If you are worried about the possibility of a system compromise here are a few things you could try 1. Check for the presence of any unusual files on your server. A lot of cracks aimed at webservers have the goal of hosting files from the cracked server (usually porn and warez). It might be a good idea to try using a live cd for this because some rootkits can hide the presence of the files from system tools such as the ls command. 2. Use a tool like wireshark to monitor the incoming and outgoing traffic to the server and look for anything unusual (see https://wiki.archlinux.org/index.php/Wireshark) 3.Check the contents of your /etc/passwd file and look for any unusual user accounts (I also recommend a live CD for this). 4. Use the ps command to check the running processes, and look for any ususual processes. A lot of cracks modify the ps . A cracked ps often has a much smaller filesize than a regular ps. 5. Look at the output of the history command to view the past commands used on the server. If it does not return any output or returns commands that you did not enter then this could indicate a problem. 6. Run some rootkit detection programs like chkrootkit or rkhunter (these return a LOT of false positives). 7. Has anything else been acting up with the server? A lot of cracks break other things. ---Theo

Date: Sat, 29 Mar 2014 22:45:35 -0400 From: imntreal@gmail.com To: arch-general@archlinux.org Subject: Re: [arch-general] My Apache Sever Compromised?

On Sat, Mar 29, 2014 at 10:41 PM, Nowaker wrote:

...

...

I'm seeing some very strange behavior from my Apache web server, and I'm afraid it may have been compromised. Every time I start it, my router is saturated with the maximum number of connections it can handle, and my access_log starts filling with lines like:

Start whatever HTTP server in place of Apache, and see if you still get these requests by analyzing their access.logs. Then you will know if you really get these requests or they are fake.

Thanks for the idea. I had just been approaching it from the idea of trying to figure out what was going on with Apache. I installed, and started Nginx, and sure enough, it started getting blown up with those requests. Now, I guess I have to figure out why on earth those requests would be coming to my humble home web server.

On Mon, Mar 31, 2014 at 6:36 AM, Simon Brand wrote:

You can also use

Thanks for all the suggestions, guys. I'll probably do some further checking just to make sure nothing else is going on, but once I created a rewrite rule to drop those connections instead of sending them 404s, they went away. I suspect it's some type of ad click fraud.

...

199.83.93.35 - - [29/Mar/2014:22:04:54 -0400] "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151

But the most interesting part is that your apache is replying with "200", that is OK!

Nice catch! It's certainly a proxy.

See? The request asks for all the URL, http:// and host name included, just as if you were a proxy. The normal GET request for a web server asks only for the file part ("/pixel.png" in this case).

It's because of HTTP/1.0 protocol. Should the client use HTTP/1.1, it would look more usual. -- Kind regards, Damian Nowak StratusHost www.AtlasHost.eu

Am 09.04.2014 19:32, schrieb Jameson:

On Tue, Apr 1, 2014 at 9:30 AM, Nowaker wrote:

...

...

...

199.83.93.35 - - [29/Mar/2014:22:04:54 -0400] "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151

...

But the most interesting part is that your apache is replying with "200", that is OK!

Nice catch! It's certainly a proxy. Thanks for everyone's help with this. I did in fact have ProxyRequests set to On thinking it was needed for reverse proxies as well, and have turned it off. Now, when I open up port 80, it looks like they're still trying, but I'm replying with 404. Is that what it should be doing? I probably also need to make sure I have some throttling setup in case this is too much for my Internet connection. If you know the IP addresses (or address-ranges) you use to connect to your server, I suggest you block everything else for the time being with an iptables rule.

On 2014-04-09 19:32, Jameson wrote:

On Tue, Apr 1, 2014 at 9:30 AM, Nowaker wrote:

...

...

...

199.83.93.35 - - [29/Mar/2014:22:04:54 -0400] "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151

...

But the most interesting part is that your apache is replying with "200", that is OK!

Nice catch! It's certainly a proxy.

Thanks for everyone's help with this. I did in fact have ProxyRequests set to On thinking it was needed for reverse proxies as well, and have turned it off. Now, when I open up port 80, it looks like they're still trying, but I'm replying with 404. Is that what it should be doing? I probably also need to make sure I have some throttling setup in case this is too much for my Internet connection.

One approach I've seen mentioned and which seemed fun, but -- I hasten to add -- have never personally tried is to start returning shock site images for all such requests (obviously not for all 404s, just attempts at abusing you as a proxy). Regards,