
[cobalt-security] Re: Raq3 Apache Open Proxy?

please cc me on replies, as I'm on the digest.

>eric wrote:
>> I had my raq3 attacked by a bunch of porn aficionados who 
>> have been using it as an open proxy.

>Hopefully simply trying to use it. See below:

No, succeeding. Redlining a T1. Starting on a holiday weekend. Ending on my birthday. Grr.

>> In the logs, I see a couple of different things happening:
>> 1: There are some requests like "CONNECT foo.bar.com:port HTTP/1.0" 
>> 2: There are a million requests for content such as :"GET 
>> http://www.porn.com/members/members.shtml HTTP/1.0"

>You missed one vital point from your log lines: what is the return code?

200, 302, 400, 503, depending on the connection and if I had firewalled/changed the configuration. 

>> I've removed all proxying access by adding the following to 
>> the access.conf files for the main and admserv processes.

>Right on, that will disable the CONNECT method.

It disables CONNECT, and turns off mod_proxy, which is compiled in. The actual proxying of webpages was the big bandwidth hit.

>This follows an interesting discussion on a SecurityFocus mailing list to
>which I subscribe, where people with Apache version < 1.3.26 are seeing 
>this very frequently. I'd suggest you pop your server's IP address into 
>Google and see if it turns up anywhere - it could be on an open proxy list, 
>however mistakenly.

It's on 2 of them. So I guess I'm in for a load more of these requests for a while. I saw a ref to this from March of this year, with a big long list of vulnerable configs (not including cobalt).

Can someone with a default configuration Raq3 check to see if this happens with their system? 

I'd really like to know if this is a systemic problem that I've fixed with the config file changes, or if I have to completely rebuild my raq because there's a backdoor that chkrootkit can't find. 
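Checking what the return codes on those log lines actually say, as an added example (Python; not from anyone on this list): it parses Apache access-log lines, flags CONNECT requests and GETs for absolute URIs, and separates the ones the server actually relayed (2xx/3xx) from the ones it refused. The log lines are constructed.

```python
import re
from collections import Counter

# Constructed Apache common-log-format lines (sample data, not a real log).
SAMPLE_LOG = """\
203.0.113.10 - - [25/May/2002:10:01:02 -0400] "CONNECT foo.bar.com:25 HTTP/1.0" 200 0
203.0.113.10 - - [25/May/2002:10:01:05 -0400] "GET http://www.example.com/members/members.shtml HTTP/1.0" 200 5120
198.51.100.7 - - [25/May/2002:10:02:00 -0400] "GET http://www.example.com/members/members.shtml HTTP/1.0" 403 221
192.0.2.44 - - [25/May/2002:10:02:30 -0400] "GET /index.html HTTP/1.0" 200 1433
198.51.100.7 - - [25/May/2002:10:03:10 -0400] "CONNECT foo.bar.com:443 HTTP/1.0" 405 0
"""

# ip ident user [timestamp] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_proxy_request(method, target):
    """CONNECT, or a request line whose target is an absolute URI, is proxy-style:
    a plain origin request asks for a path like /index.html, not http://host/..."""
    if method.upper() == "CONNECT":
        return True
    return target.lower().startswith(("http://", "https://"))


def summarize_proxy_requests(log_text):
    """Count proxy-style requests per client IP, split by whether the server
    relayed them (2xx/3xx: the bandwidth hit) or refused them (4xx/5xx)."""
    served, refused, by_status = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_proxy_request(m["method"], m["target"]):
            continue
        status = int(m["status"])
        by_status[status] += 1
        if 200 <= status < 400:
            served[m["ip"]] += 1
        else:
            refused[m["ip"]] += 1
    return {"served": served, "refused": refused, "by_status": by_status}


if __name__ == "__main__":
    result = summarize_proxy_requests(SAMPLE_LOG)
    print("relayed per IP:", dict(result["served"]))
    print("refused per IP:", dict(result["refused"]))
    print("status codes:  ", dict(result["by_status"]))
```

Run it against the real access_log instead of SAMPLE_LOG; a non-empty "relayed" bucket after the config change means the proxy is still open.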
