
RE: [cobalt-security] Raq3 Apache Open Proxy?



Howdy

eric wrote:
> I had my raq3 attacked by a bunch of porn aficionados who 
> have been using it as an open proxy.

Hopefully simply trying to use it. See below:

> In the logs, I see a couple of different things happening:
> 
> 1: There are some requests like "CONNECT foo.bar.com:port HTTP/1.0" 
> 2: There are a million requests for content such as :"GET 
> http://www.porn.com/members/members.shtml HTTP/1.0"

You missed one vital point from your log lines: what is the return code? If you see requests like those followed by the pattern " 200 nnnnnn" where nnnnnn is a positive integer (the data size) then yes, they've managed to proxy-rape your system. If you see any 4xx or 5xx codes, they failed.

> I've removed all proxying access by adding the following to 
> the access.conf files for the main and admserv processes.

Right on, that will disable the CONNECT method.

Let us know what the return codes were.

This follows an interesting discussion on a SecurityFocus mailing list to which I subscribe, where people with Apache version < 1.3.26 are seeing this very frequently. I'd suggest you pop your server's IP address into Google and see if it turns up anywhere - it could be on an open proxy list, however mistakenly.

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
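
The return-code check described in the message above, as an added example that is not part of the original e-mail: it picks proxy-style requests (CONNECT, or GET with a full URL) out of an Apache access log and sorts them by status code. The log lines are constructed samples in Common Log Format, and the names `classify` and `scan` are made up for this sketch.

```python
import re

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation addresses and example hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jul/2002:10:01:02 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 312
192.0.2.11 - - [12/Jul/2002:10:01:05 +0100] "GET http://www.example.org/members/members.shtml HTTP/1.0" 200 18342
192.0.2.12 - - [12/Jul/2002:10:01:09 +0100] "GET http://www.example.org/index.html HTTP/1.0" 403 289
192.0.2.13 - - [12/Jul/2002:10:01:11 +0100] "GET /index.html HTTP/1.0" 200 5120
192.0.2.14 - - [12/Jul/2002:10:01:15 +0100] "CONNECT irc.example.net:6667 HTTP/1.0" 200 0
"""

def classify(line):
    """Return None for ordinary requests, else (verdict, host, request, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    # A proxy-style request names a remote host: CONNECT host:port, or a full URL.
    is_proxy = method == "CONNECT" or target.lower().startswith(
        ("http://", "https://", "ftp://"))
    if not is_proxy:
        return None
    status = int(m["status"])
    if 200 <= status < 300:
        verdict = "succeeded"      # " 200 nnnnnn": the request was answered
    elif status >= 400:
        verdict = "failed"         # 4xx or 5xx: the attempt was refused
    else:
        verdict = "check"          # anything else needs a manual look
    return verdict, m["host"], f"{method} {target}", status

def scan(log_text):
    """Classify every line and keep only the proxy-style requests."""
    hits = (classify(line) for line in log_text.splitlines())
    return [h for h in hits if h is not None]

if __name__ == "__main__":
    for verdict, host, request, status in scan(SAMPLE_LOG):
        print(f"{verdict:9} {status} {host:15} {request}")
```

A 200 on a full-URL GET can also be Apache answering with one of its own local pages, so compare the logged byte count with your own content before treating the line as a relayed request.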