Apache access.log: unauthorized user able to request files on my localhost dev machine

tommbr asked:

I have Apache 2.4 installed on my dev PC (Windows 10).

Viewing my Apache24\logs\access.log file, I noticed suspect entries such as:

www.-----.com - - [01/Jan/2018:10:45:19 -0200] "GET /SOME-PERSONAL-DEV-PROJECT/admin/ HTTP/1.1" 200 21061
www.-----.com - - [02/Jan/2018:07:04:00 -0200] "GET /phpmyadmin/sql.php?server=1&db=-----&table=-----&pos=0&token=ea
www.-----.com - - [02/Jan/2018:07:04:01 -0200] "GET /phpmyadmin/sql.php?server=1&db==-----&&table==-----&&pos=0&token=ea
www.-----.com - - [02/Jan/2018:07:04:08 -0200] "GET /phpmyadmin/index.php?ajax_request=1&recent_table=1&token=ea

I have ‘phpmyadmin’ on localhost and also ‘SOME-PERSONAL-DEV-PROJECT’ is another folder in my localhost for personal web dev stuff.

‘www.-----.com’ is a known ad network domain and I know they are related to shady stuff.

So in my httpd.conf file I have this config rule:

<Directory "c:/htdocs">
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    Options Indexes Includes FollowSymLinks

    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    AllowOverride All

    # Controls who can get stuff from this server.
    Require local
</Directory>

From my understanding, “Require local” would prevent anything that is not localhost from making requests to the files on my local machine.

So my question is, why is this domain apparently being successful in accessing files from my local dev machine?

My answer:

Those logs are showing your own requests to the web server.

We see from your comment that you said you added www.-----.com to the Windows hosts file.

Unfortunately, you have Apache configured to do reverse DNS lookups on IP addresses before logging them. Somewhere in your Apache configuration is:

HostnameLookups On

So, instead of logging, Apache logged www.-----.com, because when it did a hostname lookup on, that name was provided from the hosts file.

Change this to Off, and your logs will begin showing correct IP addresses again.

View the full question and answer on Server Fault.
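
One way to check this diagnosis against your own files, as an added example that is not part of the original question or answer: it reads a hosts file and an access log and marks each logged client name that the hosts file binds to a loopback address. The hosts entries, log lines and names such as ads.example.test are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (assumption, not from the post): a hosts file that
# points an ad domain at loopback, and access-log lines in Common Log Format.
HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.example.test   # sinkholed ad domain
::1         localhost
"""
LOG = """\
ads.example.test - - [01/Jan/2018:10:45:19 -0200] "GET /project/admin/ HTTP/1.1" 200 21061
ads.example.test - - [02/Jan/2018:07:04:08 -0200] "GET /phpmyadmin/index.php HTTP/1.1" 200 512
203.0.113.7 - - [02/Jan/2018:07:05:00 -0200] "GET / HTTP/1.1" 403 199
other.example.test - - [02/Jan/2018:07:06:00 -0200] "GET / HTTP/1.1" 200 45
"""

def parse_hosts(text):
    """Map each lower-cased name in a hosts file to the addresses bound to it."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip malformed lines
        for name in fields[1:]:
            names.setdefault(name.lower(), set()).add(addr)
    return names

def classify_clients(log_text, hosts_text):
    """Return {client field: verdict} for every line of an access log."""
    hosts = parse_hosts(hosts_text)
    verdicts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(None, 1)[0]
        try:
            ipaddress.ip_address(client)
            verdicts[client] = "ip"  # logged as an address
        except ValueError:
            bound = hosts.get(client.lower(), ())
            # A name the hosts file binds to loopback is consistent with
            # local requests relabelled by HostnameLookups On.
            local = any(a.is_loopback for a in bound)
            verdicts[client] = "loopback-via-hosts" if local else "unexplained-hostname"
    return verdicts
```

A name reported as unexplained-hostname is not covered by the hosts file, so it deserves a closer look than one reported as loopback-via-hosts.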

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.