1

I have a slice with a hosting provider that has a basic lamp stack setup. I was checking my apache logs today and I'm getting total random (it seems) request to my apache server. For instance, here are two entries:

174.129.95.125 - - [20/Jul/2011:07:28:27 +0000] "GET http://www.czhlk.com/sony/cheng2/error.asp HTTP/1.1" 200 11322 "http://www.baidu.com" "Mozilla/4.0"
117.41.235.133 - - [20/Jul/2011:07:28:29 +0000] "GET http://113.105.144.166:8083/Payrank.php HTTP/1.1" 200 11315 "http://113.105.144.166:8083/Payrank.php" "Mozilla/4.0"

Right now I only have some test php scripts up so I wasn't expecting a lot of traffic but I'm getting several requests a second with entries similar to the one's just posted. The strange thing is that if you look at the url requested in the access log, they are not referencing resources on my machine. I've installed chkrootkit and couldn't find anything. I've also checked the password file and other areas to see if somebody might have hacked me. So far I haven't found anything but I'm not a system admin or anything, just a software developer. Also, all of the http codes in the log are '200' which is strange to me. So how is it that my apache is returning 200 for http requests that aren't requesting anything on my server? I would expect something like this:

98.248.117.137 - - [20/Jul/2011:07:35:03 +0000] "GET /index.php" ....

Not a fully qualified url for completely different sites. What am I missing, sorry if it's a stupid question.

Here is the contents of my mods-available/proxy.conf file, I don't see anything wrong with it so far:

#turning ProxyRequests on and allowing proxying from all may allow #spammers to use your proxy to send email.

    ProxyRequests Off

    <Proxy *>
            AddDefaultCharset off
            Order deny,allow
            Deny from all
            #Allow from .example.com
    </Proxy>

    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block

    ProxyVia On

Tom O'Connor
  • 27,480
  • 10
  • 73
  • 148
Andreas Sandberg
  • 13
  • 4
  • Have you tried what your Apache returns if you try something like `telnet yourhost 80` and then send it `GET http://someurl/ HTTP/1.1`? – Janne Pikkarainen Jul 20 '11 at 07:40
  • Hi, thank you it looks like I can issue the request but my server returns the contents of what is in my 'index.php' file. So I suppose people are trying to use me as an anonymous proxy? Updating my original question with the contents of mods-available/proxy.conf. thanks for your help so far! – Andreas Sandberg Jul 20 '11 at 07:45

2 Answers2

6

I'd say that the IP address your hosting provider gave you was previously used as a C&C or distribution node for a botnet, and some malware hasn't got the message that you're no longer carrying that stuff. Unfortunately, there's not a lot you can do about it, other than bugging your provider and saying you want new IPs because this one's tainted. You definitely don't want to keep an IP that's got a history of naughtiness -- chances are it's in all sorts of blacklists (SMTP and otherwise) which will have an adverse effect on your ability to use the server, and those requests are chewing up your traffic allowance (which is costing you money).

The reason why you're getting 200s for all requests is probably because you've got an apache config directive that's rewriting all requests to your index.php. That's why you get the contents of it when you hit the URLs being requested.

womble
  • 96,255
  • 29
  • 175
  • 230
  • Hi Womble, thanks for your help, yes I can verify that my apache is re-writting the requests to my index.php which is why I'm seeing the 200's. I'll check with my hosting provider (slicehost) and see what they say. – Andreas Sandberg Jul 20 '11 at 07:49
-3

You have efectively an open proxy. Report it to your hosting provider and search for a better one.

Ochoto
  • 1,166
  • 7
  • 12
  • What's the basis on which you reached that conclusion? – womble Jul 20 '11 at 07:47
  • the config clearly shows proxying is disabled.... so it cant be open – anthonysomerset Jul 20 '11 at 08:25
  • How can you be sure that the config file you refer is the one being used ? On the other side the accesslog is registering the requests and response codes to them. Try what Janne sugested to certify without any doubt. – Ochoto Jul 21 '11 at 09:52