LinuxQuestions.org
Old 04-15-2004, 08:48 AM   #1
mdavis
LQ Newbie
 
Registered: Sep 2003
Distribution: Redhat 9 & Fedora Core 2
Posts: 15

Rep: Reputation: 0
Apache Logs - Showing unusual domains


I am a Linux newbie - so excuse me if this question seems simplistic although I believe it to be a problem.

I have been reviewing my Apache logs and for the last few weeks I have seen some unusual traffic in those logs. I am running Webalizer on those logs to produce usage graphs. In the section of Webalizer that shows "Top x of xx Total URLs" I see URLs that have nothing to do with my domain. In fact the Webalizer default is to show the top 30 and my domain pages are nowhere to be seen. I see the top domain is log icq com with 593,000 hits! The other domains listed are all foreign to me as well.

This server is just a test/development server that I test code on at my house. It is attached to the Internet via a cable modem and is (supposed to be at least) behind a firewall.

What can cause these log entries? Am I somehow on the Internet in a configuration that I shouldn't be? Please - any advice would be most appreciated.

thanks,
Michael
 
Old 04-15-2004, 02:40 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Could you post some of the entries as well as any pertinent info like: What distro/version are you using, Apache version, any modifications to the default Apache conf file, any content (images) on your site that someone would want to "borrow", etc?

--EDIT---
Make sure to remove/mask any identifiable IPs from the log files before posting

Last edited by Capt_Caveman; 04-15-2004 at 02:41 PM.
 
Old 04-15-2004, 03:24 PM   #3
mdavis
LQ Newbie
 
Registered: Sep 2003
Distribution: Redhat 9 & Fedora Core 2
Posts: 15

Original Poster
Rep: Reputation: 0
I am running Redhat 9 - fully patched (as far as the red hat up2date utility is concerned.)
Apache version - httpd-2.0.40-21.9
link to webalizer

This shows some of the most used log entries via webalizer. As you can see these are not my domains.

As I mentioned earlier this is a test/development machine at home via a cable modem connection. The only content are some family photos.

I also see LOTS of traffic coming across my cable modem. I installed a free sniffer last night and plugged it behind my firewall, turned off all the other machines in the house and sniffed lots of packets. Mostly porn stuff.

Any ideas - is my firewall somehow messed up and letting everything through? or am I reaching with that explanation?

Last edited by mdavis; 04-15-2004 at 03:27 PM.
 
Old 04-20-2004, 01:32 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
On your box or router: log and drop all inbound access to the box except for "known good" addresses. Then review your setup to make sure your Apache doesn't proxy requests.
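
Added example (not part of the original thread): one way to see from the access log whether the server is being asked to proxy is to count requests whose target is an absolute URL or a CONNECT host:port instead of a local path. The function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample access-log lines (common log format, documentation IPs).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Apr/2004:04:11:02 -0500] "GET /photos/index.html HTTP/1.1" 200 5120
198.51.100.7 - - [12/Apr/2004:04:11:09 -0500] "GET http://ads.example.net/banner?id=1 HTTP/1.0" 200 734
198.51.100.7 - - [12/Apr/2004:04:11:10 -0500] "GET http://ads.example.net/banner?id=2 HTTP/1.0" 200 734
203.0.113.5 - - [13/Apr/2004:09:30:41 -0500] "CONNECT mail.example.org:25 HTTP/1.0" 405 312
203.0.113.5 - - [13/Apr/2004:09:30:44 -0500] "POST http://forum.example.com/post.php HTTP/1.1" 200 88
EOF
}

# proxy_hosts: read an access log on stdin and print "count status host" for
# every forward-proxy style request, most frequent first. Requests for local
# paths (target starts with "/") are ignored.
proxy_hosts() {
  awk '{
    # Split on double quotes: q[2] is the request line, q[3] begins with the status.
    n = split($0, q, "\"")
    if (n < 3) next
    split(q[2], req, " ")
    split(q[3], rest, " ")
    method = req[1]; target = req[2]; status = rest[1]
    if (method == "CONNECT") {
      host = target
    } else if (target ~ "^[a-zA-Z][a-zA-Z0-9+.-]*://") {
      host = target
      sub("^[a-zA-Z][a-zA-Z0-9+.-]*://", "", host)   # strip the scheme
      sub("[/?].*$", "", host)                        # strip path and query
    } else next
    sub(":[0-9]+$", "", host)                         # strip the port
    seen[status " " tolower(host)]++
  } END { for (k in seen) print seen[k], k }' | sort -k1,1nr -k2
}

sample_log | proxy_hosts
```

A 200 on such a line is not proof that the request was relayed: with proxying off, Apache can answer an absolute-URL request with a local page, so compare the byte count with the size of your own pages.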
 
Old 04-21-2004, 09:24 AM   #5
mdavis
LQ Newbie
 
Registered: Sep 2003
Distribution: Redhat 9 & Fedora Core 2
Posts: 15

Original Poster
Rep: Reputation: 0
Thanks - the problem was that Apache was set up to accept proxy requests. This was the default behavior because I didn't change it although from what I have read the default is supposed to be OFF not ON.

I changed it to off and that stops the server from acting as a proxy. The next problem is to stop traffic at the firewall level for anyone trying to use it as a proxy.

I want to allow port 80 through (my firewall is another box) if intended for my server but, per your suggestion, stop it at the firewall if someone is trying to use me as a proxy. I am unsure how to write the firewall rule to stop that though.

any help will be greatly appreciated,
Michael
 
Old 04-21-2004, 11:54 AM   #6
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
Quote:
Thanks - the problem was that Apache was set up to accept proxy requests. This was the default behavior because I didn't change it although from what I have read the default is supposed to be OFF not ON.
OK, how do you adjust that? I'm running the same RH9 and default on the Apache. If this is the case, then I want to disable this feature before I move the DNS records over to my server.
 
Old 04-21-2004, 05:35 PM   #7
mdavis
LQ Newbie
 
Registered: Sep 2003
Distribution: Redhat 9 & Fedora Core 2
Posts: 15

Original Poster
Rep: Reputation: 0
This is what I did:
I changed the httpd.conf file.
(vi /etc/httpd/conf/httpd.conf)

I made sure the following lines looked like this:
Code:
ProxyRequests Off
ProxyBlock *

So my entire proxy section looks like this:
Code:
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyBlock *
# <Directory proxy:*>
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
# </Directory>
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
#</Proxy>

#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
ProxyVia Block

#
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
#
#CacheRoot "/etc/httpd/proxy"
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache a-domain.com another-domain.edu joes.garage-sale.com

</IfModule>
# End of proxy directives.


This seems to have worked for me.
 
Old 04-21-2004, 06:23 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Was it actually set to on before? Or was it set to on but commented, like this:

Code:
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Proxy>

#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
#ProxyVia On
The default Redhat httpd.conf should look like the above (at least for the standard Apache included with RHs 8+), with the default being that proxying is off. I'm saying this, because if you didn't modify it, then something abnormal is going on.
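
Added example (not part of the original thread): the commented-versus-active distinction raised above can be checked mechanically by ignoring comment lines and reporting only directives that are in force. The function name and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# proxy_state: read an httpd.conf on stdin and print one of
#   unset            no active ProxyRequests line (built-in default is Off)
#   off              ProxyRequests Off is active
#   on restricted    ProxyRequests On with an active "Deny from all" in a <Proxy> block
#   on unrestricted  ProxyRequests On with no such restriction (open proxy)
proxy_state() {
  awk '
    /^[ \t]*#/ { next }                          # commented line: not in force
    { d = tolower($1) }                          # directive names are case-insensitive
    d == "proxyrequests" { state = tolower($2) } # last active value wins
    d ~ "^<proxy"        { inproxy = 1 }
    d ~ "^</proxy"       { inproxy = 0 }
    inproxy && d == "deny" && tolower($0) ~ /from[ \t]+all/ { deny = 1 }
    END {
      if (state == "")        print "unset"
      else if (state == "on") print (deny ? "on restricted" : "on unrestricted")
      else                    print state
    }'
}

# Constructed sample 1: the stock section with every line commented out.
conf_commented() {
cat <<'EOF'
#<IfModule mod_proxy.c>
#ProxyRequests On
#<Proxy *>
#    Order deny,allow
#    Deny from all
#</Proxy>
EOF
}

# Constructed sample 2: proxying switched on with no access restriction.
conf_open() {
cat <<'EOF'
<IfModule mod_proxy.c>
  ProxyRequests On
</IfModule>
EOF
}

conf_commented | proxy_state
conf_open | proxy_state
```

The function reads a single file; files pulled in with Include and settings inside VirtualHost sections need the same check.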
 
Old 04-21-2004, 07:43 PM   #9
mdavis
LQ Newbie
 
Registered: Sep 2003
Distribution: Redhat 9 & Fedora Core 2
Posts: 15

Original Poster
Rep: Reputation: 0
Capt,
I guess anything is possible. I tracked through logs that the first time I was used as a proxy was in October 2003. It is possible I activated it without knowing its purpose. I have bumbled around Linux for some time now and I haven't logged what I have done.

I think it safe to modify my root's password. I assume root is the only one that can modify that config file? Let me know if I am incorrect about that.

thanks for any comments / suggestions,
Michael
 
Old 04-21-2004, 08:38 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
I think it safe to modify my root's password. I assume root is the only one that can modify that config file? Let me know if I am incorrect about that.

Yes, root should be the only one that can modify it.

Just to be on the side of caution, I would go through and make sure that nothing else appears abnormal: take a look at the /etc/passwd file to see if you see any odd looking users or users besides root with a UID of 0, verify the RPMs (use rpm -Va), as well as look for any other anomalies. You might want to take a look at the CERT intrusion detection checklist for guidelines. You don't need to be overly paranoid, just thorough if you are unsure of how the modification occurred.
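
Added example (not part of the original thread): the two checks named above, written as filters so they can be tried on sample data before being fed the real /etc/passwd and the real output of rpm -Va. The function names and all sample lines are constructed for illustration.

```shell
#!/bin/sh
# uid0_accounts: read passwd-format lines on stdin and print every account
# other than root whose UID field is 0.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# changed_binaries: read `rpm -Va` output on stdin and print files whose
# content digest changed (a "5" in the flags column) and that carry no file
# marker such as "c" (config). An edited httpd.conf is expected to show up
# in rpm -Va; a changed /bin or /usr/sbin file is what deserves a closer look.
changed_binaries() {
  awk '$1 ~ /^[.?A-Z0-9]+$/ && $1 ~ /5/ {
    if (NF >= 3 && $2 ~ /^[cdglr]$/) next   # config, doc, ghost, license, readme
    sub("^[^/]*", "")                       # keep only the path (may contain spaces)
    print
  }'
}

# Constructed sample passwd file.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
sysadm:x:0:0::/tmp:/bin/bash
EOF
}

# Constructed sample of rpm -Va output.
sample_rpm_va() {
cat <<'EOF'
S.5....T c /etc/httpd/conf/httpd.conf
.......T c /etc/sysconfig/iptables
S.5....T   /bin/ls
..5....T   /usr/sbin/sshd
missing    /usr/share/doc/example/README
EOF
}

sample_passwd | uid0_accounts
sample_rpm_va | changed_binaries
```

On a live system the equivalents are `uid0_accounts < /etc/passwd` and `rpm -Va | changed_binaries`.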
 
Old 04-21-2004, 08:50 PM   #11
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
Great, thanks for the info. I'll check and verify I'm safe from proxy use when I get home tonight.
 
Old 04-21-2004, 09:43 PM   #12
mdavis
LQ Newbie
 
Registered: Sep 2003
Distribution: Redhat 9 & Fedora Core 2
Posts: 15

Original Poster
Rep: Reputation: 0
Capt,
Thanks a bunch. I didn't know such a checklist existed. That was great to know it was out there. I'll start digging through my system to see if I can find any other anomalies.

I hope I did this to myself without knowing better.

thanks again,
Michael
 
Old 04-21-2004, 09:44 PM   #13
mdavis
LQ Newbie
 
Registered: Sep 2003
Distribution: Redhat 9 & Fedora Core 2
Posts: 15

Original Poster
Rep: Reputation: 0
Lleb_KCir,
I would be very interested in knowing what you find when you check out your system.

Michael
 
Old 04-21-2004, 10:18 PM   #14
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by mdavis
Capt,
Thanks a bunch. I didn't know such a checklist existed. That was great to know it was out there. I'll start digging through my system to see if I can find any other anomalies.

I hope I did this to myself without knowing better.

thanks again,
Michael
Take a look at unSpawn's security references thread at the top of the security forum. There is an entire section of links there regarding intrusions.
 
Old 04-22-2004, 10:05 PM   #15
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
Mine was not set to accept proxy, and all of the proxy info was remarked out with the #. So I'm set from that at least.
 
  



All times are GMT -5. The time now is 01:32 AM.
