[Gllug] Have I been compromised??

Robert McKay rm at accucard.com
Tue Sep 3 08:03:45 UTC 2002


On Mon, 2 Sep 2002, omphe wrote:

> Tom Gilbert wrote:
> 
> > Couple of things there, for one, why not show us the log entries you're
> > worried about? I'm sceptical myself, because for you to have people
> > connecting to your webserver on port 6667, you'd have to have
> > specifically configured it to listen on 6667 yourself.
> 
> I think I hit the panic button early.  I've been immersing myself in the
> security manuals, etc.  trying to just get my bearings. Nevertheless, this is
> proving very educational, so...
> 
> Here's an excerpt from my Apache access.log.  There are about five instances of
> this.  The 404/405s mean these were denied, no?
> 
> 62.95.52.25 - - [20/May/2002:00:06:21 +0100] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 205
> 64.8.33.172 - - [06/Jun/2002:21:47:07 +0100] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 66.140.25.157 - - [23/Jul/2002:23:25:54 +0100] "CONNECT 209.131.227.242:6667
> HTTP/1.0" 405 231
> 66.140.25.157 - - [23/Jul/2002:23:41:18 +0100] "CONNECT 209.131.227.242:6667
> HTTP/1.0" 405 231
> 
> So, now I'll harden, remove services, and read, read, read, read, .....
> Aaaaaaaarrgh!!! I can't learn fast enough!!
> 
> Branden Faulls

Have you been connecting to IRC yourself? Someone has.. It's standard
procedure on many IRC networks (inc. openprojects.net which is the server
mentioned in your log there) to scan the connecting IP (eg: you) for
insecure proxies before or after accepting the logon. When you connect to
them, they automatically connect back to you and try various things like
CONNECT on your http server. If it works you get booted, if it fails they
let you stay :)

The IP that hit you in the logs, 66.140.25.157, is
proxyscan.openprojects.net and it's tried to connect to 209.131.227.242
(sendek.openprojects.net) so that's definitely what you're seeing in this
case.

Of course.. lots of other people randomly scan for open http proxies to
use for their own nefarious purposes and it's pretty common to see CONNECT
attempts from all over. As long as you don't have mod_proxy wide open it's
nothing to worry about, although if you ever are setting up mod_proxy (or
any other proxy server) make sure you don't leave it wide open to the
internet.

-Robert.
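The triage Robert describes above (a CONNECT that Apache answers with 405 is a refused proxy probe; only a 2xx on a CONNECT would mean mod_proxy is actually tunnelling for strangers) can be scripted over access.log. The following is an added example, not code from the original thread or from any of its posters. It parses the common log format, labels each line, and reports only the hosts whose requests were not refused. The four real entries from Branden's log are re-joined from the line-wrapped quote; the two entries for 10.0.0.5 and 10.0.0.9 are constructed to show the "normal request" and "open proxy" paths, and the function names are my own.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Parse one access.log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Map a parsed entry to (label, severity).

    For CONNECT the status code is the decisive signal: 405 (or any 4xx/5xx)
    means Apache refused to proxy; a 2xx means it tunnelled the connection,
    i.e. mod_proxy (or another proxy) is open to the internet."""
    method, target, status = entry["method"], entry["target"], entry["status"]
    if method == "CONNECT":
        port = target.rsplit(":", 1)[-1]          # 6667 is the usual IRC port
        if 200 <= status < 300:
            return (f"open-proxy-tunnel:{port}", "critical")
        return (f"proxy-probe-refused:{port}", "info")
    if target.startswith("/default.ida?") and "%u" in target:
        # Code Red worm signature (IIS .ida overflow); no effect on Apache,
        # so anything other than a 4xx/5xx would deserve a look.
        return ("code-red-probe", "info" if status >= 400 else "high")
    if "cmd.exe" in target.lower():
        # Nimda-style directory traversal to cmd.exe, again IIS-specific.
        return ("cmd-exe-traversal-probe", "info" if status >= 400 else "high")
    if status >= 400:
        return ("refused", "info")
    return ("ok", "info")

def triage(lines):
    """Classify every parsable line; return (per-line results, counts per label)."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label, severity = classify(entry)
        results.append((entry["host"], label, severity))
    return results, Counter(label for _, label, _ in results)

def hosts_needing_attention(results):
    """Hosts whose requests were NOT refused; only these warrant follow-up."""
    return sorted({h for h, _, sev in results if sev in ("high", "critical")})

# Sample log: the four entries quoted in the thread (re-joined), plus two
# constructed entries (10.0.0.5 normal request, 10.0.0.9 open-proxy case).
SAMPLE_LOG = [
    '62.95.52.25 - - [20/May/2002:00:06:21 +0100] "GET /default.ida?'
    'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
    '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205',
    '64.8.33.172 - - [06/Jun/2002:21:47:07 +0100] '
    '"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '66.140.25.157 - - [23/Jul/2002:23:25:54 +0100] '
    '"CONNECT 209.131.227.242:6667 HTTP/1.0" 405 231',
    '66.140.25.157 - - [23/Jul/2002:23:41:18 +0100] '
    '"CONNECT 209.131.227.242:6667 HTTP/1.0" 405 231',
    '10.0.0.5 - - [24/Jul/2002:01:00:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [24/Jul/2002:01:02:03 +0100] '
    '"CONNECT 198.51.100.7:6667 HTTP/1.0" 200 -',
]

if __name__ == "__main__":
    results, counts = triage(SAMPLE_LOG)
    for host, label, severity in results:
        print(f"{severity:8} {host:16} {label}")
    print("counts:", dict(counts))
    print("needs attention:", hosts_needing_attention(results))
```

Run against a real access.log with `triage(open("access.log"))`; the Code Red and cmd.exe probes are labelled only so the counts explain the noise, and the one line that should change your day is a CONNECT with a 2xx status.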


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug