SUMMARY: still hacking proxy-attempts accepted by webserver

thx to Eric Covener (the sole replier on my mail), he pointed me in the right direction :

Without any 'proxy' modules loaded, I needed to configure a 'honeypot' virtualhost to catch any request that doesn't contain one of my hostnames (like "www.mydomain.be"),  and deny access to them all.

By placing this extra virtualhost as the first in the config, it becomes the "default" one.

These are the config lines I added :

<VirtualHost *:80>
    ServerName default.only
    <Location "/">
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>

works like a charm.

Testing is done with a TELNET to my web server's internal IP address, port 80, and entering the following:

GET http://www.yahoo.com/  HTTP/1.1
Host: www.yahoo.com

(followed by double newlines)

cheers

Rob

Quoting Rob De Langhe <rob.de.langhe@xxxxxxxxxxxx>:

hi,

despite me disabling the "proxy*" modules from my Apache, I still occasionally see some successful hack attempts via my server (code 200):

125.46.73.7 - - [30/Jun/2011:11:54:09 +0200] "GET http://www.baidu.com/ HTTP/1.1" 200 240 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

The loaded modules in my Apache are :

# /usr/apache2/bin/httpd -M | sort
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authn_file_module (shared)
 authz_dbm_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 core_module (static)
 dbd_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 env_module (shared)
 expires_module (shared)
 headers_module (shared)
 http_module (static)
 include_module (shared)
 log_config_module (shared)
 logio_module (shared)
 mime_module (shared)
 mpm_prefork_module (static)
 negotiation_module (shared)
 php5_module (shared)
 setenvif_module (shared)
 so_module (static)
 ssl_module (shared)
 vhost_alias_module (shared)

Can anyone please shed some light on this mystery  ?

thx a lot in advance
Rob


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
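
Added example (not part of the original post and not Apache project code): a log check for the request pattern discussed in this thread, an absolute-URI or CONNECT request naming a host the server does not serve, reporting whether it was answered or refused. SERVED_HOSTS and every sample line except the first (quoted from the post) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the hostnames this server really serves (the post's example name).
SERVED_HOSTS = {"www.mydomain.be"}

# Leading fields of Apache's common/combined log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line, served=SERVED_HOSTS):
    """Return a finding dict for a proxy-style request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":                 # authority-form: host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:                   # absolute-form: scheme://host/path
        try:
            host = urlsplit(target).hostname or ""
        except ValueError:                  # malformed authority, still reported
            host = ""
    else:
        return None                         # origin-form ("/path"): ordinary request
    host = host.lower()
    if host in served:
        return None                         # absolute-form naming our own site is valid
    status = int(m["status"])
    return {"client": m["client"], "host": host,
            "status": status, "accepted": status < 400}  # below 400: not refused

def find_probes(lines, served=SERVED_HOSTS):
    return [f for f in (classify(l, served) for l in lines) if f]

SAMPLE_LOG = [
    # Line quoted in the post:
    '125.46.73.7 - - [30/Jun/2011:11:54:09 +0200] "GET http://www.baidu.com/ HTTP/1.1" 200 240 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"',
    # Constructed lines (documentation addresses):
    '192.0.2.10 - - [30/Jun/2011:12:00:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.11 - - [30/Jun/2011:12:00:02 +0200] "GET http://www.mydomain.be/ HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [01/Jul/2011:09:15:30 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 403 202 "-" "-"',
    '198.51.100.8 - - [01/Jul/2011:09:16:00 +0200] "CONNECT example.com:443 HTTP/1.1" 405 230 "-" "-"',
]

if __name__ == "__main__":
    print(*find_probes(SAMPLE_LOG), sep="\n")
```

A finding with "accepted" set to True after the catch-all virtualhost is in place means some request still reached a virtualhost that answers it.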

