# Apache probe sequence ends with OPTIONS from 127.0.0.1



## Uniballer (Mar 23, 2015)

Typical Apache web log below.  Somebody just probing (AKA twisting doorknobs).  But how about the very end where it reports OPTIONS requests from 127.0.0.1?  I do not think this is a coincidence, partly because these always occur right after a visible probe attempt.  How does the probe make this happen?  When I try OPTIONS from another local machine I don't get that.

```
5.135.167.145 - - [22/Mar/2015:17:34:19 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226
5.135.167.145 - - [22/Mar/2015:17:34:20 -0400] "GET /cgi-bin/php HTTP/1.1" 404 209
5.135.167.145 - - [22/Mar/2015:17:34:20 -0400] "GET / HTTP/1.1" 200 285
5.135.167.145 - - [22/Mar/2015:17:34:20 -0400] "GET /cgi-bin/bash HTTP/1.1" 404 210
5.135.167.145 - - [22/Mar/2015:17:34:21 -0400] "GET /cgi-bin/contact.cgi HTTP/1.1" 404 217
5.135.167.145 - - [22/Mar/2015:17:34:21 -0400] "GET /cgi-bin/defaultwebpage.cgi HTTP/1.1" 404 224
5.135.167.145 - - [22/Mar/2015:17:34:21 -0400] "GET /cgi-bin/env.cgi HTTP/1.1" 404 213
5.135.167.145 - - [22/Mar/2015:17:34:21 -0400] "GET /cgi-bin/fire.cgi HTTP/1.1" 404 214
5.135.167.145 - - [22/Mar/2015:17:34:22 -0400] "GET /cgi-bin/forum.cgi HTTP/1.1" 404 215
5.135.167.145 - - [22/Mar/2015:17:34:22 -0400] "GET /cgi-bin/hello.cgi HTTP/1.1" 404 215
5.135.167.145 - - [22/Mar/2015:17:34:22 -0400] "GET /cgi-bin/index.cgi HTTP/1.1" 404 215
5.135.167.145 - - [22/Mar/2015:17:34:22 -0400] "GET /cgi-bin/login.cgi HTTP/1.1" 404 215
5.135.167.145 - - [22/Mar/2015:17:34:23 -0400] "GET /cgi-bin/main.cgi HTTP/1.1" 404 214
5.135.167.145 - - [22/Mar/2015:17:34:23 -0400] "GET /cgi-bin/meme.cgi HTTP/1.1" 404 214
5.135.167.145 - - [22/Mar/2015:17:34:23 -0400] "GET /cgi-bin/php4 HTTP/1.1" 404 210
5.135.167.145 - - [22/Mar/2015:17:34:23 -0400] "GET /cgi-bin/php5 HTTP/1.1" 404 210
5.135.167.145 - - [22/Mar/2015:17:34:24 -0400] "GET /cgi-bin/php5-cli HTTP/1.1" 404 214
5.135.167.145 - - [22/Mar/2015:17:34:24 -0400] "GET /cgi-bin/recent.cgi HTTP/1.1" 404 216
5.135.167.145 - - [22/Mar/2015:17:34:24 -0400] "GET /cgi-bin/sat-ir-web.pl HTTP/1.1" 404 219
5.135.167.145 - - [22/Mar/2015:17:34:24 -0400] "GET /cgi-bin-sdb/printenv HTTP/1.1" 404 218
5.135.167.145 - - [22/Mar/2015:17:34:25 -0400] "GET /cgi-bin/test-cgi HTTP/1.1" 403 225
5.135.167.145 - - [22/Mar/2015:17:34:25 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 214
5.135.167.145 - - [22/Mar/2015:17:34:25 -0400] "GET /cgi-bin/test-cgi.pl HTTP/1.1" 404 217
5.135.167.145 - - [22/Mar/2015:17:34:25 -0400] "GET /cgi-bin/test.sh HTTP/1.1" 404 213
5.135.167.145 - - [22/Mar/2015:17:34:26 -0400] "GET /cgi-bin/tools/tools.pl HTTP/1.1" 404 220
5.135.167.145 - - [22/Mar/2015:17:34:26 -0400] "GET /cgi-mod/index.cgi HTTP/1.1" 404 215
5.135.167.145 - - [22/Mar/2015:17:34:26 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 224
5.135.167.145 - - [22/Mar/2015:17:34:26 -0400] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 223
5.135.167.145 - - [22/Mar/2015:17:34:27 -0400] "GET /cgi-sys/php5 HTTP/1.1" 404 210
5.135.167.145 - - [22/Mar/2015:17:34:27 -0400] "GET /phppath/cgi_wrapper HTTP/1.1" 404 217
5.135.167.145 - - [22/Mar/2015:17:34:27 -0400] "GET /phppath/php HTTP/1.1" 404 209
127.0.0.1 - - [22/Mar/2015:17:34:28 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [22/Mar/2015:17:34:29 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [22/Mar/2015:17:34:30 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [22/Mar/2015:17:34:31 -0400] "OPTIONS * HTTP/1.0" 200 -
```


----------



## SirDice (Mar 23, 2015)

The four "OPTIONS" requests at the end are from Apache itself. It's an internal check. They have nothing to do with the other requests and can be ignored.


----------



## Uniballer (Mar 23, 2015)

I have heard that, too.  But I only get them after a probing sequence (implying that they *do* have *some* relationship with the probes).  And I seem to get them after *every* probe sequence (but I have not fully confirmed that).  I can come up with many logs like that, ranging from one OPTIONS request to 15 (the most I have seen).  What triggers them?  Do you think it's just the rapidity of the probe requests and so Apache tries to check its child processes?  I tried duplicating the stream of probe requests (in parallel) and I did not get the OPTIONS entry in the log.  I even tried tripling the probe sequence and it didn't happen.


----------



## Uniballer (Mar 23, 2015)

OK, it's not every probe sequence.  But it does seem to be every one that is something like this:

```
64.34.169.223 - - [21/Mar/2015:21:41:43 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226
64.34.169.223 - - [21/Mar/2015:21:41:43 -0400] "GET / HTTP/1.1" 200 285
64.34.169.223 - - [21/Mar/2015:21:41:43 -0400] "GET /cgi-bin/bash HTTP/1.1" 404 210
64.34.169.223 - - [21/Mar/2015:21:41:44 -0400] "GET /cgi-bin/contact.cgi HTTP/1.1" 404 217
64.34.169.223 - - [21/Mar/2015:21:41:44 -0400] "GET /cgi-bin/defaultwebpage.cgi HTTP/1.1" 404 224
64.34.169.223 - - [21/Mar/2015:21:41:44 -0400] "GET /cgi-bin/env.cgi HTTP/1.1" 404 213
64.34.169.223 - - [21/Mar/2015:21:41:44 -0400] "GET /cgi-bin/fire.cgi HTTP/1.1" 404 214
64.34.169.223 - - [21/Mar/2015:21:41:44 -0400] "GET /cgi-bin/forum.cgi HTTP/1.1" 404 215
64.34.169.223 - - [21/Mar/2015:21:41:44 -0400] "GET /cgi-bin/hello.cgi HTTP/1.1" 404 215
64.34.169.223 - - [21/Mar/2015:21:41:44 -0400] "GET /cgi-bin/index.cgi HTTP/1.1" 404 215
64.34.169.223 - - [21/Mar/2015:21:41:45 -0400] "GET /cgi-bin/login.cgi HTTP/1.1" 404 215
64.34.169.223 - - [21/Mar/2015:21:41:45 -0400] "GET /cgi-bin/main.cgi HTTP/1.1" 404 214
64.34.169.223 - - [21/Mar/2015:21:41:45 -0400] "GET /cgi-bin/meme.cgi HTTP/1.1" 404 214
64.34.169.223 - - [21/Mar/2015:21:41:45 -0400] "GET /cgi-bin/php HTTP/1.1" 404 209
64.34.169.223 - - [21/Mar/2015:21:41:46 -0400] "GET /cgi-bin/php4 HTTP/1.1" 404 210
64.34.169.223 - - [21/Mar/2015:21:41:46 -0400] "GET /cgi-bin/php5 HTTP/1.1" 404 210
64.34.169.223 - - [21/Mar/2015:21:41:46 -0400] "GET /cgi-bin/php5-cli HTTP/1.1" 404 214
64.34.169.223 - - [21/Mar/2015:21:41:46 -0400] "GET /cgi-bin/recent.cgi HTTP/1.1" 404 216
64.34.169.223 - - [21/Mar/2015:21:41:46 -0400] "GET /cgi-bin/sat-ir-web.pl HTTP/1.1" 404 219
64.34.169.223 - - [21/Mar/2015:21:41:46 -0400] "GET /cgi-bin-sdb/printenv HTTP/1.1" 404 218
64.34.169.223 - - [21/Mar/2015:21:41:46 -0400] "GET /cgi-bin/test-cgi HTTP/1.1" 403 225
64.34.169.223 - - [21/Mar/2015:21:41:46 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 214
64.34.169.223 - - [21/Mar/2015:21:41:46 -0400] "GET /cgi-bin/test-cgi.pl HTTP/1.1" 404 217
64.34.169.223 - - [21/Mar/2015:21:41:47 -0400] "GET /cgi-bin/test.sh HTTP/1.1" 404 213
64.34.169.223 - - [21/Mar/2015:21:41:47 -0400] "GET /cgi-bin/tools/tools.pl HTTP/1.1" 404 220
64.34.169.223 - - [21/Mar/2015:21:41:47 -0400] "GET /cgi-mod/index.cgi HTTP/1.1" 404 215
64.34.169.223 - - [21/Mar/2015:21:41:47 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 224
64.34.169.223 - - [21/Mar/2015:21:41:47 -0400] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 223
64.34.169.223 - - [21/Mar/2015:21:41:47 -0400] "GET /cgi-sys/php5 HTTP/1.1" 404 210
64.34.169.223 - - [21/Mar/2015:21:41:47 -0400] "GET /phppath/cgi_wrapper HTTP/1.1" 404 217
64.34.169.223 - - [21/Mar/2015:21:41:47 -0400] "GET /phppath/php HTTP/1.1" 404 209
127.0.0.1 - - [21/Mar/2015:21:41:49 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:50 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:51 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:52 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:53 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:54 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:55 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:56 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:57 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:58 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:41:59 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:42:00 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:42:01 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:42:02 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2015:21:42:03 -0400] "OPTIONS * HTTP/1.0" 200 -
```
Again, I have not been able to duplicate the OPTIONS behavior.


----------



## protocelt (Mar 23, 2015)

This link information may be of interest and expand on SirDice's reply a bit.


----------



## SirDice (Mar 24, 2015)

The fact you're seeing them in close relation to the probes is just a mere coincidence. These "OPTIONS" requests come at very regular intervals and apparently so do the attacks on your server.

As the attacks all end up with a 404, there's nothing to worry about. I'd be more worried about attacks that don't show up in the log files. But it's good you are keeping an eye on it. It definitely pays off knowing what's out there.


----------
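Added example, not written by any poster in this thread: a small Python triage of an access log in the format shown above. It separates the loopback `OPTIONS *` entries from external requests, reports how soon after the last external request each OPTIONS run starts, and lists external requests that did not return 404. The sample lines are copied from the first log in the thread except the final `203.0.113.7` entry, which is constructed; the function names are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')

# Lines from the thread's first log; the last line is constructed.
SAMPLE = """\
5.135.167.145 - - [22/Mar/2015:17:34:19 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226
5.135.167.145 - - [22/Mar/2015:17:34:25 -0400] "GET /cgi-bin/test-cgi HTTP/1.1" 403 225
5.135.167.145 - - [22/Mar/2015:17:34:27 -0400] "GET /phppath/php HTTP/1.1" 404 209
127.0.0.1 - - [22/Mar/2015:17:34:28 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [22/Mar/2015:17:34:29 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [22/Mar/2015:17:34:30 -0400] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [22/Mar/2015:17:34:31 -0400] "OPTIONS * HTTP/1.0" 200 -
203.0.113.7 - - [22/Mar/2015:17:40:02 -0400] "GET / HTTP/1.1" 200 285
"""

def parse(line):
    """Return (host, time, request, status), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    host, stamp, request, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return host, when, request, int(status)

def analyze(text):
    """Split a log into external traffic and runs of loopback OPTIONS requests."""
    statuses = {}            # external client -> Counter of status codes
    review = []              # external requests that did not end in 404
    runs = []                # consecutive blocks of loopback "OPTIONS *"
    last_ext = (None, None)  # (host, time) of the most recent external request
    in_run = False
    for host, when, request, status in filter(None, map(parse, text.splitlines())):
        if host in ("127.0.0.1", "::1") and request.startswith("OPTIONS * "):
            if not in_run:   # first OPTIONS of a new run: record what preceded it
                gap = (when - last_ext[1]).total_seconds() if last_ext[1] else None
                runs.append({"count": 0, "after": last_ext[0], "gap_s": gap})
                in_run = True
            runs[-1]["count"] += 1
        else:
            in_run = False
            last_ext = (host, when)
            statuses.setdefault(host, Counter())[status] += 1
            if status != 404:
                review.append((host, request, status))
    return statuses, review, runs
```

Running `analyze()` over a full day's log and comparing `gap_s` and `after` across all runs shows whether the OPTIONS runs track one kind of client or appear independently of external traffic.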

