
[cobalt-security] Raq3 Apache Open Proxy?



I had my raq3 attacked by a bunch of porn aficionados who have been using it as an open proxy.

In the logs, I see a couple of different things happening:

1: There are some requests like "CONNECT foo.bar.com:port HTTP/1.0" 
2: There are a million requests for content such as: "GET http://www.porn.com/members/members.shtml HTTP/1.0"

There are no suspicious lines in the http config files. Chkrootkit 0.36 reports clean. I can't find any .htaccess files. Mod_proxy is compiled into the server by default, but is not obviously enabled anywhere.

I've removed all proxying access by adding the following to the access.conf files for the main and admserv processes.

<Directory />
<Limit CONNECT>
        order deny,allow
        deny from all
</Limit>
..
</Directory>

ProxyRequests Off


This is the binary signature:

[root@douglas conf]# md5sum /usr/sbin/httpd 
02d22d43495bd1a465853844ccba092f  /usr/sbin/httpd
[root@douglas conf]# ls -l /usr/sbin/httpd
-rwxr-xr-x   1 root     root      1613740 Jun 24 13:44 /usr/sbin/httpd


My questions: Is this perhaps a very bad set of default settings? Or have I had a rootkit applied? Should I be collecting all of the porn username/password/cookie sets I find? Any buyers for it all?

eric
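The two request shapes the post describes (CONNECT tunnels and GETs for absolute URIs) are exactly what distinguishes forward-proxy traffic from normal requests in an Apache access log. As an added example, not part of the original message, this scanner classifies Common Log Format lines by those two shapes and counts them per client address; the log lines, hostnames and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format), modelled on the
# two request shapes described in the post; hosts and addresses are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2001:13:44:01 -0500] "CONNECT foo.bar.example:25 HTTP/1.0" 200 -
203.0.113.7 - - [24/Jun/2001:13:44:02 -0500] "GET http://www.example.net/members/members.shtml HTTP/1.0" 200 5120
198.51.100.9 - - [24/Jun/2001:13:44:03 -0500] "GET /index.html HTTP/1.0" 200 1042
198.51.100.9 - - [24/Jun/2001:13:44:04 -0500] "GET http://www.example.org/ HTTP/1.1" 403 290
192.0.2.33 - - [24/Jun/2001:13:44:05 -0500] "POST /cgi-bin/form.cgi HTTP/1.0" 200 88
"""

# client, method, request target (HTTP version optional), status code
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})')
# A target like "http://host/path" is a forward-proxy request; a local
# request carries a bare path such as "/index.html".
ABSOLUTE_URI_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*://')

def classify(line):
    """Return 'connect', 'forward' or None for one CLF line.

    'connect': CONNECT tunnel request (relays arbitrary TCP through the server).
    'forward': any other method whose target is an absolute URI.
    Counting is independent of the status code, so attempts that were already
    refused (e.g. 403) still show up and reveal who is probing the proxy.
    """
    m = CLF_RE.match(line)
    if not m:
        return None
    method, target = m.group(2), m.group(3)
    if method.upper() == "CONNECT":
        return "connect"
    if ABSOLUTE_URI_RE.match(target):
        return "forward"
    return None

def proxy_abuse_report(log_text):
    """Count proxy-style requests per client address and per kind."""
    by_client, by_kind = Counter(), Counter()
    for line in log_text.splitlines():
        kind = classify(line)
        if kind:
            by_client[line.split(" ", 1)[0]] += 1
            by_kind[kind] += 1
    return by_client, by_kind

if __name__ == "__main__":
    clients, kinds = proxy_abuse_report(SAMPLE_LOG)
    print("proxy-style requests by kind:", dict(kinds))
    for addr, n in clients.most_common():
        print(f"{addr}: {n} proxy-style request(s)")
```

Run against a real access_log instead of SAMPLE_LOG to see whether the abuse continues after setting ProxyRequests Off; refused forward requests will appear with a 403 status.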