LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 10-17-2010, 05:29 PM   #1
miragej
LQ Newbie
 
Registered: Nov 2008
Location: South Wales, UK
Distribution: Debian 6, Ubuntu 10.04
Posts: 25

Rep: Reputation: 0
Question Apache server being attacked, strange requests.


Hey guys,

I'm looking for a bit of advice on a problem I've encountered recently. I run a small home server (Debian 4), which acts as my gateway to the internet (i.e., firewall) and runs a web server, dhcp, dns, and acts as a file server to the rest of the machines on my home network.

Now I know it's never a smart idea to have all those services running on the same machine that is acting as a firewall, but I don't fancy running multiple servers just for home use, as it's mainly allowing me to learn system administration.

Now, on to the problem.
I noticed a few days ago that my internet had become unbearably slow, to the point where I could sometimes not load web pages. I spent a while searching through log files on my gateway, to try and find out what was eating up all of my bandwidth. When I came to Apache's access.log file, I was confronted with this:

Code:
204.45.41.82 - - [17/Oct/2010:06:25:10 +0100] "GET http://vewice6.nightmail.ru/marriott-grand-cayma.html HTTP/1.1" 200 36921 "-" "Mozilla/4.0 (compatible; M$
204.45.41.82 - - [17/Oct/2010:06:25:11 +0100] "GET http://malaysiapodcaster.blogspot.com/2006/05/blog-post_11.html HTTP/1.1" 200 58681 "-" "Mozilla/4.0 (com$
204.45.41.82 - - [17/Oct/2010:06:25:03 +0100] "GET http://southbradenton.us/index.php?prim_bg=FxiCcMvpWWZVBGjY&prim_fg=FlFaSPuQDVWlBXozlr&sec_bg=jYXUTrBqnQm$
204.45.41.82 - - [17/Oct/2010:06:25:05 +0100] "GET http://victorville-ca.addresses.com/yellow-pages/name:Post+Offices/zip:92345/listings.html HTTP/1.1" 200 $
204.45.41.82 - - [17/Oct/2010:06:25:07 +0100] "GET http://www.healthysteps.co.nz/join-today/forgot-password.aspx HTTP/1.1" 200 12972 "-" "Mozilla/4.0 (compa$
89.178.24.45 - - [17/Oct/2010:06:25:13 +0100] "GET http://www.google.com.qa/search?hl=en&q=site%3Awebpc.pl&start=600&ie=utf8&oe=utf8&num=100&filter=1 HTTP/1$
204.45.41.82 - - [17/Oct/2010:06:25:06 +0100] "GET http://bitethebiscuit.blogspot.com/2008/05/betty-crocker-cooky-book.html?showComment=1212747900000 HTTP/1$
204.45.41.82 - - [17/Oct/2010:06:25:15 +0100] "GET http://www.oneview.de/add/?URL=http%3A%2F%2Fpreisvergleich.hardware-markt.com%2Farbeitsspeicher--c76RF-f1$
204.45.41.82 - - [17/Oct/2010:06:25:12 +0100] "GET http://www.oneview.de/add/?URL=http%3A%2F%2Felegant-shoppen.marktplatz-netzwerk.de%2Ffestplatten--c77b3-f$
204.45.41.82 - - [17/Oct/2010:06:25:15 +0100] "GET http://www.consultx2.com/comments/feed/ HTTP/1.1" 404 875 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows$
204.45.41.82 - - [17/Oct/2010:06:25:16 +0100] "GET http://www.123foodscience.com/submit_job/ HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windo$
204.45.41.82 - - [17/Oct/2010:06:25:11 +0100] "GET http://anton.teterine.com/blog/tag/dns HTTP/1.1" 200 31462 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Window$
89.178.24.45 - - [17/Oct/2010:06:25:14 +0100] "GET http://www.google.lt/search?hl=en&q=site%3Aleftcoastnoise.info&start=0&ie=utf8&oe=utf8&num=100&filter=1 H$
204.45.41.82 - - [17/Oct/2010:06:25:15 +0100] "GET http://www.speedywap.com/5998/kodak-announced-kodak-z980-digital-camera-with-24x-megazoom/ HTTP/1.1" 200 $
204.45.41.82 - - [17/Oct/2010:06:25:10 +0100] "GET http://gulker.blogspot.com/2006/04/gulker-chris-gulkers-google-home-page.html HTTP/1.1" 200 45234 "-" "Mo$
204.45.66.34 - - [17/Oct/2010:06:25:15 +0100] "GET http://www.google.com.af/search?hl=en&q=%2Frelm.cgi%3Fmode%3D+-intext%22%2Frelm.cgi%3Fmode%3D%22+site%3Ad$
204.45.41.82 - - [17/Oct/2010:06:25:09 +0100] "GET http://thelonghairdiaries.blogspot.com/2008/07/benefit-your-hair-with-apple-cider.html?showComment=121832$
204.45.41.82 - - [17/Oct/2010:06:25:19 +0100] "GET http://www.oneview.de/add/login/;jsessionid=A1F2C32FF4DA9393210BAD13842D0D92?title=Arbeitsspeicher+1.02+G$
204.45.41.82 - - [17/Oct/2010:06:25:11 +0100] "GET http://howto4ever.com/cameras.php?gcscid=24809 HTTP/1.1" 200 34928 "-" "Mozilla/4.0 (compatible; MSIE 6.0$

Multiple requests to my server, for totally random websites. I didn't even know it was possible to make those types of queries to a webserver. The only thing that is on the web server is a browser based torrent client.

I have only shown a small snippet of the log file, but there are around 90k lines to different web addresses, from many different IPs.

What I want to know, is what is happening? :S Why is someone querying MY web server, for web sites totally unrelated to it?

And most of all, how can I stop it?
My initial idea was to try and use iptables to block multiple requests from the same ip within a certain time frame, which I think would work as the server shouldn't really get many queries from external networks.

Anyway, sorry for the long post, but I like to be thorough and try to provide you all with all the info you might need.

Any help would be much appreciated,

Josh.
 
Old 10-17-2010, 06:50 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Rep: Reputation: 3565
Are you running your web server with a proxy module enabled, or are you running a proxy by any chance? Is your "browser based torrent client" only accessible from selected IP addresses, or is it open to the world? Are there any outgoing connections to TCP/80 right now? What does 'lsof -Pwlni|grep :80' return?
 
Old 10-17-2010, 07:00 PM   #3
miragej
LQ Newbie
 
Registered: Nov 2008
Location: South Wales, UK
Distribution: Debian 6, Ubuntu 10.04
Posts: 25

Original Poster
Rep: Reputation: 0
Thanks for the reply.

The proxy module is present in /etc/apache2/mods-enabled/ but I'm fairly sure it's not being used, and no, there isn't another proxy running.

The torrent server is usually open to the world yes, but since this issue, I've blocked any connections to port 80 which are not from my network.
Currently, the output of lsof -Pwlni|grep :80 is:

Code:
apache2   30101        0    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30107       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30108       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30111       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30566       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30713       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30714       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30715       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30724       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30739       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
apache2   30746       33    3u  IPv6 1148417       TCP *:80 (LISTEN)
Not sure what the whole IPv6 is about, I'm not using IPv6 at all.

Thanks for the help.
 
Old 10-17-2010, 07:30 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Rep: Reputation: 3565
Quote:
Originally Posted by miragej View Post
The proxy module is present in /etc/apache2/mods-enabled/ but I'm fairly sure it's not being used
I don't think you should be "fairly sure": mod_proxy (or any mod_proxy_.*) is either required for use and enabled, or it is not and then it should be disabled (and that goes for all modules), and your web server logs should show requests are denied.


Quote:
Originally Posted by miragej View Post
The torrent server is usually open to the world yes, but since this issue, I've blocked any connections to port 80 which are not from my network.
Better late than never I guess...
 
Old 10-17-2010, 07:39 PM   #5
miragej
LQ Newbie
 
Registered: Nov 2008
Location: South Wales, UK
Distribution: Debian 6, Ubuntu 10.04
Posts: 25

Original Poster
Rep: Reputation: 0
I appreciate the help, but there's no need to be condescending.

Firstly, when I say it was "open to the world", I meant it is possible to log in to the client externally. It is passworded, so it is not totally "open".

And secondly, I was hoping for some sort of explanation as to how/why these requests were being made, and how/why mod_proxy has anything to do with it.
 
Old 10-17-2010, 07:40 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Absolutely you're being used as a proxy. See the "200 (OK)" status codes?

As mentioned, disable loading of the mod_proxy* modules. After doing so, you may get some syntactical errors when Apache tries to start (which - if they're referring to proxy settings - can of course be commented out or removed).

Blocking the connections is fine, but there's no reason to leave the module enabled if it's not needed.

---

Quote:
Originally Posted by miragej
And secondly, I was hoping for some sort of explanation as to how/why these requests were being made, and how/why mod_proxy has anything to do with it.
Not exactly sure why, but if you scrutinize the requests, at least a couple appear to be someone trying to do something nasty.

mod_proxy has everything to do with it. It allows http proxying. They're using your host as a staging point for attacks, info gathering, etc.

Last edited by anomie; 10-17-2010 at 07:44 PM. Reason: added stuff after overlapping posts.
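A log check for the pattern anomie describes (absolute-URI request targets that the server answers with 2xx), as an added example that is not code from this thread; the log lines in it are constructed, the IPs are documentation addresses, and a non-2xx answer may come from the remote site as easily as from a proxy refusal:

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format, as in the access.log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return the request fields as a dict, or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_proxy_request(target):
    """True when the request-target is an absolute URI (http://host/...).
    A server that is not forward-proxying only sees origin-form targets
    such as /index.html, so absolute URIs are the tell-tale sign."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def proxy_report(lines):
    """Per client IP: absolute-URI requests answered 2xx (proxying worked),
    those answered otherwise, and the set of remote hosts asked for."""
    served, other, hosts = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_proxy_request(rec["target"]):
            continue
        hosts[rec["ip"]].add(urlsplit(rec["target"]).hostname)
        bucket = served if 200 <= rec["status"] < 300 else other
        bucket[rec["ip"]] += 1
    return served, other, hosts

# Constructed sample modelled on the thread's excerpt (not the real log).
SAMPLE = """\
203.0.113.10 - - [17/Oct/2010:06:25:10 +0100] "GET http://example.net/a.html HTTP/1.1" 200 36921 "-" "Mozilla/4.0"
203.0.113.10 - - [17/Oct/2010:06:25:11 +0100] "GET http://example.org/b.html HTTP/1.1" 200 58681 "-" "Mozilla/4.0"
203.0.113.10 - - [17/Oct/2010:06:25:12 +0100] "GET http://example.org/feed/ HTTP/1.1" 404 875 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Oct/2010:06:25:13 +0100] "GET http://example.com/search?q=x HTTP/1.1" 403 218 "-" "Mozilla/4.0"
192.168.1.5 - - [17/Oct/2010:06:25:14 +0100] "GET /torrent/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    served, other, hosts = proxy_report(SAMPLE.splitlines())
    for ip in sorted(set(served) | set(other)):
        print(f"{ip}: {served[ip]} proxied OK, {other[ip]} non-2xx, "
              f"{len(hosts[ip])} distinct remote hosts")
```

Any IP with a non-zero "proxied OK" count shows the server actually fetched and returned third-party pages, which is what the 200 codes in the original excerpt mean.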
 
Old 10-17-2010, 07:49 PM   #7
miragej
LQ Newbie
 
Registered: Nov 2008
Location: South Wales, UK
Distribution: Debian 6, Ubuntu 10.04
Posts: 25

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anomie View Post
Absolutely you're being used as a proxy. See the "200 (OK)" status codes?

As mentioned, disable loading of the mod_proxy* modules. After doing so, you may get some syntactical errors when Apache tries to start (which - if they're referring to proxy settings - can of course be commented out or removed).

Blocking the connections is fine, but there's no reason to leave the module enabled if it's not needed.

---

Not exactly sure why, but if you scrutinize the requests, at least a couple appear to be someone trying to do something nasty.

mod_proxy has everything to do with it. It allows http proxying. They're using your host as a staging point for attacks, info gathering, etc.
Excellent, that's exactly what I wanted to know, thanks a lot.

I just realised why I had enabled mod_proxy. It was to allow me to access webmin (usually accessible by domain.com:10000) by a url (domain.com/webmin/). The guide I followed recommended to set Allow ALL in the proxy.conf, which clearly is not good advice.

Thanks again for the info, much appreciated.

PS, just to be sure, I use a2dismod to disable the modules, right?
And how exactly could anyone find out that I had that module enabled?

Last edited by miragej; 10-17-2010 at 07:52 PM.
 
Old 10-17-2010, 07:59 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
My (debian|buntu)-fu no good, but you should be able to directly query the Apache web server binary to learn about which modules it has compiled in, and which it has dynamically loaded.

Example command / output on a Fedora 13 system:
Code:
# httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbm_module (shared)
...
... where "static" is baked in, and "shared" is dynamically loaded (by you - either in the config file or on the command line at invocation time). My best suggestion would be to check your Apache manpages to see how to do the same thing on your system.

The following might provide clues about which pages to review:
Code:
$ apropos apache
or
Code:
$ apropos httpd

Last edited by anomie; 10-17-2010 at 08:02 PM.
 
Old 10-17-2010, 08:06 PM   #9
miragej
LQ Newbie
 
Registered: Nov 2008
Location: South Wales, UK
Distribution: Debian 6, Ubuntu 10.04
Posts: 25

Original Poster
Rep: Reputation: 0
With a bit more researching, it seems a2dismod does the trick, and everything is sorted now, thanks a lot.

Any idea how someone could find out that I had that module enabled and what method were they using to send their requests through my server?
 
Old 10-17-2010, 08:44 PM   #10
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,414
Blog Entries: 1

Rep: Reputation: 65
Quote:
Originally Posted by miragej View Post
Any idea how someone could find out that I had that module enabled and what method were they using to send their requests through my server?
Nothing fancy here. It is just by trial and error. They systematically scan several internet addresses until they find one that has a web server working as a proxy.

The requests are very similar to a direct request (GET) to a server, except that the host and port are included in the request. Something like this:
Code:
GET http://vewice6.nightmail.ru/marriott-grand-cayma.html HTTP/1.0
Host: vewice6.nightmail.ru
 