  1. #1

    Apache server compromised?

    Hi,

    Let me preface this by saying that I'm not a linux guru, or even really an administrator, but because of various shufflings of staff, reorgs and resignations, I'm now responsible for the web server, at least for the time being.

    This is running some version of Linux and Apache, but I don't know what versions, or how to get the versions. The potential problem I've discovered is that in the log files, we are seeing GET requests for completely external websites. Why would this be? Here is a sample of what our logs look like:

    I don't have 5 posts so it won't let me post the log. I'll try to post it below!

    Note that none of those sites are ones that we are supposed to be serving up. Are we being used as a proxy server? What can we do to block this, if it is in fact a problem?

  2. #2
    Let's see if I can post it now:

    61.138.238.206 - - [20/Nov/2005:04:02:11 -0500] "GET http://oz.valueclick.com/cycle?host=...;msizes=728x90 HTTP/1.0" 404 329 "http://www.usa.com/" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 95)"
    201.145.131.159 - - [20/Nov/2005:04:02:11 -0500] "GET http://l10.login.scd.yahoo.com/confi...sswd=Password1 HTTP/1.0" 404 336 "-" "-"
    69.148.190.220 - - [20/Nov/2005:04:02:18 -0500] "GET http://l10.login.scd.yahoo.com/confi...sswd=Password1 HTTP/1.0" 404 336 "-" "-"
    61.138.238.206 - - [20/Nov/2005:04:02:19 -0500] "GET http://oz.valueclick.com/cycle?host=...;msizes=728x90 HTTP/1.0" 404 329 "http://www.radio.fm/search.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    61.138.238.206 - - [20/Nov/2005:04:02:34 -0500] "GET http://oz.valueclick.com/cycle?host=...;msizes=728x90 HTTP/1.0" 404 329 "http://www.dogomania.com/" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
    71.65.195.47 - - [20/Nov/2005:04:03:08 -0500] "GET http://data.alexa.com/data/Pq3b012ef...fficbroker.com HTTP/1.0" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
    71.65.195.47 - - [20/Nov/2005:04:03:08 -0500] "GET http://www.realtrafficbroker.com HTTP/1.0" 200 25579 "-" "-"
    www.caprica.com - - [20/Nov/2005:04:03:32 -0500] "GET http://www.starmatch.com/cgi-bin/hor...?md=info&sgn=1 HTTP/1.0" 404 345 "-" "-"
    Last edited by boxmonkey; 11-22-2005 at 04:57 PM.

  3. #3
    I think that's just the proxy probe scripts scanning. Not to be concerned.

  4. #4
    Proxy probe scripts? What's that?

  5. #5
    Quote Originally Posted by boxmonkey
    Proxy probe scripts? What's that?
    Various scripts/worms are testing your apache setup to see if it is vulnerable enough for them to use your server to hide their attacks on other servers. The "404" (i.e., the status code) that you see on each line (after the "HTTP/1.0") shows that your apache setup denied the script access.
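
    An added example, not code from the thread or from any of its posters: a small Python triage script that does what the reply above describes by hand. It parses Apache "combined" log lines, picks out proxy-style requests (an absolute URI such as `GET http://other.host/...` in the request line, or a `CONNECT` tunnel), counts them per status code and per source address, and lists the ones the server did not answer with a 4xx/5xx, since those are the lines worth a second look. The sample log is constructed for the example (example.* hostnames); the function names are my own.

```python
import re
from collections import Counter

# Apache "combined" log format:
#   host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A request target that starts with a URI scheme ("http://...") asks the server
# to fetch a resource on some other host, i.e. to act as a forward proxy.
ABSOLUTE_URI = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*://')

# Constructed sample in the shape of the thread's log; not the original lines.
SAMPLE_LOG = """\
61.138.238.206 - - [20/Nov/2005:04:02:11 -0500] "GET http://ads.example/cycle?x=1 HTTP/1.0" 404 329 "http://www.example.com/" "Mozilla/4.0"
201.145.131.159 - - [20/Nov/2005:04:02:11 -0500] "GET http://login.example/config?passwd=x HTTP/1.0" 404 336 "-" "-"
71.65.195.47 - - [20/Nov/2005:04:03:08 -0500] "GET http://www.example.net HTTP/1.0" 200 25579 "-" "-"
10.0.0.5 - - [20/Nov/2005:04:04:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.6 - - [20/Nov/2005:04:04:01 -0500] "CONNECT mail.example:25 HTTP/1.0" 405 0 "-" "-"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_proxy_style(rec):
    """True for a CONNECT tunnel request or an absolute URI in the request line."""
    return rec["method"].upper() == "CONNECT" or bool(ABSOLUTE_URI.match(rec["target"]))


def summarize(log_text):
    """Count proxy-style requests and single out the ones the server did not refuse."""
    total = 0
    attempts = 0
    by_status = Counter()
    by_host = Counter()
    not_refused = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if not is_proxy_style(rec):
            continue
        attempts += 1
        by_status[rec["status"]] += 1
        by_host[rec["host"]] += 1
        # 4xx/5xx: the request was refused or the path was not found.
        # 2xx/3xx: the server produced content for it, so check what was served.
        if rec["status"] < 400:
            not_refused.append(
                (rec["host"], rec["method"], rec["target"], rec["status"], rec["bytes"])
            )
    return {
        "total": total,
        "proxy_attempts": attempts,
        "by_status": dict(by_status),
        "by_host": dict(by_host),
        "not_refused": not_refused,
    }


if __name__ == "__main__":
    # Run against a real file with: summarize(open("/var/log/httpd/access_log").read())
    report = summarize(SAMPLE_LOG)
    print(f"{report['proxy_attempts']} proxy-style requests out of {report['total']} lines")
    print("by status:", report["by_status"])
    print("by source:", report["by_host"])
    for entry in report["not_refused"]:
        print("check:", entry)
```

    A 2xx in the "not refused" list is not by itself proof that the server relayed anything: Apache without proxying enabled treats the path part of the absolute URI as a local path, so `GET http://www.example.net` with an empty path can simply return the site's own front page. Compare the byte count with the size of that local document, and confirm the configuration has `ProxyRequests Off` (the default when mod_proxy is loaded at all). `apachectl -v` prints the Apache version and `apachectl -M` lists the loaded modules, which answers the version question in the first post.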

  6. #6
    It's the same concept as leaving ssh bound to port 22 - if you check the logs you can see multiple attempts from various IP ranges trying to gain root access, or even trying to log in with bogus user names like 'suzie'

  7. #7
    Not to make Suzies everywhere feel 'bogus' and unwanted..

    "or even trying to log in with bogus user names like 'suzie' "
    What's bogus about suzie as a name?

  8. #8
    Indeed! I have lots of users called suzie... (not)

    Alphanumeric usernames all the way!

    Oh and huzzah to non-standard ssh ports

  9. #9
    Almost all Apache requests use either "GET" or "POST" so that is not unusual. Hopefully there has been some Server hardening done though, because when (not if) you get a probe that finds an insecure Form script or something else vulnerable, they are going to use a "GET" and insert their script on your Server.

    Could be their script will be used to send Spam from your Server, so you'll take the heat for any backlash, or could be their script will 'root' your Server. Then you're looking at an OS reinstall and downtime for the Server -- not good.

    Be proactive and verify that somebody has done something to beef up Server security, else have it done ASAP.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  10. #10
    First of all, thanks for making me look like the bad guy -.- lol. Second of all, I think rack911 can do a good amount of hardening for not too high of a price. I think they do apache hardening, but don't quote me.
