[techtalk] HELP! Webserver compromised?!?

jenn at simegen.com
Thu May 3 17:08:56 EST 2001


Brian Sweeney wrote:

> Hey guys-
> 
> Hope somebody's on right now.  Here's the deal.  Our webserver access_log
> (apache) was getting really large really quickly lately; today's been the
> worst.  So I check out the log, and there are TONS of entries from machines
> outside of our domain to other machines outside our domain!
> 
> I checked out the configuration file for apache, and the ProxyRequests On
> directive was set.  I set that to ProxyRequests Off, but it still doesn't
> seem to be helping...it's gotten to where most of the entries are like the
> following:
> 
> 
> <MACHINE OUTSIDE MY DOMAIN> - - [02/May/2001:22:58:40 -0700] "GET
> http://<SITE I'VE NEVER HEARD OF>/image5.jpg" 403 192
> 
> What's going on? Is there some other proxying function in apache that I'm
> unaware of?  Or is this evidence of a compromise?  I'm trying to sweep for
> binary file changes now...

You have the proxying module enabled. So yes, there is a proxying
function in apache that you're unaware of. It's not compromised
(well, not NECESSARILY compromised!), it's just that you left
an exploitable function on. They're using your bandwidth to fetch
pages for them.

To fix it: go to httpd.conf, edit it and comment out any 
reference to mod_proxy. The syntax varies from version to version,
here's ours:

# LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
Jenn V.
-- 
     "Do you ever wonder if there's a whole section of geek culture
             you miss out on by being a geek?" - Dancer.

jenn at simegen.com     Jenn Vesperman     http://www.simegen.com/~jenn/
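Added example, not code from the original post or from Apache: a small Python script that does the two checks the reply implies. The first scans access_log lines for forward-proxy requests (a full URL after the method, or CONNECT) and splits them by status, so you can see whether the server is still fetching pages for strangers (2xx) or merely refusing them (403). The second scans httpd.conf for uncommented lines that load or switch on mod_proxy. Everything below is constructed: the IP addresses and hostnames are documentation examples, the log and config text are invented to resemble what the poster describes, and the AddModule line is assumed Apache 1.3 DSO syntax that the post itself does not show.

```python
"""Two checks for the thread above: is Apache acting as an open proxy, and
does httpd.conf still enable mod_proxy?

Added example; not code from the original post.  All log lines, addresses
and config text are constructed for the demo.
"""
import re
from collections import Counter

# Common Log Format: host ident user [time] "method target [proto]" status bytes.
# The protocol is optional because the line quoted in the thread omits it.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# A forward-proxy request names a full URL ("GET http://other.host/x") rather
# than a path on this server ("GET /x").  CONNECT is only ever a proxy method.
ABSOLUTE_URL_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def parse_line(line):
    """Parse one access_log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def is_proxy_request(entry):
    return entry['method'] == 'CONNECT' or bool(ABSOLUTE_URL_RE.match(entry['target']))


def summarize_proxy_abuse(lines):
    """Count proxy-style requests by status code and by client.

    'served' counts 2xx answers: requests the server actually fetched on the
    client's behalf.  A 403 means the request was refused, which is what you
    want to see once proxying is switched off.
    """
    by_status = Counter()
    clients = Counter()
    served = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_proxy_request(entry):
            continue
        by_status[entry['status']] += 1
        clients[entry['host']] += 1
        if 200 <= entry['status'] < 300:
            served += 1
    return {
        'total': sum(by_status.values()),
        'by_status': dict(by_status),
        'served': served,
        'top_clients': clients.most_common(3),
    }


# Directives that load or switch on proxying.  LoadModule is the line the
# reply shows, ProxyRequests On is what the poster found set, and AddModule is
# the matching Apache 1.3 DSO line (assumed here, not taken from the post).
PROXY_DIRECTIVE_RE = re.compile(
    r'^\s*(ProxyRequests\s+On\b|LoadModule\s+proxy_module\b|AddModule\s+mod_proxy\.c\b)',
    re.IGNORECASE,
)


def active_proxy_directives(config_text):
    """Return (line number, text) for uncommented lines that enable proxying."""
    hits = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith('#'):
            continue  # commented out, as the reply recommends
        if PROXY_DIRECTIVE_RE.match(raw):
            hits.append((n, raw.strip()))
    return hits


# Constructed sample data (documentation IP ranges, example.* hostnames).
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2001:22:58:40 -0700] "GET http://www.example.net/image5.jpg HTTP/1.0" 200 4821
203.0.113.7 - - [02/May/2001:22:58:41 -0700] "GET http://www.example.net/image6.jpg HTTP/1.0" 200 5120
198.51.100.3 - - [02/May/2001:22:59:02 -0700] "GET http://www.example.org/image5.jpg" 403 192
192.0.2.44 - - [02/May/2001:22:59:10 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [02/May/2001:22:59:11 -0700] "GET /images/logo.gif HTTP/1.0" 200 2210
198.51.100.3 - - [02/May/2001:22:59:30 -0700] "CONNECT mail.example.com:25 HTTP/1.0" 403 192
""".splitlines()

SAMPLE_CONF = """\
# LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
AddModule mod_proxy.c
<IfModule mod_proxy.c>
    ProxyRequests On
</IfModule>
"""

SAMPLE_CONF_FIXED = """\
# LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
# AddModule mod_proxy.c
<IfModule mod_proxy.c>
    ProxyRequests Off
</IfModule>
"""

if __name__ == '__main__':
    print(summarize_proxy_abuse(SAMPLE_LOG))
    print('still enabled:', active_proxy_directives(SAMPLE_CONF))
    print('after fix:', active_proxy_directives(SAMPLE_CONF_FIXED))
```

On a real box, feed it `open('/path/to/access_log')` and `open('/path/to/httpd.conf').read()` instead of the samples. Note the config check is line-based: it catches the LoadModule, AddModule and ProxyRequests lines, but a module compiled in statically will not show up as a LoadModule line at all, so `httpd -l` is the complementary check there.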
