| SitePoint Sponsor |
Apache http server used as a proxy (hacked)
Hi!
I'm new to apache http server configuration, a week ago I installed my first one! But yesterday, my connection was overloaded and I figured out that my http server was used as a proxy by hackers. The access.log file is filled up by thousand access to exterior sites and it was groing up seconds by seconds. There is a short access.log example in attachement.
I gess it's a matter of configuarion. Can anybody help ?
Thanks in advance !
(Excuse my poor english)
I haven't looked at the access log yet, but do you have mod_proxy loaded in your httpd.conf?
All proxy modules lines are commented ...Originally Posted by Paul_C
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
It looks like you have some proxy configuration in httpd.conf. Before fixing that you can sniff the traffic and grab some usernames and passwords that the proxy thieves are using. Take this part of the log for example:
"GET http://members.publicamateurs.com/ HTTP/1.0"
If you were sniffing the traffic and saving it somewhere you could snag his porn passwordYou must realize that while you think you're the victim, you are really in control since it's your server. You can trace back their IPs and report the activity to their ISP, you can monitor their traffic and you can cut them off anytime.
This might be an interesting time to try a port scanner on some of these people.
Posting Permissions
Bookmarks