[cobalt-security] Raq3 Apache Open Proxy?
- Subject: [cobalt-security] Raq3 Apache Open Proxy?
- From: eric <eric-raq@xxxxxxxxxx>
- Date: Tue, 03 Sep 2002 16:23:02 -0700
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I had my raq3 attacked by a bunch of porn aficionados who have been using it as an open proxy.
In the logs, I see a couple of different things happening:
1: There are some requests like "CONNECT foo.bar.com:port HTTP/1.0"
2: There are a million requests for content such as: "GET http://www.porn.com/members/members.shtml HTTP/1.0"
There are no suspicious lines in the http config files. Chkrootkit 0.36 reports clean. I can't find any .htaccess files. Mod_proxy is compiled into the server by default, but is not obviously enabled anywhere.
I've removed all proxying access by adding the following to the access.conf files for the main and admserv processes.
<Directory />
    <Limit CONNECT>
        order deny,allow
        deny from all
    </Limit>
    ..
</Directory>
ProxyRequests Off
This is the binary signature:
[root@douglas conf]# md5sum /usr/sbin/httpd
02d22d43495bd1a465853844ccba092f /usr/sbin/httpd
[root@douglas conf]# ls -l /usr/sbin/httpd
-rwxr-xr-x 1 root root 1613740 Jun 24 13:44 /usr/sbin/httpd
My questions: Is this perhaps a very bad set of default settings? Or have I had a rootkit applied? Should I be collecting all of the porn username/password/cookie sets I find? Any buyers for it all?
eric
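
An added example, not part of the original message: a small log check for the two request patterns described above (CONNECT and GET with a full http:// URL), useful for confirming that the access.conf change is being applied. It assumes Common Log Format access logs; the function names, sample lines and hostnames are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')
SCHEME = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify(request):
    """Return 'connect', 'absolute-uri' or None for a logged request line."""
    parts = request.split()
    if len(parts) < 2:
        return None
    if parts[0].upper() == "CONNECT":
        return "connect"
    if SCHEME.match(parts[1]):
        return "absolute-uri"
    return None

def scan(lines, local_hosts=()):
    """Count proxy-style requests per (client, kind, status class)."""
    local = {h.lower() for h in local_hosts}
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, request, status = m.groups()
        kind = classify(request)
        if kind is None:
            continue
        if kind == "absolute-uri":
            host = (urlsplit(request.split()[1]).hostname or "").lower()
            if host in local:
                continue  # absolute URI naming this server is ordinary HTTP
        # A 2xx only means the request was not refused; Apache can answer a
        # foreign absolute URI with its own pages, so 2xx rows need follow-up.
        hits[(client, kind, status[0] + "xx")] += 1
    return hits

# Constructed sample lines (documentation addresses, example hostnames).
SAMPLE = [
    '192.0.2.10 - - [03/Sep/2002:15:01:10 -0700] "CONNECT host.example.net:443 HTTP/1.0" 200 0',
    '192.0.2.10 - - [03/Sep/2002:15:01:12 -0700] "GET http://members.example.org/members.shtml HTTP/1.0" 200 5120',
    '198.51.100.7 - - [03/Sep/2002:16:40:02 -0700] "CONNECT host.example.net:443 HTTP/1.0" 403 210',
    '198.51.100.7 - - [03/Sep/2002:16:40:05 -0700] "GET /index.html HTTP/1.0" 200 1024',
    '203.0.113.5 - - [03/Sep/2002:16:41:00 -0700] "GET http://www.raq.example/ HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for key, n in sorted(scan(SAMPLE, ["www.raq.example"]).items()):
        print(n, *key)
```

After the deny rule is in place, new CONNECT rows should show up only in the 4xx class; any that still land in 2xx point at a config file or virtual host the rule did not reach.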