Analyzing Suspicious HTTP Requests to Local WAMP Server: Bot Traffic Patterns and Security Mitigation


The access logs reveal two distinct patterns of suspicious activity targeting your WAMP server:

// Pattern 1: Open-proxy checks. The request line carries a full URL, i.e. the
// scanner is asking your server to fetch a remote "proxy judge" page that
// echoes the request headers back. If the page came back through you, your
// host would be listed as an open proxy.
58.218.199.250 - "GET http://www.verysurf.com/proxyheader.php"
58.218.199.147 - "GET http://www.travelimgusa.com/ip.php"
58.218.199.250 - "GET http://61.152.144.145/judge.php"

// Pattern 2: Admin interface probing. A fixed wordlist of common admin
// paths, sent in the same order to every host the scanner finds.
200.196.48.40 - "GET /admin/index.php"
200.196.48.40 - "GET /phpmyadmin/index.php"
200.196.48.40 - "GET /mysqladmin/index.php"

A WHOIS/ASN lookup places the source addresses in networks that generate a lot of scanning traffic (the 77.73.69.x range does not appear in the excerpts above):

  • 58.218.199.x - China (AS4134 CHINANET-BACKBONE)
  • 200.196.48.x - Brazil (AS26599 TELEFÔNICA BRASIL)
  • 77.73.69.x - Russia (AS9009 M247 Ltd)

Treat the origin as context, not evidence: the scanning hosts are typically compromised machines or rented servers, so blocking by country trades false positives for a marginal reduction in noise. Block by behaviour (the patterns above) and restrict who can reach the server at all.

Add this to your Apache configuration (server or virtual-host context). Note that the real control against the proxy probes is ProxyRequests Off, which is Apache's default; the rewrite rules below only cut the log noise and deny the admin paths to non-local clients:

<IfModule mod_rewrite.c>
RewriteEngine On

# Block obviously automated user agents. This is a low-value, easily spoofed
# filter (a scanner sets any User-Agent it likes, and "java"/"curl" will also
# reject legitimate monitoring tools), so treat it as noise reduction only.
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python-urllib|curl|scan|java|spider) [NC]
RewriteRule .* - [F,L]

# Block proxy-judge probes. The indicators are in the request line / path,
# not the query string, so match THE_REQUEST (the raw request line), which
# also catches absolute-URI forms such as "GET http://host/judge.php HTTP/1.1".
RewriteCond %{THE_REQUEST} /(proxyheader|judge|ip)\.php [NC]
RewriteRule .* - [F,L]

# Deny admin paths to anything but the local host (IPv4 and IPv6 loopback).
# In server/vhost context the matched path begins with "/", so the pattern
# needs the slash; in .htaccess context the leading slash is stripped and
# "^(phpmyadmin|admin|mysql)" would be the right form.
RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|::1)$
RewriteRule ^/(phpmyadmin|admin|mysql) - [F,L]
</IfModule>

Create a simple PHP script to log suspicious requests that reach the application. Load it for every request through php.ini (auto_prepend_file) rather than by including it in individual pages, and remember that anything Apache already rejected with a 403 never reaches PHP, so this only records probes that got past the web-server rules:

<?php
// Suspicious-request logger. Load it for every request via php.ini, e.g.
//   auto_prepend_file = "c:/wamp/www/suspicious_logger.php"   (file name is an example)
$suspicious_patterns = [
    '#/manager/html#i',
    '#proxyheader\.php#i',
    '#judge\.php#i',
    '#/phpmyadmin#i',
    '#/admin/#i',
];

$request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
$method      = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '-';

// Keep the log outside the document root: a 'suspicious.log' next to index.php
// would itself be downloadable by the scanners it records.
$log_file = 'c:/wamp/logs/suspicious.log';

foreach ($suspicious_patterns as $pattern) {
    if (preg_match($pattern, $request_uri)) {
        // Strip CR/LF so a crafted URI cannot forge extra log lines.
        $safe_uri  = str_replace(["\r", "\n"], ' ', $request_uri);
        $log_entry = date('Y-m-d H:i:s') . " - $remote_addr - $method $safe_uri\n";
        // LOCK_EX: concurrent requests would otherwise interleave partial lines.
        file_put_contents($log_file, $log_entry, FILE_APPEND | LOCK_EX);
        break;
    }
}
?>
  • Bind to localhost only: edit httpd.conf so Apache listens on the loopback address (Listen 127.0.0.1:80). The port is then unreachable from the network regardless of firewall state, which is the right default for a development server.
  • Change default ports: moving Apache off 80/443 reduces noise from mass scanners but is not a control; anything that port-scans the host still finds it.
  • Implement IP whitelisting (Apache 2.2 syntax; on 2.4 it only works with mod_access_compat loaded, otherwise use Require ip). Apache does not accept inline comments, so keep the comment on its own line:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
# Your local network
Allow from 192.168.1.0/24

While this traffic is common for exposed servers, immediate action is needed if you observe:

  • POST requests to admin interfaces (credentials or commands are being submitted, not just a path probed)
  • Repeated failed authentication attempts (a password-guessing run against phpMyAdmin or Basic auth)
  • Unusual SQL queries in the MySQL general or slow query log (phpMyAdmin or an injection point is being used)
  • Requests containing ".." or "%00" sequences (directory traversal and null-byte truncation attempts against PHP file handling)

When you leave a WAMP (Windows, Apache, MySQL, PHP) server exposed to the internet, automated scanners will find it quickly; none of this traffic is aimed at you specifically. The access logs you've shared show classic patterns of malicious scanning:

// Example of suspicious requests from your logs
58.218.199.250 - - [29/Apr/2012:10:03:53 -0700] "GET http://61.152.144.145/judge.php HTTP/1.1" 200 1355
200.196.48.40 - - [28/Apr/2012:16:12:38 -0700] "GET /phpmyadmin/index.php HTTP/1.1" 403 222

Note the status codes. The phpMyAdmin probe was refused (403), which is what you want. The absolute-URI request got a 200: confirm that mod_proxy is not forwarding (ProxyRequests Off, Apache's default) and check what was actually served for that request. If the 1355 bytes were your own index page rather than the remote judge script, the proxy test failed and the 200 is harmless; if the remote content came back through your server, you are running an open proxy.

The requests fall into two main categories:

1. Proxy Checking Scripts

The Chinese IPs (58.218.199.*) are checking whether your server acts as an open proxy. Each request names a full URL, and the target (judge.php, proxyheader.php, ip.php) is a "proxy judge" script that echoes the request headers back, so the scanner can tell whether the relay worked and how much of the real client's identity leaks through it. The scanning hosts themselves are likely compromised machines being used as proxies.

// Typical proxy checking pattern
GET http://target-domain.com/proxy/judge.php HTTP/1.1

2. Admin Interface Scanning

The Brazilian IP (200.196.48.40) is systematically probing for common admin interfaces like phpMyAdmin, hoping to find an unprotected database management tool. On WAMP this is a real risk: the default install serves phpMyAdmin at /phpmyadmin and the MySQL root account has an empty password, so an alias that answers to the internet hands over the database outright. The 403 in your log shows the alias was already limited to local access, which is WAMP's default; keep it that way and set a root password regardless.

// Common admin path probing sequence
GET /admin/index.php
GET /phpmyadmin/index.php
GET /mysqladmin/index.php
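Added example (not code from the original post or from any WAMP component): a Python classifier that applies the two patterns above, plus the traversal/null-byte and POST-to-admin indicators listed earlier, to Apache combined-format log lines and summarises findings per source IP. The sample log lines are constructed to mirror the excerpts quoted on this page, and the indicator lists, severity levels and tag names are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined"/"common" log line prefix:
#   ip ident user [time] "method target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed indicator lists, seeded from the probes quoted in the page.
ADMIN_PATHS = ("/admin", "/phpmyadmin", "/mysqladmin", "/manager/html", "/wp-admin")
PROXY_JUDGE = ("proxyheader.php", "judge.php", "ip.php")
SEVERITY = {"low": 0, "medium": 1, "high": 2}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    return req


def classify(req):
    """Return (indicator, severity) tags for one parsed request."""
    tags = []
    target = req["target"]
    path = target
    # Absolute-URI request line ("GET http://host/x HTTP/1.1"): the client is
    # using this server as a forward proxy, i.e. an open-proxy test.
    if re.match(r"https?://", target, re.I):
        tags.append(("open-proxy-probe", "medium"))
        path = re.sub(r"^https?://[^/]+", "", target, flags=re.I) or "/"
    path = path.split("?", 1)[0].lower()
    # Match the script name exactly so "/tooltip.php" is not mistaken for ip.php.
    if path.rsplit("/", 1)[-1] in PROXY_JUDGE:
        tags.append(("proxy-judge-script", "medium"))
    if any(path == p or path.startswith(p + "/") for p in ADMIN_PATHS):
        # A POST means credentials or commands are being submitted, not just a probe.
        tags.append(("admin-interface-probe", "high" if req["method"] == "POST" else "medium"))
    # Decode once so "%2e%2e" and "%00" are caught alongside a literal "..".
    decoded = unquote(target)
    if ".." in decoded or "\x00" in decoded:
        tags.append(("traversal-or-null-byte", "high"))
    return tags


def analyze(lines):
    """Aggregate indicators per client IP; returns {ip: {...}} with the worst severity seen."""
    report = defaultdict(lambda: {"requests": 0, "indicators": defaultdict(int),
                                  "statuses": defaultdict(int), "severity": "low"})
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue  # rotated/garbled line; skip rather than crash the report
        entry = report[req["ip"]]
        entry["requests"] += 1
        entry["statuses"][req["status"]] += 1
        for tag, sev in classify(req):
            entry["indicators"][tag] += 1
            if SEVERITY[sev] > SEVERITY[entry["severity"]]:
                entry["severity"] = sev
    return dict(report)


# Constructed sample lines modelled on the excerpts quoted above (not real log data).
SAMPLE_LOG = """\
58.218.199.250 - - [29/Apr/2012:10:03:53 -0700] "GET http://61.152.144.145/judge.php HTTP/1.1" 200 1355
58.218.199.147 - - [29/Apr/2012:10:05:11 -0700] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 200 1355
200.196.48.40 - - [28/Apr/2012:16:12:38 -0700] "GET /admin/index.php HTTP/1.1" 404 222
200.196.48.40 - - [28/Apr/2012:16:12:38 -0700] "GET /phpmyadmin/index.php HTTP/1.1" 403 222
200.196.48.40 - - [28/Apr/2012:16:12:39 -0700] "POST /phpmyadmin/index.php HTTP/1.1" 403 222
203.0.113.9 - - [28/Apr/2012:17:00:00 -0700] "GET /index.php?page=../../../../boot.ini HTTP/1.1" 200 1355
203.0.113.9 - - [28/Apr/2012:17:00:01 -0700] "GET /index.php?f=x%00.php HTTP/1.1" 200 1355
192.168.1.50 - - [28/Apr/2012:17:30:00 -0700] "GET /index.php HTTP/1.1" 200 1355
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip, entry in sorted(report.items(), key=lambda kv: -SEVERITY[kv[1]["severity"]]):
        print("%-16s %-6s %3d req  %s" % (ip, entry["severity"], entry["requests"],
                                         dict(entry["indicators"]) or "-"))
```

Run it against C:\wamp\logs\access.log by replacing SAMPLE_LOG.splitlines() with open(path) to get the same per-IP summary; the "high" rows are the ones the "immediate action" list above refers to.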

Here's how to secure your WAMP server:

1. Restrict Apache Access

Edit your httpd.conf to limit access. Your paths show Apache 2.4.23, where Order/Deny/Allow only works if mod_access_compat is loaded; the native 2.4 form is:

# In httpd.conf or virtual host configuration (Apache 2.4 syntax)
<Directory "c:/wamp/www/">
    # Each Require line is an alternative (implicit RequireAny)
    Require ip 127.0.0.1
    Require ip ::1
    # Add your specific IP or LAN range if needed
    Require ip 192.168.1.100
</Directory>

Check the existing <Directory "c:/wamp/www/"> block for a Require all granted (or Require local) line and keep only one set of Require directives, otherwise the broader one still applies.

2. Secure phpMyAdmin

Add basic authentication to phpMyAdmin, and combine it with an IP restriction so a guessed password alone is not enough from outside the LAN. Basic auth sends the credentials base64-encoded, not encrypted, so use it only over HTTPS or from the local network:

# In phpmyadmin.conf (WAMP names it alias_phpmyadmin.conf); adjust the version directory
<Directory "c:/wamp/apps/phpmyadmin4.1.14/">
    AuthType Basic
    AuthName "Restricted Access"
    # Create the file outside the document root with the bundled tool, e.g.
    #   c:\wamp\bin\apache\apache2.4.23\bin\htpasswd.exe -c -B <path> <user>
    AuthUserFile c:/wamp/bin/apache/apache2.4.23/bin/.htpasswd
    <RequireAll>
        Require valid-user
        Require ip 127.0.0.1 ::1 192.168.1.0/24
    </RequireAll>
</Directory>

3. Implement Fail2Ban (Windows Alternative)

Create a simple batch script to block repeated offenders. It relies on awk, sort and uniq being on PATH (GnuWin32 CoreUtils or Git for Windows); plain cmd.exe has none of them:

@echo off
:: Simple IP blocker for Windows
set LOGFILE=C:\wamp\logs\access.log
set BADIPS=C:\wamp\bin\apache\apache2.4.23\conf\blocked_ips.conf

:: Count 403/404 responses per client IP and keep IPs with 10 or more.
:: uniq -c prints "<count> <ip>"; the regex wants two digits plus any further
:: digits (the original "^ *[0-9][0-9] " silently dropped counts of 100+).
findstr /R /C:" 403 " /C:" 404 " %LOGFILE% | awk "{print $1}" | sort | uniq -c | sort -nr | findstr /R /C:"^ *[0-9][0-9][0-9]* " > %TEMP%\badips.txt

:: Append each IP once and without quotes (echo "..." wrote the quotes into the
:: file). Redirect first: "echo ...41>> file" would otherwise be parsed as a
:: handle-1 redirect and drop the last digit. Include blocked_ips.conf from a
:: block with "Order Allow,Deny" / "Allow from all" (mod_access_compat on 2.4),
:: then run httpd -k restart so Apache re-reads it.
for /F "tokens=2" %%i in (%TEMP%\badips.txt) do (
    findstr /C:"Deny from %%i" %BADIPS% >nul 2>&1 || >> %BADIPS% echo Deny from %%i
)
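A portable version of the same banning logic as an added example (not the page's script and not a WAMP tool): Python instead of batch, so it needs no awk/sort/uniq, it never bans loopback or LAN clients, it does not append duplicates, and it can emit either the Deny from lines for blocked_ips.conf or equivalent Windows Firewall rules. The sample log is constructed, and the 192.168.1.0/24 allowlist, the threshold of 10 and the rule-name format are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Only the client IP (first field) and the status (after the quoted request
# line) matter for a banning decision.
STATUS_RE = re.compile(r'^(?P<ip>\S+) .*?" (?P<status>\d{3}) ')


def count_rejections(lines, statuses=(403, 404)):
    """Count per client IP how many responses carried one of `statuses`."""
    hits = Counter()
    for line in lines:
        m = STATUS_RE.match(line)
        if m and int(m.group("status")) in statuses:
            hits[m.group("ip")] += 1
    return hits


def offenders(lines, threshold=10, allowlist=("127.0.0.1/32", "::1/128", "192.168.1.0/24")):
    """[(ip, count)] at or above the threshold, busiest first, skipping allowlisted networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    result = []
    for ip, n in count_rejections(lines).most_common():
        if n < threshold:
            break  # most_common() is sorted descending, nothing further qualifies
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostname or garbage in the IP field: cannot be banned by address
        if not any(addr in net for net in nets):
            result.append((ip, n))
    return result


def render_blocklist(offending, existing=()):
    """Lines for blocked_ips.conf ("Deny from", mod_access_compat on 2.4), skipping IPs already listed."""
    present = {l.split()[-1] for l in existing if l.strip().startswith("Deny from ")}
    return ["Deny from %s" % ip for ip, _ in offending if ip not in present]


def netsh_commands(offending):
    """Equivalent Windows Firewall rules, so the block does not depend on an Apache restart."""
    return ['netsh advfirewall firewall add rule name="WAMP block %s" dir=in action=block '
            'remoteip=%s' % (ip, ip) for ip, _ in offending]


def _line(ip, status, path):
    return '%s - - [28/Apr/2012:16:12:38 -0700] "GET %s HTTP/1.1" %d 222' % (ip, path, status)


# Constructed sample log (not real data): one scanner over the threshold, one
# under it, and a LAN client with many 404s that must never be banned.
SAMPLE_LOG = (
    [_line("200.196.48.40", 404, "/admin/index.php")] * 7
    + [_line("200.196.48.40", 403, "/phpmyadmin/index.php")] * 5
    + [_line("58.218.199.250", 404, "/judge.php")] * 3
    + [_line("192.168.1.50", 404, "/favicon.ico")] * 11
    + [_line("192.168.1.50", 200, "/index.php")] * 20
)

if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print("\n".join(render_blocklist(bad)))
    print("\n".join(netsh_commands(bad)))
```

Feed it the real log with offenders(open(r"C:\wamp\logs\access.log")) and pass the current contents of blocked_ips.conf as `existing` so re-running it is idempotent; the allowlist is what keeps a misconfigured LAN client (or your own browser hitting 404s) from locking you out.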

4. Use a Firewall

Configure Windows Firewall to only allow WAMP ports (80, 443) from trusted networks. Windows Firewall allow rules are additive, so these two rules only help if the broader rule that the WAMP installer or an earlier "allow access" prompt created for httpd.exe is disabled first: list the rules with netsh advfirewall firewall show rule name=all (search the output for apache or httpd), remove that rule, and then add the restricted ones. With the default inbound policy of block, only these two will remain:

netsh advfirewall firewall add rule name="WAMP HTTP" dir=in action=allow protocol=TCP localport=80 remoteip=192.168.1.0/24
netsh advfirewall firewall add rule name="WAMP HTTPS" dir=in action=allow protocol=TCP localport=443 remoteip=192.168.1.0/24

5. Regular Log Monitoring

Create a PowerShell script to analyze suspicious activity:

# PowerShell log analyzer: count matching requests per client IP
$logPath = "C:\wamp\logs\access.log"
# Patterns are regular expressions (-match), so escape the dots; the judge
# scripts in the logs above sit at the site root, not under /proxy/
$suspiciousPatterns = @(
    "manager/html",
    "judge\.php",
    "proxyheader\.php",
    "phpmyadmin",
    "wp-admin",
    "xmlrpc\.php"
)
$regex = $suspiciousPatterns -join "|"

Get-Content $logPath |
    Where-Object { $_ -match $regex } |
    Group-Object { ($_ -split ' ')[0] } |   # first field is the client IP
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

6. Consider Using a VPN

Instead of exposing WAMP directly, set up OpenVPN for remote access. Apache then only needs to listen on the LAN and the VPN range, the firewall rules above shrink to a single inbound UDP 1194 allow, and the scanners never see port 80 at all:

# Sample OpenVPN server configuration (server.ovpn on the Windows host)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Recommended: HMAC-sign the TLS handshake so unauthenticated scanners cannot
# even start one. Generate the key with "openvpn --genkey secret ta.key"
# (OpenVPN 2.5+; "--genkey --secret ta.key" on 2.4) and ship it to clients (key direction 1).
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
# comp-lzo removed: it is deprecated, and compressing the tunnelled traffic
# enables compression side-channel attacks (VORACLE) against it.
persist-key
persist-tun
status openvpn-status.log
verb 3