Date: Sun, 9 Apr 2006 12:31:53 -0400 From: "fbsd_user" <fbsd_user@a1poweruser.com> To: "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG> Subject: RE: web server attack (solution & warning) Message-ID: <MIEPLLIBMLEEABPDBIEGCEHDHEAA.fbsd_user@a1poweruser.com> In-Reply-To: <4435ADF5.4020102@vonostingroup.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I received this reply from another list. Going back to the very beginning of your first post - those web requests you listed as seeing are a bit troublesome. They all seem to be probes against your web server to verify if you can be used as an open proxy server. The first two requests are from SOCKS proxy checkers, the 3rd is an HTTP CONNECT check to see if your server will connect to an SMTP host (for use by SPAMMERS) and the last is a request to a normal website. The probes themselves are not what worries me, as these happen all the time. What worries me are the status codes returned by your web server - 200 OK. This normally means that your server processed these requests successfully. Are you using mod_security to return bogus HTTP Response Codes??? I sure hope so, otherwise you need to disable the mod_proxy module ASAP. I checked my Apache httpd.conf file. The FreeBSD port of the Apache13 activates a lot of standard dso modules and one of then is the proxy module. I had thought those dso modules had to have a directive coded for it before it became active. I see now that is not true. I commented out the load for the proxy module in my httpd.conf file. Since many people install the apache port for apache 13 and 2 all these people have servers that are open for abuse and do not know it. The proxy dso module should not be included in the apache port. Apache port user be ware. Make sure you don't have mod_proxy enabled in Apache....
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGCEHDHEAA.fbsd_user>