apache2 virtual host attack

Question

I have a apache2 virtual host configured but I suffer a attack with thousands or request like "POST http://check2.zennolab.com/proxy.php HTTP/1.1" 200 115 "GET http://hartford.craigslist.org/fuo/3293382678.html HTTP/1.1" 200 2223

anybody knows what kind of attack is this? how I do to prevent?

EDIT:

Warning

Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

of course it had enabled

sounds like abuse of an open proxy. why do you have that proxy.php sitting there publicly accessible, does it need to be like that? — user16081-JoeT, Nov 07 '12 at 21:01
Same IP address or different ones? If it's the same, or a small number of IPs, iptables FTW. — HopelessN00b, Nov 07 '12 at 21:43

Karma Fusebox · Answer 1 · 2012-11-07T22:15:29.423

1

This looks like an attack by some malicious user (or infected PC or botnet or whatever) that is now trying to find out if your machine has public available proxy features. If you had a real open proxy running there, the attacker could successfully hide behind your IP address. Don't worry though, those scans are fully automated and not against your host only and finally they will move on.

I suggest you wait for the scan to end if it doesn't affect your own service or just firewall out the requesting IP address/net.

// edited: I misunderstood the proxy.php part as if you would be hosting a page namend proxy.php yourself. See the comments.

edited Nov 07 '12 at 22:15

answered Nov 07 '12 at 21:18

Karma Fusebox

1,114
9
18

1

The HTTP request pasted by the OP includes a full URL, so I'm not entirely sure that he really has such a proxy.php file on his own server – in fact, he probably doesn't. I'm not sure how exactly Apache is handling that request. – pino42 Nov 07 '12 at 21:41
@pino42 - You are right, my bad. Anyhow, this is definitely some kind of automated proxy scanning. I don't know exactly how apache handles this either but I would bet that the intent is to find out about forwarding capabilities of the posters host. So the advice of firewalling out whoever sends these requests keeps the same. – Karma Fusebox Nov 07 '12 at 21:52

score 0 · Answer 2 · edited Apr 13 '17 at 12:14

0

It would be interesting to understand what Apache is doing in those cases – is it really acting as a proxy? If it is, you should disable that. You can find a similar case discussed in this question.

edited Apr 13 '17 at 12:14

Community

1

answered Nov 07 '12 at 21:08

pino42

915
5
11

apache2 virtual host attack

2 Answers2