSIE 9.0; 
> Windows NT 6.1)"
> 66.249.65.211 - - [29/Oct/2019:12:34:45 +0000] "GET 
> /manual/es/mod/mod_socache_shmcb.html HTTP/1.1" 200 2631 "-" 
> "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) 
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile 
> Safari/537.36 (compatible; Googlebot/2.1; +
> http://www.google.com/bot.html)"
> 213.6.199.106 - - [29/Oct/2019:13:14:16 +0000] "GET / HTTP/1.1" 200 
> 10947 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
> 93.170.112.67 - - [29/Oct/2019:13:25:06 +0000] "GET / HTTP/1.1" 200 
> 10947 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
> 109.116.119.16 - - [29/Oct/2019:13:45:28 +0000] "POST 
> /editBlackAndWhiteList HTTP/1.1" 404 367 "-" "ApiTool"
> 193.224.40.254 - - [29/Oct/2019:13:51:06 +0000] "-" 408 0 "-" "-"
> 66.249.65.211 - - [29/Oct/2019:14:07:45 +0000] "GET 
> /manual/es/mod/mod_lbmethod_bytraffic.html HTTP/1.1" 200 3206 "-" 
> "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) 
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile 
> Safari/537.36 (compatible; Googlebot/2.1; +
> http://www.google.com/bot.html)"
> 66.249.65.209 - - [29/Oct/2019:15:21:55 +0000] "GET 
> /manual/en/mod/mod_version.html HTTP/1.1" 200 3612 "-" "Mozilla/5.0 
> (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36
> (KHTML, 
> like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; 
> Googlebot/2.1; +http://www.google.com/bot.html)"
> 
> 
> That last line seems to be the only relevant one, based on times.
> The 
> browser, oddly shown to be for Android 6.0.1, is really Waterfox for 
> Linux. (?) Just for comparison I tried the same thing from Chromium 
> under Debian Buster.
> 
> 66.249.65.209 - - [29/Oct/2019:15:21:55 +0000] "GET 
> /manual/en/mod/mod_version.html HTTP/1.1" 200 3612 "-" "Mozilla/5.0 
> (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36
> (KHTML, 
> like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; 
> Googlebot/2.1; +http://www.google.com/bot.html)"
> 
> Still no idea why it is downloading rather than interpreting the PHP.
> 
> Thank you, Xaver.
> 
> --
> Carl Fink nitpicking@nitpicking.com
> Read my blog at blog.nitpicking.com. Reviews! Observations!
> 

Can You look into Apache error log(s)? Syslog?

Anybody did anything in this server when this was happen?
Reply to: