[arch-general] My Apache Server Compromised?

Rodrigo Rivas rodrigorivascosta at gmail.com
Tue Apr 1 04:45:24 EDT 2014


On Sun, Mar 30, 2014 at 4:37 AM, Jameson <imntreal at gmail.com> wrote:
> I'm seeing some very strange behavior from my Apache web server, and
> I'm afraid it may have been compromised. Every time I start it, my
> router is saturated with the maximum number of connections it can
> handle, and my access_log starts filling with lines like:

Do you know what looks interesting from your log? Take for example this line:

> 199.83.93.35 - - [29/Mar/2014:22:04:54 -0400]
> "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151

See? The request asks for all the URL, http:// and host name included,
just as if you were a proxy. The normal GET request for a web server
asks only for the file part ("/pixel.png" in this case). But the most
interesting part is that your apache is replying with "200", that is
OK! And the 151 is the real size of this file, I just checked with
"curl http://ro2.biz/pixel.png | wc -c". I would expect your server to
reply with an error to such a request, not to reply with the real
file.

So my guess is that you have your apache configured as an unrestricted
proxy, somebody discovered it, and is abusing it.

Hope this helps.
-- 
Rodrigo
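
One way to pull that signal out of an access log, as an added example that is not part of Rodrigo's message: it flags proxy-style requests (absolute-URI targets or CONNECT) that were answered with a success status and tallies them by client and upstream host. The sample log is constructed, apart from the line quoted above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common log format: client ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_proxy_style(method, target):
    """Absolute-URI targets (http://host/path) and CONNECT host:port tunnels are
    what a client sends to a forward proxy; an origin server only sees /path."""
    if method == "CONNECT":
        return True
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def upstream_host(method, target):
    """Host the proxied request was aimed at."""
    return target.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(target).hostname

def find_served_proxy_requests(lines):
    """Proxy-style requests answered with 2xx/3xx. A 4xx/5xx means the server
    refused them; a success means it forwarded them, i.e. it is acting as a proxy."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_proxy_style(m["method"], m["target"]) and m["status"][0] in "23":
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Count served proxy requests per client IP and per upstream host."""
    clients = Counter(h["client"] for h in hits)
    hosts = Counter(upstream_host(h["method"], h["target"]) for h in hits)
    return clients, hosts

# Constructed sample log: the first line is the one quoted in the thread, the
# others are made up (192.0.2.0/24 is the documentation range) for contrast.
SAMPLE_LOG = [
    '199.83.93.35 - - [29/Mar/2014:22:04:54 -0400] "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151',
    '192.0.2.10 - - [29/Mar/2014:22:05:01 -0400] "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151',
    '192.0.2.11 - - [29/Mar/2014:22:05:03 -0400] "GET /index.html HTTP/1.1" 200 3412',
    '192.0.2.12 - - [29/Mar/2014:22:05:07 -0400] "CONNECT ro2.biz:443 HTTP/1.1" 405 -',
    '192.0.2.13 - - [29/Mar/2014:22:05:09 -0400] "GET http://example.net/ HTTP/1.0" 403 199',
]
```

A 200 on an absolute-URI request is the hint, not the proof; the size matching the upstream file (151 bytes here) is what confirmed it, and `ProxyRequests Off` in httpd.conf is the mod_proxy setting to verify.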

