Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
This keeps showing up in my log watch. What is the best way to stop this? I have all software up to date, I run rkhunter, I block certain address ranges in httpd.conf
I don't know about the first, but the second part looks very much like a buffer overflow attack. Someone's trying (or tried) to break into your system. Whether or not they have actually succeeded, I don't know.
Based on Capt.Caveman's response in this thread, the first one may be a spammer looking for a proxy to relay mail. I'd have a look in your Apache logs and as long as these attempts show up with 405, the attempt has failed. The second one is definitely an IIS exploit that can't affect a Linux box. Get used to those because there seem to be a TON of infected IIS boxes out there. I know I see them all the time.
Also, I did nmap on this server (from within the network) and port 25 is not open.
My PIX firewall routes all port 25 traffic to another server, how does this get to my web server anyway? Also, it keeps going on, every day the logs show this.
I'm guessing based on what I read here, so hopefully one of the real experts will chime in.......
Quote:
Also, it keeps going on, every day the logs show this.
Well, if this is a spammer, that isn't surprising. They are using your box to cover their tracks and will probably continue to do so until you stop them. You might want to read through this thread for a discussion on modifying Apache to not allow this.
Quote:
My PIX firewall routes all port 25 traffic to another server, how does this get to my web server anyway?
It's a proxy attempt, so it's trying to use your webserver to pass requests to the host 'msa.hinet.net'. The initial request to your webserver is still on port 80, but it then gets your webserver to connect to port 25 of the remote host. Usually the proxy feature is disabled by default for this very reason (not many people need it and it is highly abusable). See the link Hangdog posted on turning mod_proxy off. You can also use mod_rewrite to drop requests that use the CONNECT method.
Some systems will return the default home page (index.html) to someone making invalid proxy requests. So a '200' status code is returned even though the proxy was unsuccessful. Though I don't believe that is the case here. If I remember correctly, FC and Redhat should return a 405 for someone using the CONNECT method, unless the request is allowed for some reason. So do you have mod_proxy turned on for some reason? Might help if you posted your httpd.conf file.
If that's the case, then each connection attempt in the log should show the exact same number of bytes transferred (8059), otherwise the proxy attempts were successful.
As long as ALL of the CONNECT attempts show 8059 bytes transferred and that is the size of your index.html. Please verify that all of those are correct, otherwise you may be relaying spam.
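One way to run that check over the access log, as an added example that is not from the thread: it assumes Apache's combined log format, takes the size of your index.html as a parameter (8059 is the figure quoted above), and flags CONNECT requests that got a 200 with a different byte count. The log lines are constructed samples, not real traffic.

```python
import re
# Apache combined log format: client, identd, user, [timestamp], "request",
# status, bytes, "referer", "user-agent" (the last two are not needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines modelled on the thread (addresses are documentation
# ranges, not real clients): three CONNECT attempts and one ordinary GET.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2006:03:14:01 -0500] "CONNECT msa.hinet.net:25 HTTP/1.0" 405 8059 "-" "-"
203.0.113.7 - - [10/Mar/2006:03:14:02 -0500] "CONNECT msa.hinet.net:25 HTTP/1.0" 200 8059 "-" "-"
203.0.113.9 - - [10/Mar/2006:03:15:11 -0500] "CONNECT msa.hinet.net:25 HTTP/1.0" 200 12 "-" "-"
198.51.100.4 - - [10/Mar/2006:03:16:00 -0500] "GET /index.html HTTP/1.1" 200 8059 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {"ip": m.group("ip"), "method": parts[0] if parts else "",
            "target": parts[1] if len(parts) > 1 else "",
            "status": int(m.group("status")), "bytes": size}

def classify(rec, index_size):
    """Apply the thread's rule of thumb to one CONNECT record."""
    if rec["status"] in (403, 405):
        return "refused"            # Apache rejected the method: attempt failed
    if rec["status"] == 200 and rec["bytes"] == index_size:
        return "default_page"       # served index.html instead of proxying
    return "suspect"                # 200 with another size: check mod_proxy

def audit_connect(log_text, index_size):
    """Return (ip, target, status, bytes, verdict) for every CONNECT request."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT":
            out.append((rec["ip"], rec["target"], rec["status"], rec["bytes"],
                        classify(rec, index_size)))
    return out

if __name__ == "__main__":
    for row in audit_connect(SAMPLE_LOG, 8059):
        print("%-14s %-22s %3d %6d  %s" % row)
```

Any "suspect" row means the response was neither a refusal nor your default page, so confirm ProxyRequests is off before assuming the attempt failed.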
The Limit directive is a little picky. I actually use mod_rewrite:
RewriteEngine on
# Refuse (403 Forbidden) any request whose method is TRACE or CONNECT
RewriteCond %{REQUEST_METHOD} ^(TRACE|CONNECT)
RewriteRule .* - [F]
Though it's redundant. You need to have the proxy container uncommented and specifically have ProxyRequests set to "On" AND you need to have the port open with the ProxyCONNECT directive. So it's not something you can easily turn on by mistake. I'm not aware of any distro that allows the CONNECT method by default.