[techtalk] HELP! Webserver compromised?!?

Brian Sweeney bsweeney at physics.ucsb.edu
Thu May 3 00:07:10 EST 2001


Yeah, I just this second realized that the lines in the log file had now
changed from 304 to 403's.  Thanks SO MUCH James for responding so fast.  So
glad someone was around to hear my plea =).

Once again, linuxchix makes it so I get to sleep at night...

Cheers,
Brian



> -----Original Message-----
> From: James Sutherland [mailto:jas88 at hermes.cam.ac.uk]On Behalf Of James
> Sutherland
> Sent: Wednesday, May 02, 2001 11:59 PM
> To: Brian Sweeney
> Cc: techtalk at linuxchix.org
> Subject: Re: [techtalk] HELP! Webserver compromised?!?
>
>
> On Wed, 2 May 2001, Brian Sweeney wrote:
>
> > I checked out the configuration file for apache, and the ProxyRequests On
> > directive was set.  I set that to ProxyRequests Off, but it still doesn't
> > seem to be helping...it's gotten to where most of the entries are like the
> > following:
> >
> > <MACHINE OUTSIDE MY DOMAIN - - [02/May/2001:22:58:40 -0700] "GET
> > http://<SITE I'VE NEVER HEARD OF>/image5.jpg" 403 192
> >
> > What's going on?
>
> An external machine is *trying* to use your webserver as a proxy, then
> getting a 403 error (the penultimate item in the log line) because you've
> now disabled proxying.
>
> > IS there some other proxying function in apache that I'm unaware of?
>
> No - you are NOT proxying any more.
>
> > Or is this evidence of a compromise?  I'm trying to sweep for binary
> > file changes now...
>
> No compromise: someone found you're running an open proxy, and started
> using it. Now you've closed the proxy, it'll take a while for people to
> realise and stop trying to use it. It's no big deal: all they can get from
> you now are a load of error messages, and they'll give up soon.
>
> --
> Old programmers never die.  They just branch to a new address.
> 	-- BSD fortune file
>
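
An added example, not part of the original thread: a Python check that picks proxy-style requests (a full URL or CONNECT target in the request line) out of an Apache access log and separates the refused ones (403, as James describes) from any that were still answered. The function names are hypothetical, and the hosts, URLs and log lines are constructed.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# Proxy-style request: the target is a full URL (or CONNECT host:port),
# not a local path beginning with "/".
PROXY_RE = re.compile(r'^(?:[A-Z]+ [a-z][a-z0-9+.-]*://\S+|CONNECT \S+:\d+)', re.I)


def classify(line):
    """Return (host, verdict) for a proxy-style request, None for anything else."""
    m = LINE_RE.match(line)
    if not m or not PROXY_RE.match(m.group("request")):
        return None
    status = int(m.group("status"))
    if status == 403:
        verdict = "refused"       # what the log shows once ProxyRequests is Off
    elif status < 400:
        verdict = "answered"      # not refused: confirm proxying is really off
    else:
        verdict = "other-error"
    return m.group("host"), verdict


def summarize(lines):
    """Count proxy-style requests per (client host, verdict)."""
    return Counter(r for r in map(classify, lines) if r)


# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/May/2001:22:41:03 -0700] "GET http://files.example.net/image5.jpg HTTP/1.0" 304 -',
    '192.0.2.10 - - [02/May/2001:22:58:40 -0700] "GET http://files.example.net/image5.jpg HTTP/1.0" 403 192',
    '198.51.100.7 - - [02/May/2001:22:59:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [02/May/2001:23:01:15 -0700] "CONNECT mail.example.org:25 HTTP/1.0" 403 192',
    '192.0.2.10 - - [02/May/2001:23:02:44 -0700] "GET http://files.example.net/image6.jpg HTTP/1.0" 403 192',
]

if __name__ == "__main__":
    for (host, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:15} {verdict:12} {n}")
```

Any "answered" rows dated after the configuration change and server restart are the ones worth a closer look; rows that are all "refused" match the situation described in the reply above.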




