[techtalk] HELP! Webserver compromised?!?
Brian Sweeney
bsweeney at physics.ucsb.edu
Wed May 2 23:21:41 EST 2001
Hey guys-
Hope somebody's on right now. Here's the deal. Our webserver access_log
(apache) was getting really large really quickly lately; today's been the
worst. So I check out the log, and there are TONS of entries from machines
outside of our domain to other machines outside our domain!
I checked out the configuration file for apache, and the ProxyRequests On
directive was set. I set that to ProxyRequests Off, but it still doesn't
seem to be helping...it's gotten to where most of the entries are like the
following:
<MACHINE OUTSIDE MY DOMAIN> - - [02/May/2001:22:58:40 -0700] "GET http://<SITE I'VE NEVER HEARD OF>/image5.jpg" 403 192
What's going on? Is there some other proxying function in apache that I'm
unaware of? Or is this evidence of a compromise? I'm trying to sweep for
binary file changes now...
Thanks in advance,
Brian
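
Added example, not part of the original message: one way to triage an access_log like the one described, pulling out requests whose target is an absolute URL (or CONNECT) for a host that is not ours and splitting them by whether the server refused them (4xx/5xx, like the 403 quoted above). The local hostname, client addresses and log lines are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format. The protocol token is optional because the entry quoted
# in the post ("GET http://.../image5.jpg") carries none.
CLF = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^"\s]+)(?: [^"\s]+)?" (\d{3}) (\S+)$')

def proxy_attempts(lines, local_hosts):
    """Yield (client, target_host, status) for requests aimed at foreign hosts."""
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # unparsable line: ignore here, count separately in real use
        client, _when, method, target, status, _size = m.groups()
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0]        # CONNECT host:port
        elif "://" in target:
            host = urlsplit(target).hostname or ""  # absolute-form request target
        else:
            continue  # origin-form (/path): ordinary traffic for this server
        if host.lower() not in local_hosts:
            yield client, host.lower(), int(status)

def summarize(lines, local_hosts):
    """Return (refused, review): per-client counts of foreign-host requests."""
    refused, review = Counter(), Counter()
    for client, _host, status in proxy_attempts(lines, local_hosts):
        # 4xx/5xx: the server turned the request down.
        # Anything else: check whether it was relayed or answered with local content.
        (refused if status >= 400 else review)[client] += 1
    return refused, review

# Constructed sample lines (documentation address ranges, example domains).
SAMPLE = [
    '192.0.2.10 - - [02/May/2001:22:58:40 -0700] "GET http://images.example.net/image5.jpg" 403 192',
    '192.0.2.10 - - [02/May/2001:22:58:41 -0700] "GET http://images.example.net/image6.jpg HTTP/1.0" 403 192',
    '198.51.100.7 - - [02/May/2001:21:10:02 -0700] "GET http://ads.example.org/banner.gif HTTP/1.0" 200 5120',
    '203.0.113.5 - - [02/May/2001:22:59:00 -0700] "GET /index.html HTTP/1.0" 200 2048',
    '203.0.113.9 - - [02/May/2001:22:59:03 -0700] "GET http://www.example.edu/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    refused, review = summarize(SAMPLE, {"www.example.edu"})
    print("refused:", dict(refused))
    print("needs review:", dict(review))
```

Entries in the "needs review" bucket that predate the configuration change are the ones worth comparing against response sizes and timestamps.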