HPE Community
Operating System - Linux
1752782 Members
5812 Online
108789 Solutions
New Discussion юеВ

Alien traffic through my server

 
SOLVED
Go to solution
Vernon Brown_3
Advisor

тАО06-06-2003 09:40 AM

тАО06-06-2003 09:40 AM

Alien traffic through my server

In my Apache log file I see thousands of entries like the following:

202.102.138.28 - - [01/Jun/2003:04:02:52 -0500] "GET http://ad.doubleclick.net/adi/N1684.TMP.com/B1151947.27;sz=720x300;ord=2470014? HTTP/1.1" 200 3303 "http://www.entwww.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
211.94.204.40 - - [01/Jun/2003:04:13:57 -0500] "GET http://ad.doubleclick.net/ad/max.travelrate/ros;sz=468x60;ord='%20+%20ord%20+%20'? HTTP/1.0" 302 0 "http://www.travelrate.co.uk/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

Neither the source nor destination are on my server. Does anyone know how this can happen, or better yet, how to stop it.
0 Kudos
Reply
10 REPLIES 10
Jordan Bean
Honored Contributor

тАО06-06-2003 03:24 PM

тАО06-06-2003 03:24 PM

Solution

Re: Alien traffic through my server

Sounds like mod_proxy is wide open. Disable it entirely if you can.

If you are using Tomcat backends without the AJP connector, then simply set ProxyRequest Off since it is not needed for ProxyPass.

Reply
Vernon Brown_3
Advisor

тАО06-06-2003 03:34 PM

тАО06-06-2003 03:34 PM

Re: Alien traffic through my server

Yes; mod-proxy was wide open. I need Apache to act as a proxy server for my LAN, but didn't restrict it to my LAN. I'll try to do that.

Thanks
0 Kudos
Reply
Jordan Bean
Honored Contributor

тАО06-06-2003 03:49 PM

тАО06-06-2003 03:49 PM

Re: Alien traffic through my server

Apache2?

ProxyRequests On

Order deny,allow
Deny from all
Allow from ...


Reply
Vernon Brown_3
Advisor

тАО06-06-2003 06:45 PM

тАО06-06-2003 06:45 PM

Re: Alien traffic through my server

Worked great after a couple of tries!! I am now seeing many access denied proxy requests coming from all over.

Makes me wonder what benifit they get from using my server as a proxy.
0 Kudos
Reply
U.SivaKumar_2
Honored Contributor

тАО06-06-2003 07:08 PM

тАО06-06-2003 07:08 PM

Re: Alien traffic through my server

Hi,

Being a ethical hacker I hope I can answer.

I want to attack Victim's webserver through some browser.

i want to use directory transversal exploit or chucked encoding exploit etc .

i know that the victim's server is certainly vulnerable for the above exploits.

I want to hide my real IP address logged in victim's firewall or Webserver. So what I will do is to connect normally to Internet thru some dialin account ( DHCP setup do more good to hackers ). Set the Proxy settings of my Internet browser to point your open proxy.

Now thru my browser i connect to www.victim.com
and work out my attacks or espionage the victim's cgi scripts , OS platform , etc..

your Proxy server will relay my HTTP request packets to victims web server with your own source IP. So my IP address is hidden from the victim's log files. But your open proxy's IP address will be logged in victims log files.

So this open proxies are selected across countries. I will remain untraceable to a greatest extentt mostly because of factors like Political Restrictions , lack of different ISP co-ordination etc..

regards,

U.SivaKumar

Disclaimer: I shall not be liable for any security breach caused by the reader of this thread. This reply is in good faith meant to enlighten the innocents.


Innovations are made when conventions are broken
0 Kudos
Reply
John Collier
Esteemed Contributor

тАО06-08-2003 12:41 PM

тАО06-08-2003 12:41 PM

Re: Alien traffic through my server

Vernon,

I guess you don???t see the beauty of what U.SivaKumar has done for you by posting that reply.

It???s just my humble, uneducated opinion, but I think you really did him an injustice by giving him a single point only for that explanation.

Sorry, I know you didn???t ask for my input on this. I just can???t help but voice my thoughts on this one.


BTW -- Please assign me a 0 for this post. I just wanted to vent???

Have a nice day...
"I expect to pass through this world but once. Any good, therefore, that I can do, or any kindness that I can show to any human being, let me do it now. Let me not defer or neglect it, for I shall not pass this way again." Stephen Krebbet, 1793-1855
Reply
Vernon Brown_3
Advisor

тАО06-08-2003 02:07 PM

тАО06-08-2003 02:07 PM

Re: Alien traffic through my server

You are right of course. I thought I clicked a 10 but when it came up it was a 1. Since I didn't know how to change it other than to get him to re-post I let it go.

Sorry about that; I'll try to do better.

Vern
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО06-08-2003 02:50 PM

тАО06-08-2003 02:50 PM

Re: Alien traffic through my server

I have a recommendation.

Install iptables immediately.

Keep only those ports open necessary to the operation of your web server.

The following iptables configuration which can be modified and installed in the file /etc/sysconfig/iptables can provide stately proxy services to an entire network while keeping most ports secure.

Modify the config to work with your own network.


I will insert # changeme's above the lines you MUST change.

# Generated by iptables-save v1.2.5 on Sun Oct 20 02:43:53 2002
*nat
:PREROUTING ACCEPT [11:792]
:POSTROUTING ACCEPT [31:2763]
:OUTPUT ACCEPT [31:2763]
-A POSTROUTING -o eth0 -j
# changeme to your network
SNAT --to-source 66.92.143.194
COMMIT
# Completed on Sun Oct 20 02:43:53 2002
# Generated by iptables-save v1.2.5 on Sun Oct 20 02:43:53 2002
*filter
:INPUT ACCEPT [30:2771]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:3507]
:okay - [0:0]
# changeme to your network
-A INPUT -s 192.168.0.0/255.0.0.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
# changeme to your network
-A INPUT -s 66.92.143.194 -i lo -j ACCEPT
# changeme to your network
-A INPUT -s 192.168.0.40 -i eth1 -j ACCEPT
# changeme to your network
-A INPUT -s 192.168.0.255 -i lo -j ACCEPT
# changeme to your network
-A INPUT -d 66.92.143.221 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 123 -j okay
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 2074 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4000 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A okay -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A okay -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A okay -p tcp -j DROP
COMMIT
# Completed on Sun Oct 20 02:43:53 2002



This came off my production SNAT server which is also my backup web server for my 24/7 web hosting business.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Vernon Brown_3
Advisor

тАО06-09-2003 05:50 AM

тАО06-09-2003 05:50 AM

Re: Alien traffic through my server

I am using IPchains with similar restrictions to your suggestion. So far the alien traffic is blocked. It seems to be coming from search engines. One; tencent.com out of China was hitting my proxy server thousands of times a day. As soon as I restricted my mod_proxy tencent.com stopped hitting my server. This leads me to think that some search engines automatically scan for open proxy's and exploit them.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.