On Sun, Mar 30, 2014 at 4:37 AM, Jameson <imntreal@gmail.com> wrote:
I'm seeing some very strange behavior from my Apache web server, and I'm afraid it may have been compromised. Every time I start it, my router is saturated with the maximum number of connections it can handle, and my access_log starts filling with lines like:
Do you know what looks interesting from your log? Take for example this line:
199.83.93.35 - - [29/Mar/2014:22:04:54 -0400] "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151
See? The request asks for all the URL, http:// and host name included, just as if you were a proxy. The normal GET request for a web server asks only for the file part ("/pixel.png" in this case).

But the most interesting part is that your Apache is replying with "200", that is OK! And the 151 is the real size of this file, I just checked with "curl http://ro2.biz/pixel.png | wc -c". I would expect your server to reply with an error to such a request, not to reply with the real file.

So my guess is that you have your Apache configured as an unrestricted proxy, somebody discovered it, and is abusing it.

Hope this helps.

-- Rodrigo
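
Added example, not part of the original message: a Python sketch that scans Common Log Format lines for the pattern described above, a request line naming a foreign host that the server answered with a success status. The function names, the `local_hosts` parameter and every sample line except the first (the one quoted in the message) are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')
ABSOLUTE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

def classify(line, local_hosts=()):
    """Return (client, target, status, verdict), or None if the line does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    client, request, status = m.group(1), m.group(2).split(), int(m.group(3))
    if len(request) < 2:
        return None                                   # e.g. "-" logged for a timeout
    method, target = request[0].upper(), request[1]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0].lower()       # CONNECT host:port
    elif ABSOLUTE.match(target):
        try:
            host = (urlsplit(target).hostname or "").lower()
        except ValueError:
            host = ""
    else:
        return client, target, status, "normal"       # origin-form: GET /path
    if host in local_hosts:
        return client, target, status, "normal"       # absolute-form for our own site
    # Foreign host in the request line: the client is treating us as a proxy.
    verdict = "proxy-suspect" if 200 <= status < 400 else "refused"
    return client, target, status, verdict

def suspects_by_client(lines, local_hosts=()):
    """Count proxy-style requests answered with success, per client address."""
    hits = Counter()
    for line in lines:
        result = classify(line, local_hosts)
        if result and result[3] == "proxy-suspect":
            hits[result[0]] += 1
    return hits

# First line is the one quoted in the message; the rest are constructed samples.
SAMPLE = [
    '199.83.93.35 - - [29/Mar/2014:22:04:54 -0400] "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151',
    '192.0.2.10 - - [29/Mar/2014:22:04:55 -0400] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.11 - - [29/Mar/2014:22:04:56 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 405 312',
    '192.0.2.12 - - [29/Mar/2014:22:04:57 -0400] "GET http://www.example.org/ HTTP/1.1" 200 2048',
    '192.0.2.13 - - [29/Mar/2014:22:04:58 -0400] "-" 408 -',
]

if __name__ == "__main__":
    for client, count in suspects_by_client(SAMPLE, {"www.example.org"}).most_common():
        print(f"{client}\t{count} proxy-style request(s) answered with success")
```

A "proxy-suspect" hit is a lead rather than proof, because a server that is not proxying can also answer 2xx by serving its own content for the path; comparing the logged size with the real remote resource, as done in the message, settles it.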