[cobalt-security] Re: Raq3 Apache Open Proxy?
- Subject: [cobalt-security] Re: Raq3 Apache Open Proxy?
- From: eric <eric-raq@xxxxxxxxxx>
- Date: Wed, 04 Sep 2002 09:18:39 -0700
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
please cc me on replies, as I'm on the digest.
>eric wrote:
>> I had my raq3 attacked by a bunch of porn aficionados who
>> have been using it as an open proxy.
>Hopefully simply trying to use it. See below:
No, succeeding. Redlining a T1. Starting on a holiday weekend. Ending on my birthday. Grr.
>> In the logs, I see a couple of different things happening:
>>
>> 1: There are some requests like "CONNECT foo.bar.com:port HTTP/1.0"
>> 2: There are a million requests for content such as :"GET
>> http://www.porn.com/members/members.shtml HTTP/1.0"
>You missed one vital point from your log lines: what is the return code?
200, 302, 400, 503, depending on the connection and if I had firewalled/changed the configuration.
>> I've removed all proxying access by adding the following to
>> the access.conf files for the main and admserv processes.
>Right on, that will disable the CONNECT method.
It disables CONNECT, and turns off mod_proxy, which is compiled in. The actual proxying of webpages was the big bandwidth hit.
>This follows an interesting discussion on a SecurityFocus mailing list to
>which I subscribe, where people with Apache version < 1.3.26 are seeing
>this very frequently. I'd suggest you pop your server's IP address into
>Google and see if it turns up anywhere - it could be on an open proxy list,
>however mistakenly.
It's on 2 of them. So I guess I'm in for a load more of these requests for a while. I saw a ref to this from March of this year, with a big long list of vulnerable configs (not including cobalt).
So.
Can someone with a default configuration Raq3 check to see if this happens with their system?
I'd really like to know if this is a systemic problem that I've fixed with the config file changes, or if I have to completely rebuild my raq because there's a backdoor that chkrootkit can't find.
eric
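The thread turns on two things visible in the access log: requests that only make sense to a proxy (CONNECT tunnels and absolute-URI GETs) and whether the server answered them with a 2xx/3xx or refused them. The following script, an added example that is not part of the original thread and not a Cobalt tool, classifies Apache Common Log Format lines on exactly that basis so an operator can tell abuse attempts from abuse that succeeded; the log lines are constructed samples using documentation addresses.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache Common Log Format); not from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2002:02:14:01 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 200 0
203.0.113.7 - - [31/Aug/2002:02:14:05 -0700] "GET http://www.example.com/members/members.shtml HTTP/1.0" 200 48211
198.51.100.9 - - [31/Aug/2002:02:15:22 -0700] "GET /index.html HTTP/1.0" 200 1830
198.51.100.9 - - [31/Aug/2002:02:15:40 -0700] "GET http://www.example.com/pics/1.jpg HTTP/1.0" 302 310
203.0.113.7 - - [01/Sep/2002:09:01:00 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 400 0
192.0.2.44 - - [01/Sep/2002:09:02:13 -0700] "GET http://www.example.org/ HTTP/1.0" 503 0
"""

# client, ident, user, [timestamp], "METHOD target HTTP/x.y", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def is_proxy_request(method, target):
    """A CONNECT, or a request whose target is an absolute URI rather than a
    local path, is a request for the server to act as a proxy."""
    return method == "CONNECT" or target.lower().startswith(("http://", "https://"))


def analyse(log_text):
    """Return (proxy attempts per client, proxy requests actually served per
    client, bytes relayed by the served ones)."""
    attempts, served, relayed_bytes = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_proxy_request(m["method"], m["target"]):
            continue
        attempts[m["client"]] += 1
        # 2xx/3xx: the proxy answered (the bandwidth hit). 4xx/5xx: refused or overloaded.
        if m["status"][0] in "23":
            served[m["client"]] += 1
            relayed_bytes += 0 if m["bytes"] == "-" else int(m["bytes"])
    return attempts, served, relayed_bytes


if __name__ == "__main__":
    attempts, served, relayed = analyse(SAMPLE_LOG)
    for client, n in attempts.most_common():
        print(f"{client}: {n} proxy requests, {served[client]} served")
    print(f"bytes relayed through the proxy: {relayed}")
```

Run it against the real access_log after applying the access.conf changes from the thread: the attempt counts should stay high while the open-proxy lists keep sending traffic, but the served count and relayed bytes should drop to zero.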