topic Re: Alien traffic through my server in Operating System - Linux

Alien traffic through my server

Vernon Brown_3 — Fri, 06 Jun 2003 16:40:07 GMT

In my Apache log file I see thousands of entries like the following:

202.102.138.28 - - [01/Jun/2003:04:02:52 -0500] "GET http://ad.doubleclick.net/adi/N1684.TMP.com/B1151947.27;sz=720x300;ord=2470014? HTTP/1.1" 200 3303 "http://www.entwww.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
211.94.204.40 - - [01/Jun/2003:04:13:57 -0500] "GET http://ad.doubleclick.net/ad/max.travelrate/ros;sz=468x60;ord='%20+%20ord%20+%20'? HTTP/1.0" 302 0 "http://www.travelrate.co.uk/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

Neither the source nor destination are on my server. Does anyone know how this can happen, or better yet, how to stop it.

Re: Alien traffic through my server

Jordan Bean — Fri, 06 Jun 2003 22:24:43 GMT

Sounds like mod_proxy is wide open. Disable it entirely if you can.

If you are using Tomcat backends without the AJP connector, then simply set ProxyRequest Off since it is not needed for ProxyPass.

Re: Alien traffic through my server

Vernon Brown_3 — Fri, 06 Jun 2003 22:34:44 GMT

Yes; mod-proxy was wide open. I need Apache to act as a proxy server for my LAN, but didn't restrict it to my LAN. I'll try to do that.

Thanks

Re: Alien traffic through my server

Jordan Bean — Fri, 06 Jun 2003 22:49:01 GMT

Apache2?

ProxyRequests On

Order deny,allow
Deny from all
Allow from ...

Re: Alien traffic through my server

Vernon Brown_3 — Sat, 07 Jun 2003 01:45:09 GMT

Worked great after a couple of tries!! I am now seeing many access denied proxy requests coming from all over.

Makes me wonder what benifit they get from using my server as a proxy.

Re: Alien traffic through my server

U.SivaKumar_2 — Sat, 07 Jun 2003 02:08:17 GMT

Hi,

Being a ethical hacker I hope I can answer.

I want to attack Victim's webserver through some browser.

i want to use directory transversal exploit or chucked encoding exploit etc .

i know that the victim's server is certainly vulnerable for the above exploits.

I want to hide my real IP address logged in victim's firewall or Webserver. So what I will do is to connect normally to Internet thru some dialin account ( DHCP setup do more good to hackers ). Set the Proxy settings of my Internet browser to point your open proxy.

Now thru my browser i connect to www.victim.com
and work out my attacks or espionage the victim's cgi scripts , OS platform , etc..

your Proxy server will relay my HTTP request packets to victims web server with your own source IP. So my IP address is hidden from the victim's log files. But your open proxy's IP address will be logged in victims log files.

So this open proxies are selected across countries. I will remain untraceable to a greatest extentt mostly because of factors like Political Restrictions , lack of different ISP co-ordination etc..

regards,

U.SivaKumar

Disclaimer: I shall not be liable for any security breach caused by the reader of this thread. This reply is in good faith meant to enlighten the innocents.

Re: Alien traffic through my server

John Collier — Sun, 08 Jun 2003 19:41:17 GMT

Vernon,

I guess you don???t see the beauty of what U.SivaKumar has done for you by posting that reply.

It???s just my humble, uneducated opinion, but I think you really did him an injustice by giving him a single point only for that explanation.

Sorry, I know you didn???t ask for my input on this. I just can???t help but voice my thoughts on this one.

BTW -- Please assign me a 0 for this post. I just wanted to vent???

Have a nice day...

Re: Alien traffic through my server

Vernon Brown_3 — Sun, 08 Jun 2003 21:07:17 GMT

You are right of course. I thought I clicked a 10 but when it came up it was a 1. Since I didn't know how to change it other than to get him to re-post I let it go.

Sorry about that; I'll try to do better.

Vern

Re: Alien traffic through my server

Steven E. Protter — Sun, 08 Jun 2003 21:50:59 GMT

I have a recommendation.

Install iptables immediately.

Keep only those ports open necessary to the operation of your web server.

The following iptables configuration which can be modified and installed in the file /etc/sysconfig/iptables can provide stately proxy services to an entire network while keeping most ports secure.

Modify the config to work with your own network.

I will insert # changeme's above the lines you MUST change.

# Generated by iptables-save v1.2.5 on Sun Oct 20 02:43:53 2002
*nat
:PREROUTING ACCEPT [11:792]
:POSTROUTING ACCEPT [31:2763]
:OUTPUT ACCEPT [31:2763]
-A POSTROUTING -o eth0 -j
# changeme to your network
SNAT --to-source 66.92.143.194
COMMIT
# Completed on Sun Oct 20 02:43:53 2002
# Generated by iptables-save v1.2.5 on Sun Oct 20 02:43:53 2002
*filter
:INPUT ACCEPT [30:2771]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:3507]
:okay - [0:0]
# changeme to your network
-A INPUT -s 192.168.0.0/255.0.0.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
# changeme to your network
-A INPUT -s 66.92.143.194 -i lo -j ACCEPT
# changeme to your network
-A INPUT -s 192.168.0.40 -i eth1 -j ACCEPT
# changeme to your network
-A INPUT -s 192.168.0.255 -i lo -j ACCEPT
# changeme to your network
-A INPUT -d 66.92.143.221 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 123 -j okay
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 2074 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4000 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A okay -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A okay -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A okay -p tcp -j DROP
COMMIT
# Completed on Sun Oct 20 02:43:53 2002

This came off my production SNAT server which is also my backup web server for my 24/7 web hosting business.

SEP

Re: Alien traffic through my server

Vernon Brown_3 — Mon, 09 Jun 2003 12:50:43 GMT

I am using IPchains with similar restrictions to your suggestion. So far the alien traffic is blocked. It seems to be coming from search engines. One; tencent.com out of China was hitting my proxy server thousands of times a day. As soon as I restricted my mod_proxy tencent.com stopped hitting my server. This leads me to think that some search engines automatically scan for open proxy's and exploit them.

Re: Alien traffic through my server

Jerome Henry — Mon, 09 Jun 2003 14:54:26 GMT

You are right !
What is worse, there are lists of opened proxies available at hack sites. SivaKumar really gave you a good advice.
Check in any google 'public proxy' (or proxies) + your public IP, you'll certainly get several sites referencing yours.
There are autoscanners, but they also have webmaster. My advice is to send them a mail asking firmly to remove your IP from the list.
Lats time I had this issue, I warned them that if I hadn't been removed within 2 working days, I would set up a script to flood their IP every time I would be proxy used. Afraid or not, it worked.
Tencent seems to be a normal company, but they may be used as relay from mainland China to scan the rest of the world.
hth
J