Re: F19: Is this an httpd attack attempt?

Allegedly, on or about 03 March 2014, Dan Thurman sent:
> It looks to me like a successful indirect connection?
> 
> The following is taken from /var/log/httpd/access_log
> 
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-" 

With a "GET" request that has a full URI rather than just a filepath to
something within your own website, that looks like they're trying to use
you as a proxy for whatever their nefarious aims are (which Apache *can*
do, but doesn't have to).  The "200" response means "okay," so it
apparently succeeded with 5264 bytes being sent.  Try the same sort of
hack, yourself, on your own server, to see what it does.  Though try
getting some other website, not the one that's playing games with you.

Since it's to a non-website, they may be pooling data of what fails and
succeeds, so they can make use of it later.  Which could be anything
from doing a hack on you, using you as a sacrificial proxy for illegal
activities, using you as a proxy to bypass state censorship, one of the
white hat hackers researching statistics on unsafe webservers, or
anything else that you can think of.

Because you don't know their motives, I'd consider them as being bad,
and worth doing something about.  Unless you are purposely using the
proxy features of Apache, disable them.  If you are making use of them,
then tighten up the configuration to only do what you want.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.
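
Added example, not part of the original message: a scan of `access_log` for the pattern described above, meaning requests whose target is an absolute URI (or a `CONNECT`) naming a host the server does not serve. `OWN_HOSTS`, the function names, and every sample line except the first (the entry quoted in the thread) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log format: client, identd, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def proxy_probe(line, own_hosts):
    """Return a dict describing a forward-proxy attempt, or None for normal traffic."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # malformed or non-HTTP request line; not handled here
    method, target = m["method"], m["target"]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0].lower()  # authority-form "host:port"
    elif target.lower().startswith(("http://", "https://")):
        host = (urlsplit(target).hostname or "").lower()  # absolute-form URI
    else:
        return None  # origin-form ("/path"): an ordinary request
    if host in own_hosts:
        return None  # an absolute URI naming this site is legal HTTP/1.1
    status = int(m["status"])
    return {
        "client": m["ip"], "method": method, "host": host, "status": status,
        # 2xx only shows the server answered; it may have served its own page
        "answered": 200 <= status < 300,
    }

def scan(lines, own_hosts):
    own = {h.lower() for h in own_hosts}
    return [hit for hit in (proxy_probe(l, own) for l in lines) if hit]

# First line is the entry quoted in the message; the rest are constructed samples.
SAMPLE = [
    '185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"',
    '192.0.2.10 - - [03/Mar/2014:07:30:01 -0800] "GET /index.html HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2014:07:31:15 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 405 312 "-" "-"',
    '203.0.113.5 - - [03/Mar/2014:07:32:40 -0800] "GET http://www.example.org/about HTTP/1.1" 200 1830 "-" "-"',
]
OWN_HOSTS = {"www.example.org"}  # assumption: names this server legitimately serves

if __name__ == "__main__":
    for hit in scan(SAMPLE, OWN_HOSTS):
        print(hit)
```

For any hit with `answered` set, compare the logged byte count with the size of the server's own default page and check the `ProxyRequests` setting in the Apache configuration to tell a relayed response from a locally served one.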
