Malicious redirection in Varnish?
Dariusz W
dariuszwu at yahoo.com
Wed Jun 15 07:52:01 CEST 2016
Hi,
I installed Varnish 4.1.2 about two weeks ago on CentOS 6. A week later some of my domains, top level only ('/'), became redirected to an Amazon site. Subdirectories don't seem to be affected. Flushing the URL removes the redirection for a day or two until the next time.
The source code was scanned for malicious code with no positives. I also cannot find anything suspicious in the logs: no varnish commands in syslog, not much in the Apache and Varnish logs. Passwords were changed. The issue occurs on two different VPS servers with exactly the same source code.
X-Forwarded-For and mod_remoteip are used to get client IPs.
Before installing Varnish, all domains were online for about two years with no issues.
Below are three requests from varnishlog showing an affected domain. The first is a HEAD request from my script monitoring the website, Age 0, returning status code 200. The next one is where the status code was changed to 302 and redirects traffic to the Amazon site, Age 0. And the last one, my status-monitoring HEAD request, returning 302 and Age 17, which means the page is delivered from cache.
I got two opinions so far that such behaviour is not possible at the Varnish level and must be triggered by some software. After a week I have no idea what else I can do, so any suggestions are appreciated.
Thank you,
Derek
* << Request >> 1218382
- Begin req 1218381 rxreq
- Timestamp Start: 1465944871.292117 0.000000 0.000000
- Timestamp Req: 1465944871.292117 0.000000 0.000000
- ReqStart 1.2.3.4 39668
- ReqMethod HEAD
- ReqURL /
- ReqProtocol HTTP/1.1
- ReqHeader User-Agent: Firefox
- ReqHeader Host: www.example.com
- ReqHeader Accept: */*
- ReqHeader X-Forwarded-For: 1.2.3.4
- VCL_call RECV
- VCL_acl NO_MATCH forbidden_ip
- ReqHeader X-Device: pc
- ReqHeader Cookie:
- ReqUnset Cookie:
- ReqUnset Host: www.example.com
- ReqHeader host: www.example.com
- VCL_acl NO_MATCH allowed_ip
- VCL_return hash
- VCL_call HASH
- VCL_return lookup
- Debug "XXXX HIT-FOR-PASS"
- HitPass 1218341
- VCL_call PASS
- VCL_return fetch
- Link bereq 1218383 pass
- Timestamp Fetch: 1465944871.779680 0.487563 0.487563
- RespProtocol HTTP/1.1
- RespStatus 200
- RespReason OK
- RespHeader Date: Tue, 14 Jun 2016 22:54:31 GMT
- RespHeader Server: Apache
- RespHeader Set-Cookie: PHPSESSID=db67f651e1635d1163145b49622a1639; path=/
- RespHeader Expires: Thu, 19 Nov 1981 08:52:00 GMT
- RespHeader Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- RespHeader Pragma: no-cache
- RespHeader Content-Type: text/html; charset=utf-8
- RespHeader X-Varnish: 1218382
- RespHeader Age: 0
- RespHeader Via: 1.1 varnish-v4
- VCL_call DELIVER
- VCL_return deliver
- Timestamp Process: 1465944871.779733 0.487616 0.000054
- RespHeader Accept-Ranges: bytes
- Debug "RES_MODE 0"
- RespHeader Connection: keep-alive
- Timestamp Resp: 1465944871.779789 0.487672 0.000056
- ReqAcct 81 0 81 408 0 408
- End

* << Request >> 2296119
- Begin req 2296117 rxreq
- Timestamp Start: 1465944914.191716 0.000000 0.000000
- Timestamp Req: 1465944914.191716 0.000000 0.000000
- ReqStart 100.43.91.12 48042
- ReqMethod GET
- ReqURL /
- ReqProtocol HTTP/1.1
- ReqHeader Host: www.example.com
- ReqHeader Connection: Keep-Alive
- ReqHeader user-agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
- ReqHeader from: support at search.yandex.ru
- ReqHeader Accept-Encoding: gzip,deflate
- ReqHeader Accept-Language: ru, uk;q=0.8, be;q=0.8, en;q=0.7, *;q=0.01
- ReqHeader Accept: */*
- ReqHeader X-Forwarded-For: 100.43.91.12
- VCL_call RECV
- VCL_acl NO_MATCH forbidden_ip
- ReqHeader X-Device: pc
- ReqHeader Cookie:
- ReqUnset Cookie:
- ReqUnset Host: www.example.com
- ReqHeader host: www.example.com
- VCL_acl NO_MATCH allowed_ip
- VCL_return hash
- ReqUnset Accept-Encoding: gzip,deflate
- ReqHeader Accept-Encoding: gzip
- VCL_call HASH
- VCL_return lookup
- VCL_call MISS
- VCL_return fetch
- Link bereq 2296120 fetch
- Timestamp Fetch: 1465944914.200088 0.008372 0.008372
- RespProtocol HTTP/1.1
- RespStatus 302
- RespReason Found
- RespHeader Date: Tue, 14 Jun 2016 22:55:14 GMT
- RespHeader Server: Apache
- RespHeader Cache-Control: max-age=2592000
- RespHeader Expires: Thu, 14 Jul 2016 22:55:14 GMT
- RespHeader Content-Length: 205
- RespHeader Content-Type: text/html; charset=iso-8859-1
- RespHeader Location: http://www.amazon.com
- RespHeader X-Varnish: 2296119
- RespHeader Age: 0
- RespHeader Via: 1.1 varnish-v4
- VCL_call DELIVER
- VCL_return deliver
- Timestamp Process: 1465944914.200132 0.008417 0.000044
- Debug "RES_MODE 2"
- RespHeader Connection: keep-alive
- Timestamp Resp: 1465944914.200198 0.008483 0.000066
- ReqAcct 285 0 285 319 205 524
- End

* << Request >> 2296134
- Begin req 2296133 rxreq
- Timestamp Start: 1465944930.719179 0.000000 0.000000
- Timestamp Req: 1465944930.719179 0.000000 0.000000
- ReqStart 70.27.178.167 39686
- ReqMethod HEAD
- ReqURL /
- ReqProtocol HTTP/1.1
- ReqHeader User-Agent: Firefox
- ReqHeader Host: www.example.com
- ReqHeader Accept: */*
- ReqHeader X-Forwarded-For: 70.27.178.167
- VCL_call RECV
- VCL_acl NO_MATCH forbidden_ip
- ReqHeader X-Device: pc
- ReqHeader Cookie:
- ReqUnset Cookie:
- ReqUnset Host: www.example.com
- ReqHeader host: www.example.com
- VCL_acl NO_MATCH allowed_ip
- VCL_return hash
- VCL_call HASH
- VCL_return lookup
- Hit 2296120
- VCL_call HIT
- VCL_return deliver
- RespProtocol HTTP/1.1
- RespStatus 302
- RespReason Found
- RespHeader Date: Tue, 14 Jun 2016 22:55:14 GMT
- RespHeader Server: Apache
- RespHeader Cache-Control: max-age=2592000
- RespHeader Expires: Thu, 14 Jul 2016 22:55:14 GMT
- RespHeader Content-Length: 205
- RespHeader Content-Type: text/html; charset=iso-8859-1
- RespHeader Location: http://www.amazon.com
- RespHeader X-Varnish: 2296134 2296120
- RespHeader Age: 17
- RespHeader Via: 1.1 varnish-v4
- VCL_call DELIVER
- VCL_return deliver
- Timestamp Process: 1465944930.719297 0.000118 0.000118
- Debug "RES_MODE 0"
- RespHeader Connection: keep-alive
- Timestamp Resp: 1465944930.719347 0.000169 0.000051
- ReqAcct 81 0 81 328 0 328
- End
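A triage script for the pattern the three transactions above show (a backend 302 with a month-long max-age stored on a MISS and then served on a HIT to every later client), added here as an example and not part of the original post or of Varnish itself: it parses varnishlog transaction text and flags cached redirects whose Location leaves the site. The function names, the site_host argument and the abbreviated sample log are my own constructions modelled on the post's records.

```python
import re
from urllib.parse import urlsplit

# Constructed, abbreviated varnishlog output modelled on the post's second and
# third transactions: a backend fetch that returned a cacheable 302, then a hit.
SAMPLE_LOG = """\
*   << Request  >> 2296119
-   ReqHeader      user-agent: Mozilla/5.0 (compatible; YandexBot/3.0)
-   VCL_call       MISS
-   RespStatus     302
-   RespHeader     Cache-Control: max-age=2592000
-   RespHeader     Location: http://www.amazon.com
*   << Request  >> 2296134
-   ReqHeader      User-Agent: Firefox
-   VCL_call       HIT
-   RespStatus     302
-   RespHeader     Cache-Control: max-age=2592000
-   RespHeader     Location: http://www.amazon.com
"""
def parse_transactions(text):
    """Split varnishlog text into (xid, [(tag, value), ...]) pairs."""
    txs = []
    for line in text.splitlines():
        if line.startswith("*"):
            txs.append((line.split(">>")[-1].strip(), []))
        elif line.startswith("-") and txs:
            tag, _, value = line[1:].strip().partition(" ")
            txs[-1][1].append((tag, value.strip()))
    return txs
def header(tags, kind, name):
    """Value of header `name` (case-insensitive) under tag `kind`, else None."""
    for tag, value in tags:
        if tag == kind and value.lower().startswith(name.lower() + ":"):
            return value.split(":", 1)[1].strip()
def flag_cached_external_redirects(text, site_host, min_max_age=3600):
    """3xx responses Varnish stored (MISS) or served (HIT) that leave site_host with a long max-age."""
    flagged = []
    for xid, tags in parse_transactions(text):
        # first of HIT/MISS/PASS in the VCL_call sequence tells us the cache outcome
        outcome = next((v for t, v in tags if t == "VCL_call" and v in ("HIT", "MISS", "PASS")), "PASS")
        status = next((v for t, v in tags if t == "RespStatus"), "")
        location = header(tags, "RespHeader", "Location")
        if outcome == "PASS" or not status.startswith("3") or location is None:
            continue
        ages = re.findall(r"max-age=(\d+)", header(tags, "RespHeader", "Cache-Control") or "")
        max_age = int(ages[0]) if ages else 0
        # a relative Location has no hostname and therefore stays on site_host
        if (urlsplit(location).hostname or site_host) != site_host and max_age >= min_max_age:
            flagged.append({"xid": xid, "outcome": outcome, "location": location,
                            "max_age": max_age, "ua": header(tags, "ReqHeader", "User-Agent")})
    return flagged
```

On the Varnish side, setting beresp.uncacheable = true in vcl_backend_response for such responses (a hit-for-pass in Varnish 4) keeps the redirect out of the cache, but the 302 itself is produced by the backend, so that is where the cause has to be found.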