I use CentOS 4.2 with all service packs installed. I checked the traffic on the web link and I see a lot of traffic on TCP port 80.
I accessed the log /var/log/httpd/access_log and it is shown below.
ca.com/members/index.php HTTP/1.0" 401 - "http://members.sapphicerotica.com/members/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; NetCaptor )"
68.119.110.138 - - [30/Jan/2006:15:08:08 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9794 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:10 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
80.144.212.33 - - [30/Jan/2006:15:08:09 -0200] "GET http://www.995members.com/members/ HTTP/1.0" 401 472 "http://www.995members.com" "Mozilla/5.0 ( Windows; U; Windows NT5.1; DigiExt )"
68.119.110.138 - - [30/Jan/2006:15:08:10 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:12 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:13 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:14 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:16 -0200] "GET http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 999 4445 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:17 -0200] "GET http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 999 4445 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:18 -0200] "GET http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 999 4445 "-" "-"
82.39.175.52 - - [30/Jan/2006:15:08:35 -0200] "GET http://l1.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=... HTTP/1.0" 502 961 "-" "-"
80.144.212.33 - - [30/Jan/2006:15:08:43 -0200] "GET http://www.995members.com/members/ HTTP/1.0" 401 472 "http://www.995members.com" "Mozilla/5.0 ( Windows; U; Windows NT5.1; DigiExt )"
12.206.3.132 - - [30/Jan/2006:15:08:46 -0200] "GET http://us.a1.yimg.com/login.bjs.yahoo.com/config/login?login=big_g_&pass... HTTP/1.0" 200 4440 "http://www.yahoo.com/" "-"
84.109.4.111 - - [30/Jan/2006:15:08:51 -0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 - "-" "-"
I guess that a hacker is using my Apache server as a proxy.
Please, I need help urgently.
I stopped the httpd service because of it.
Thanks
Adriano
On Mon, 30.01.2006, at 19:17, Adriano Frare wrote:
I use CentOS 4.2 with all service packs installed. I checked the traffic on the web link and I see a lot of traffic on TCP port 80.
I accessed the log /var/log/httpd/access_log and it is shown below.
ca.com/members/index.php HTTP/1.0" 401 - "http://members.sapphicerotica.com/members/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; NetCaptor )"
68.119.110.138 - - [30/Jan/2006:15:08:08 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9794 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:10 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
80.144.212.33 - - [30/Jan/2006:15:08:09 -0200] "GET http://www.995members.com/members/ HTTP/1.0" 401 472 "http://www.995members.com" "Mozilla/5.0 ( Windows; U; Windows NT5.1; DigiExt )"
68.119.110.138 - - [30/Jan/2006:15:08:10 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:12 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:13 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:14 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:16 -0200] "GET http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 999 4445 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:17 -0200] "GET http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 999 4445 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:18 -0200] "GET http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 999 4445 "-" "-"
82.39.175.52 - - [30/Jan/2006:15:08:35 -0200] "GET http://l1.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=... HTTP/1.0" 502 961 "-" "-"
80.144.212.33 - - [30/Jan/2006:15:08:43 -0200] "GET http://www.995members.com/members/ HTTP/1.0" 401 472 "http://www.995members.com" "Mozilla/5.0 ( Windows; U; Windows NT5.1; DigiExt )"
12.206.3.132 - - [30/Jan/2006:15:08:46 -0200] "GET http://us.a1.yimg.com/login.bjs.yahoo.com/config/login?login=big_g_&pass... HTTP/1.0" 200 4440 "http://www.yahoo.com/" "-"
84.109.4.111 - - [30/Jan/2006:15:08:51 -0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 - "-" "-"
I guess that a hacker is using my Apache server as a proxy.
Correct. The log provided shows that. Looks like your host is already known to a crowd of misusers, or the one who found you is already using several hosts to do his actions (see the originating IPs).
Please, I need help urgently.
What do you expect? We don't know your Apache setup. Go through your httpd.conf and included configuration files and deactivate proxying - or at least make it secure if you need it for specific tasks.
I stopped the httpd service because of it.
Good.
Adriano
Alexander
On Mon, 2006-01-30 at 12:17, Adriano Frare wrote:
I use CentOS 4.2 with all service packs installed. I checked the traffic on the web link and I see a lot of traffic on TCP port 80.
I accessed the log /var/log/httpd/access_log and it is shown below.
ca.com/members/index.php HTTP/1.0" 401 - "http://members.sapphicerotica.com/members/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; NetCaptor )"
68.119.110.138 - - [30/Jan/2006:15:08:08 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9794 "-" "-"
I guess that a hacker is using my Apache server as a proxy.
The stock httpd.conf should have the #ProxyRequests On entry commented out as above. If you need to have it enabled you should control access with 'allow from' directives: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
I changed httpd.conf to
ProxyRequests Off
ProxyVia Off
And the problem continues.
Adriano Frare
Les Mikesell wrote:
On Mon, 2006-01-30 at 12:17, Adriano Frare wrote:
I use CentOS 4.2 with all service packs installed. I checked the traffic on the web link and I see a lot of traffic on TCP port 80.
I accessed the log /var/log/httpd/access_log and it is shown below.
ca.com/members/index.php HTTP/1.0" 401 - "http://members.sapphicerotica.com/members/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; NetCaptor )"
68.119.110.138 - - [30/Jan/2006:15:08:08 -0200] "GET http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/ser... HTTP/1.0" 200 9794 "-" "-"
I guess that a hacker is using my Apache server as a proxy.
The stock httpd.conf should have the #ProxyRequests On entry commented out as above. If you need to have it enabled you should control access with 'allow from' directives: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
Are you sure you're editing the proper httpd.conf file? If your machine has been hacked, it might not be using the default config anymore. While you're at it, find and run one of the rootkit detection suites and see if you've got other nasties running quietly hidden. If so, the only SURE way to clean things up is to take the box down and re-install from known-good media.
Cheers,
Adriano Frare wrote:
I changed httpd.conf to
ProxyRequests Off
ProxyVia Off
And the problem continues.
On Mon, 2006-01-30 at 13:13, Adriano Frare wrote:
I changed httpd.conf to
ProxyRequests Off
ProxyVia Off
And the problem continues.
You have to restart httpd to make a change take effect. Also, this is a global setting - it can be changed for any specific virtual hosts with other entries.
Excuse me.
The options below worked.
ProxyRequests Off
ProxyVia Off
Thanks for all!!!!
Adriano
Les Mikesell wrote:
On Mon, 2006-01-30 at 13:13, Adriano Frare wrote:
I changed httpd.conf to
ProxyRequests Off
ProxyVia Off
And the problem continues.
You have to restart httpd to make a change take effect. Also, this is a global setting - it can be changed for any specific virtual hosts with other entries.
Adriano Frare wrote:
I changed httpd.conf to
ProxyRequests Off
ProxyVia Off
And the problem continues.
Adriano Frare
Are you sure your problem is continuing, can you post a small section of your logs from after turning off ProxyRequests?
-Mike
Also your time seems to be off on your computer.
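A way to answer Mike's question of whether the proxying really stopped after the config change, as an added example that is not part of the original thread: it parses combined-log lines in the shape quoted above and counts, per source IP, the proxy-style requests (absolute-URI targets or CONNECT) that Apache relayed versus refused. The sample lines are constructed with documentation IPs and hosts, not taken from Adriano's log.

```python
import re
from collections import Counter

# Constructed sample lines in the same combined-log shape as the thread's
# access_log excerpt (IPs and hosts are made-up placeholders).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2006:15:08:08 -0200] "GET http://198.51.100.5/config/login?.done=x HTTP/1.0" 200 9794 "-" "-"
192.0.2.10 - - [30/Jan/2006:15:08:10 -0200] "GET http://198.51.100.5/config/login?.done=x HTTP/1.0" 200 9786 "-" "-"
192.0.2.77 - - [30/Jan/2006:15:08:51 -0200] "CONNECT login.example.net:443 HTTP/1.0" 200 - "-" "-"
192.0.2.33 - - [30/Jan/2006:15:09:01 -0200] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
192.0.2.10 - - [30/Jan/2006:15:09:05 -0200] "GET http://198.51.100.5/config/login?.done=x HTTP/1.0" 403 - "-" "-"
"""

# Fields of the combined log format up to the status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def is_proxy_request(method, target):
    # Forward-proxy requests name an absolute URI (scheme://host/...) instead
    # of a server-relative path, or use CONNECT to tunnel to host:port.
    if method == "CONNECT":
        return True
    return bool(re.match(r'^[a-z][a-z0-9+.-]*://', target, re.IGNORECASE))

def scan_log(text):
    """Return (served, refused) Counters of proxy-style requests per source IP.
    served  = Apache answered with a non-4xx status (the request was relayed);
    refused = 4xx (ProxyRequests Off or access control is doing its job)."""
    served, refused = Counter(), Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_proxy_request(m["method"], m["target"]):
            continue
        status = int(m["status"])
        (refused if 400 <= status < 500 else served)[m["ip"]] += 1
    return served, refused

if __name__ == "__main__":
    served, refused = scan_log(SAMPLE_LOG)
    for ip, n in served.most_common():
        print(f"RELAYED  {ip}: {n} proxy request(s) - proxying still active")
    for ip, n in refused.most_common():
        print(f"refused  {ip}: {n} proxy request(s)")
```

Run it over the real access_log after restarting httpd; any non-empty RELAYED output means the change has not taken effect (wrong httpd.conf, no restart, or a virtual host overriding the global setting).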