Apache access_log and connectivity.php ping?

Hi,


After having a quick look at our apache access_log there are many http requests which seem unusual…what is the purpose of these and why do these happen so regularly?





Apache access_log:

[quote]XXX.XXX.XXX.X - - [08/Oct/2008:10:03:01 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
XXX.XXX.XXX.X - - [08/Oct/2008:10:03:01 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
XXX.XXX.XXX.X - - [08/Oct/2008:10:03:01 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
XXX.XXX.XXX.X - - [08/Oct/2008:10:03:01 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
XXX.XXX.XXX.X - - [08/Oct/2008:10:03:01 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
XXX.XXX.XXX.X - - [08/Oct/2008:10:03:01 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
XXX.XXX.XXX.X - - [08/Oct/2008:10:03:01 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
XXX.XXX.XXX.X - - [08/Oct/2008:10:03:05 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"[/quote]



There are a lot more of these in quick succession afterwards as well. Does anyone have the same requests in their logs?

Are you running a linking report?

No linking reports are running, or have been run recently - what else could be making the call? Looks like some kind of infinite or crashed loop. Digging a little deeper, it is actually only happening on a single node in a cluster. In the squid log there is also the request for each matching apache request (we aren't caching _lib):



[quote]XXX.XXX.XX.XX - - [08/Oct/2008:13:11:03 +1000] "HEAD http://server-1-proxy.com.au/__lib/web/connectivity.php HTTP/1.1" 200 339 TCP_MISS:DEFAULT_PARENT[/quote]



Very strange, the request has been constant for at least a day.

I have stopped it now, looks like we have found a potential security hole/exploit.

That file is only ever used internally by Matrix to test external URLs. Maybe someone is trying to spam you with it or something.


I'm not sure what sort of security hole that file would have in it. It only validates URLs and doesn't actually load any part of Matrix.

If there is any potential for a spam or hack tool to take advantage of this page (which there is), it should be checked.

The file has been checked and I don't see any potential hack. Like I said, it also sits entirely outside of Matrix, so it doesn't even connect to the Matrix DB. There are many files in __lib and __fudge that are public in Matrix installs and any one of them could also be repeatably requested like this. Repeated requests to a public file do not make it vulnerable.

I agree it isn't a problem in anything being directly exploited from this file, it looks like the call originated probably from a form, something 'weird' happened and there was an infinite loop calling connectivity.php - it basically ground the server to a halt.


thanks


Unless you specifically require this page to be accessible externally, we would recommend blocking access to this file by default and allowing only specific addresses to connect to it.

Is the use and purpose of this file documented anywhere? If there is a potential risk it would be nice to know what can affect it.

The purpose of the file is documented in the file itself. The comment says "Page to test remote connectivity. Purpose: Check if a remote page exists (returns 200 OK)" It's really that simple.


Good idea.


The issue is with specially crafted urls, such as
    http://host.com.au/__lib/web/connectivity.php?connect_url=http://host.com.au/__lib/web/connectivity.php?


If that url is accessed by anything, the script will run forever, and very quickly. I have tested this with machine names in place of 'host', but not a top level domain.

In terms of use within Matrix, the place that uses it is the "Auto-Test" feature of the backend interface for the URL attribute type, to check whether the URL that you have entered points to something that exists.


For what it's worth, it's relatively not-new; this feature has been there since 3.8. I'm not sure where within Matrix this is being used as an asset attribute, however for those with 3.14+ systems, it is used in the Comment asset's user preferences, for the "Rated Image/Blank Image" selection interface.
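As an added example (not code from this thread or from Matrix), a small Python checker that reads lines in the Apache combined format quoted at the top of the thread and flags the two things discussed: a burst of connectivity.php hits from one client inside a short window, and a connect_url parameter that points back at connectivity.php itself (the crafted URL shown above). The sample log lines are constructed, the IP addresses are placeholders, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

CONNECTIVITY = "/__lib/web/connectivity.php"
# Constructed sample lines modelled on the thread's access_log excerpt (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2008:10:03:01 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
10.0.0.5 - - [08/Oct/2008:10:03:01 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
10.0.0.5 - - [08/Oct/2008:10:03:05 +1000] "HEAD /__lib/web/connectivity.php HTTP/1.0" 200 - "-" "PEAR HTTP_Request class ( http://pear.php.net/ )"
203.0.113.7 - - [08/Oct/2008:10:03:09 +1000] "GET /__lib/web/connectivity.php?connect_url=http://host.com.au/__lib/web/connectivity.php? HTTP/1.1" 200 339 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2008:10:04:00 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Parse one Apache combined-format line; None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

def self_referential(target):
    """True when connect_url points back at connectivity.php (the loop the thread describes)."""
    parts = urlsplit(target)
    if parts.path != CONNECTIVITY:
        return False
    return any(urlsplit(u).path == CONNECTIVITY for u in parse_qs(parts.query).get("connect_url", []))

def analyse(log_text, threshold=3, window_seconds=10):
    """Flag self-referential calls and per-IP bursts of connectivity.php hits in a sliding window."""
    findings, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or urlsplit(rec["target"]).path != CONNECTIVITY:
            continue  # not connectivity.php traffic; ignore
        hits[rec["ip"]].append(rec["ts"])
        if self_referential(rec["target"]):
            findings.append(("self_reference", rec["ip"], rec["target"]))
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # two-pointer window: hits within the last window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append(("burst", ip, peak))
    return findings
```

Run against a real access_log by passing its contents to `analyse()`; a burst finding for a client that is not an internal Matrix node is the symptom the thread describes.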