LinuxQuestions.org


miragej 10-17-2010 04:29 PM

Apache server being attacked, strange requests.
 
Hey guys,

I'm looking for a bit of advice to a problem I've encountered recently. I run a small home server (Debian 4), which acts as my gateway to the internet (i.e., firewall) and runs a web server, dhcp, dns, and acts as a file server to the rest of the machines on my home network.

Now I know it's never a smart idea to have all those services running on the same machine that is acting as a firewall, but I don't fancy running multiple servers just for home use, as it's mainly allowing me to learn system administration.

Now, on to the problem.
I noticed a few days ago that my internet had become unbearably slow, to the point where I could sometimes not load web pages. I spent a while searching through log files on my gateway, to try and find out what was eating up all of my bandwidth. When I came to apache's access.log file, I was confronted with this:

Code:

204.45.41.82 - - [17/Oct/2010:06:25:10 +0100] "GET http://vewice6.nightmail.ru/marriott-grand-cayma.html HTTP/1.1" 200 36921 "-" "Mozilla/4.0 (compatible; M$
204.45.41.82 - - [17/Oct/2010:06:25:11 +0100] "GET http://malaysiapodcaster.blogspot.com/2006/05/blog-post_11.html HTTP/1.1" 200 58681 "-" "Mozilla/4.0 (com$
204.45.41.82 - - [17/Oct/2010:06:25:03 +0100] "GET http://southbradenton.us/index.php?prim_bg=FxiCcMvpWWZVBGjY&prim_fg=FlFaSPuQDVWlBXozlr&sec_bg=jYXUTrBqnQm$
204.45.41.82 - - [17/Oct/2010:06:25:05 +0100] "GET http://victorville-ca.addresses.com/yellow-pages/name:Post+Offices/zip:92345/listings.html HTTP/1.1" 200 $
204.45.41.82 - - [17/Oct/2010:06:25:07 +0100] "GET http://www.healthysteps.co.nz/join-today/forgot-password.aspx HTTP/1.1" 200 12972 "-" "Mozilla/4.0 (compa$
89.178.24.45 - - [17/Oct/2010:06:25:13 +0100] "GET http://www.google.com.qa/search?hl=en&q=site%3Awebpc.pl&start=600&ie=utf8&oe=utf8&num=100&filter=1 HTTP/1$
204.45.41.82 - - [17/Oct/2010:06:25:06 +0100] "GET http://bitethebiscuit.blogspot.com/2008/05/betty-crocker-cooky-book.html?showComment=1212747900000 HTTP/1$
204.45.41.82 - - [17/Oct/2010:06:25:15 +0100] "GET http://www.oneview.de/add/?URL=http%3A%2F%2Fpreisvergleich.hardware-markt.com%2Farbeitsspeicher--c76RF-f1$
204.45.41.82 - - [17/Oct/2010:06:25:12 +0100] "GET http://www.oneview.de/add/?URL=http%3A%2F%2Felegant-shoppen.marktplatz-netzwerk.de%2Ffestplatten--c77b3-f$
204.45.41.82 - - [17/Oct/2010:06:25:15 +0100] "GET http://www.consultx2.com/comments/feed/ HTTP/1.1" 404 875 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows$
204.45.41.82 - - [17/Oct/2010:06:25:16 +0100] "GET http://www.123foodscience.com/submit_job/ HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windo$
204.45.41.82 - - [17/Oct/2010:06:25:11 +0100] "GET http://anton.teterine.com/blog/tag/dns HTTP/1.1" 200 31462 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Window$
89.178.24.45 - - [17/Oct/2010:06:25:14 +0100] "GET http://www.google.lt/search?hl=en&q=site%3Aleftcoastnoise.info&start=0&ie=utf8&oe=utf8&num=100&filter=1 H$
204.45.41.82 - - [17/Oct/2010:06:25:15 +0100] "GET http://www.speedywap.com/5998/kodak-announced-kodak-z980-digital-camera-with-24x-megazoom/ HTTP/1.1" 200 $
204.45.41.82 - - [17/Oct/2010:06:25:10 +0100] "GET http://gulker.blogspot.com/2006/04/gulker-chris-gulkers-google-home-page.html HTTP/1.1" 200 45234 "-" "Mo$
204.45.66.34 - - [17/Oct/2010:06:25:15 +0100] "GET http://www.google.com.af/search?hl=en&q=%2Frelm.cgi%3Fmode%3D+-intext%22%2Frelm.cgi%3Fmode%3D%22+site%3Ad$
204.45.41.82 - - [17/Oct/2010:06:25:09 +0100] "GET http://thelonghairdiaries.blogspot.com/2008/07/benefit-your-hair-with-apple-cider.html?showComment=121832$
204.45.41.82 - - [17/Oct/2010:06:25:19 +0100] "GET http://www.oneview.de/add/login/;jsessionid=A1F2C32FF4DA9393210BAD13842D0D92?title=Arbeitsspeicher+1.02+G$
204.45.41.82 - - [17/Oct/2010:06:25:11 +0100] "GET http://howto4ever.com/cameras.php?gcscid=24809 HTTP/1.1" 200 34928 "-" "Mozilla/4.0 (compatible; MSIE 6.0$


Multiple requests to my server, for totally random websites. I didn't even know it was possible to make those types of queries to a webserver. The only thing that is on the web server is a browser based torrent client.

I have only shown a small snippet of the log file, but there are around 90k lines to different web addresses, from many different IPs.

What I want to know, is what is happening? :S Why is someone querying MY web server, for web sites totally unrelated to it?

And most of all, how can I stop it?
My initial idea was to try and use iptables to block multiple requests from the same ip within a certain time frame, which I think would work as the server shouldn't really get many queries from external networks.

Anyway, sorry for the long post, but I like to be thorough and try and provide you all with all the info you might need ;)

Any help would be much appreciated,

Josh.
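A detector for the pattern in the log above, written as an added example for this thread (not code from the original post): it parses Apache combined-format lines and flags requests whose request-target is an absolute URI, which is the form a client sends when it treats the server as a forward proxy. The sample lines are constructed from the ones shown, with the truncated fields filled in; the 192.168.1.20 LAN client is an assumption.

```python
import re
from collections import defaultdict

# Regex for the Apache "combined" log format; the request line is split into method, target, version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# A request-target that is an absolute URI (scheme://host/...) is the
# forward-proxy form; a server not meant to proxy normally only sees
# origin-form targets such as /index.html.
ABSOLUTE_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_proxy_request(entry):
    return ABSOLUTE_URI_RE.match(entry["target"]) is not None

def summarize_proxy_abuse(lines):
    """Return {client_ip: {"requests", "served", "bytes"}} for every client that
    sent proxy-style requests. "served" counts 2xx responses, i.e. requests the
    server actually relayed (the "200 (OK)" anomie points at)."""
    report = defaultdict(lambda: {"requests": 0, "served": 0, "bytes": 0})
    for line in lines:
        e = parse_line(line)
        if e is None or not is_proxy_request(e):
            continue
        r = report[e["ip"]]
        r["requests"] += 1
        if e["status"].startswith("2"):
            r["served"] += 1
        if e["bytes"] != "-":
            r["bytes"] += int(e["bytes"])
    return dict(report)

# Constructed sample shaped like the posted lines (truncated fields filled in).
SAMPLE_LOG = """\
204.45.41.82 - - [17/Oct/2010:06:25:10 +0100] "GET http://vewice6.nightmail.ru/marriott-grand-cayma.html HTTP/1.1" 200 36921 "-" "Mozilla/4.0"
204.45.41.82 - - [17/Oct/2010:06:25:15 +0100] "GET http://www.consultx2.com/comments/feed/ HTTP/1.1" 404 875 "-" "Mozilla/4.0"
89.178.24.45 - - [17/Oct/2010:06:25:13 +0100] "GET http://www.google.com.qa/search?hl=en&q=site%3Awebpc.pl HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.168.1.20 - - [17/Oct/2010:06:26:00 +0100] "GET /torrent/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, r in sorted(summarize_proxy_abuse(SAMPLE_LOG).items()):
        print(f"{ip}: {r['requests']} proxied requests, {r['served']} served, {r['bytes']} bytes")
```

Run it against the real access.log (one line per iteration) and the per-IP "served" and "bytes" columns show who relayed the most traffic through the host.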

unSpawn 10-17-2010 05:50 PM

Are you running your web server with a proxy module enabled or are you running a proxy by any chance? Is your "browser based torrent client" only accessible from selected IP addresses or is it open to World? Are there any outgoing connections to TCP/80 right now? What does 'lsof -Pwlni|grep :80' return?

miragej 10-17-2010 06:00 PM

Thanks for the reply.

The proxy module is present in /etc/apache2/mods-enabled/ but I'm fairly sure it's not being used, and no, there isn't another proxy running.

The torrent server is usually open to the world yes, but since this issue, I've blocked any connections to port 80 which are not from my network.
Currently, the output of lsof -Pwlni|grep :80 is:

Code:

apache2  30101        0    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30107      33    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30108      33    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30111      33    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30566      33    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30713      33    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30714      33    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30715      33    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30724      33    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30739      33    3u  IPv6 1148417      TCP *:80 (LISTEN)
apache2  30746      33    3u  IPv6 1148417      TCP *:80 (LISTEN)

Not sure what the whole IPv6 is about, I'm not using IPv6 at all.

Thanks for the help.

unSpawn 10-17-2010 06:30 PM

Quote:

Originally Posted by miragej (Post 4130653)
The proxy module is present in /etc/apache2/mods-enabled/ but I'm fairly sure it's not being used

I don't think you should be "fairly sure": mod_proxy (or any mod_proxy_.*) is either required for use and enabled, or it is not and then it should be disabled (and that goes for all modules), and your web server logs should show requests being denied.


Quote:

Originally Posted by miragej (Post 4130653)
The torrent server is usually open to the world yes, but since this issue, I've blocked any connections to port 80 which are not from my network.

Better late than never I guess...

miragej 10-17-2010 06:39 PM

I appreciate the help, but there's no need to be condescending.

Firstly, when I say it was "open to the world", I meant it is possible to log in to the client externally. It is passworded, so it is not totally "open".

And secondly, I was hoping for some sort of explanation as to how/why these requests were being made, and how/why mod_proxy has anything to do with it.

anomie 10-17-2010 06:40 PM

Absolutely you're being used as a proxy. See the "200 (OK)" status codes?

As mentioned, disable loading of the mod_proxy* modules. After doing so, you may get some syntactical errors when Apache tries to start (which - if they're referring to proxy settings - can of course be commented out or removed).

Blocking the connections is fine, but there's no reason to leave the module enabled if it's not needed.

---

Quote:

Originally Posted by miragej
And secondly, I was hoping for some sort of explanation as to how/why these requests were being made, and how/why mod_proxy has anything to do with it.

Not exactly sure why, but if you scrutinize the requests, at least a couple appear to be someone trying to do something nasty.

mod_proxy has everything to do with it. :) It allows http proxying. They're using your host as a staging point for attacks, info gathering, etc.

miragej 10-17-2010 06:49 PM

Quote:

Originally Posted by anomie (Post 4130681)
Absolutely you're being used as a proxy. See the "200 (OK)" status codes?

As mentioned, disable loading of the mod_proxy* modules. After doing so, you may get some syntactical errors when Apache tries to start (which - if they're referring to proxy settings - can of course be commented out or removed).

Blocking the connections is fine, but there's no reason to leave the module enabled if it's not needed.

---

Not exactly sure why, but if you scrutinize the requests, at least a couple appear to be someone trying to do something nasty.

mod_proxy has everything to do with it. :) It allows http proxying. They're using your host as a staging point for attacks, info gathering, etc.

Excellent, that's exactly what I wanted to know, thanks a lot.

I just realised why I had enabled mod_proxy. It was to allow me to access webmin (usually accessible by domain.com:10000) by a url (domain.com/webmin/). The guide I followed recommended to set Allow ALL in the proxy.conf, which clearly is not good advice.

Thanks again for the info, much appreciated.

PS, just to be sure, I use a2dismod to disable the modules, right?
And how exactly could anyone find out that I had that module enabled?
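The configuration mistake described above, shown as an added example for this thread rather than miragej's actual proxy.conf: a constructed weak fragment (ProxyRequests On together with Allow from all, in the Apache 2.2 access-control syntax Debian 4 ships) beside a corrected one that keeps the /webmin/ reverse proxy but turns forward proxying off, plus a small audit function that tells the two apart. The LAN range 192.168.1.0/24 is an assumption.

```python
import re

# Constructed fragment modelled on the thread: the guide's "Allow from all"
# combined with ProxyRequests On turns the host into an open forward proxy.
WEAK_PROXY_CONF = """\
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /webmin/ http://localhost:10000/
ProxyPassReverse /webmin/ http://localhost:10000/
"""

# Corrected fragment: ProxyPass (reverse proxying) does not need
# ProxyRequests On, so it is switched off, and the <Proxy *> block only
# admits the home LAN (192.168.1.0/24 is an assumed range).
FIXED_PROXY_CONF = """\
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Proxy>
ProxyPass /webmin/ http://localhost:10000/
ProxyPassReverse /webmin/ http://localhost:10000/
"""

def _directives(text):
    """Yield config lines with comments and surrounding whitespace removed."""
    for line in text.splitlines():
        d = line.split("#", 1)[0].strip()
        if d:
            yield d

def audit_proxy_conf(text):
    """Classify a mod_proxy fragment (Apache 2.2 access-control syntax).
    open_proxy is True when forward proxying is on and either no <Proxy *>
    block restricts it or that block allows every client."""
    forward = any(re.match(r"ProxyRequests\s+On$", d, re.I) for d in _directives(text))
    block = re.search(r"<Proxy\s+\*>(.*?)</Proxy>", text, re.I | re.S)
    body = block.group(1) if block else ""
    allow_all = any(re.match(r"Allow\s+from\s+all$", d, re.I) for d in _directives(body))
    return {
        "forward_proxy": forward,
        "allow_all": allow_all,
        "open_proxy": forward and (block is None or allow_all),
    }
```

If the module is not needed at all, a2dismod proxy (and the proxy_* modules) is the stronger fix; the corrected fragment is for the case where the /webmin/ reverse proxy is still wanted.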

anomie 10-17-2010 06:59 PM

My (debian|buntu)-fu no good, but you should be able to directly query the Apache web server binary to learn about which modules it has compiled in, and which it has dynamically loaded.

Example command / output on a Fedora 13 system:
Code:

# httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbm_module (shared)
...

... where "static" is baked in, and "shared" is dynamically loaded (by you - either in the config file or on the command line at invocation time). My best suggestion would be to check your Apache manpages to see how to do the same thing on your system.

The following might provide clues about which pages to review:
Code:

$ apropos apache
or
Code:

$ apropos httpd

miragej 10-17-2010 07:06 PM

With a bit more researching, it seems a2dismod does the trick, and everything is sorted now, thanks a lot.

Any idea how someone could find out that I had that module enabled and what method were they using to send their requests through my server?

marozsas 10-17-2010 07:44 PM

Quote:

Originally Posted by miragej (Post 4130701)
Any idea how someone could find out that I had that module enabled and what method were they using to send their requests through my server?

Nothing fancy here. It is just trial and error. They systematically scan several internet addresses until they find one that has a web server working as a proxy.

The requests are very similar to a direct request (GET) to a server, except that the host and port are included in the request line. Something like this:
Code:

GET http://vewice6.nightmail.ru/marriott-grand-cayma.html HTTP/1.1
Host: vewice6.nightmail.ru
