[techtalk] HELP! Webserver compromised?!?
James Sutherland
jas88 at cam.ac.uk
Thu May 3 07:59:03 EST 2001
On Wed, 2 May 2001, Brian Sweeney wrote:
> I checked out the configuration file for apache, and the ProxyRequests On
> directive was set. I set that to ProxyRequests Off, but it still doesn't
> seem to be helping...it's gotten to where most of the entries are like the
> following:
>
> <MACHINE OUTSIDE MY DOMAIN - - [02/May/2001:22:58:40 -0700] "GET
> http://<SITE I'VE NEVER HEARD OF>/image5.jpg" 403 192
>
> What's going on?
An external machine is *trying* to use your webserver as a proxy, then
getting a 403 error (the penultimate item in the log line) because you've
now disabled proxying.
> IS there some other proxying function in apache that I'm unaware of?
No - you are NOT proxying any more.
> Or is this evidence of a compromise? I'm trying to sweep for binary
> file changes now...
No compromise: someone found you're running an open proxy, and started
using it. Now you've closed the proxy, it'll take a while for people to
realise and stop trying to use it. It's no big deal: all they can get from
you now are a load of error messages, and they'll give up soon.
--
Old programmers never die. They just branch to a new address.
-- BSD fortune file
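
Added example, not part of the original message or of the Apache project: a Python check that separates proxy-style requests that were refused (like the 403 lines quoted above) from ones that still got a 2xx/3xx answer and need a closer look. The sample log lines, addresses and the `www.example.org` server name are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')
ABS_URI = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:]+)', re.I)

def classify(line, own_hosts=frozenset()):
    """Return (client, verdict) for a proxy-style request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, request, status = m.groups()
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        u = ABS_URI.match(target)
        if not u:
            return None  # ordinary request for a local path
        host = u.group(1)
    if host.lower() in own_hosts:
        return None  # absolute URI naming this server is not a proxy attempt
    # 4xx/5xx: the attempt was turned away, as in the 403 lines in the thread.
    # 2xx/3xx: review by hand; it was relayed, or the server answered with its
    # own local content (compare the byte count with the local page's size).
    verdict = "refused" if int(status) >= 400 else "answered"
    return client, verdict

def summarize(lines, own_hosts=frozenset()):
    """Count proxy-style requests per (client, verdict)."""
    hits = (classify(line, own_hosts) for line in lines)
    return Counter(h for h in hits if h)

# Constructed sample lines (documentation addresses and example domains).
SAMPLE = [
    '192.0.2.10 - - [02/May/2001:22:58:40 -0700] "GET http://other.example.net/image5.jpg" 403 192',
    '192.0.2.10 - - [02/May/2001:22:58:41 -0700] "GET http://other.example.net/a.jpg HTTP/1.0" 403 192',
    '198.51.100.7 - - [02/May/2001:21:10:02 -0700] "GET http://other.example.net/ HTTP/1.0" 200 5120',
    '198.51.100.7 - - [02/May/2001:21:10:09 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 405 230',
    '203.0.113.5 - - [02/May/2001:21:11:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [02/May/2001:21:11:05 -0700] "GET http://www.example.org/index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for (client, verdict), n in sorted(summarize(SAMPLE, {"www.example.org"}).items()):
        print(f"{client:15} {verdict:9} {n}")
```

Entries dated before the configuration change that show "answered" are the ones worth reviewing; a steady stream of "refused" afterwards matches the behaviour described in the reply.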