Levente was right about the open proxy exploitation. [1] It has stopped now. [Editor's Note: No it hasn't.] The last one was at 7:52 on 23 Oct. This server is on CEST time, so subtracting six hours that would be 1:52 here in eastern North America. The GET requests display exploitation when they are asking for a server that is not ours. The request for http://ad.yieldmanager.com is an example. I don't suppose there's any real damage, but it is my mistake.
The open proxy exploitation was followed by many POST requests. [2] Notice the size of this log file:
-rw-r----- 1 root adm 2173022665 Oct 25 14:20 other_vhosts_access.log
What is that? To my eyes that's 2.02 Gigs of data collected over maybe ~72 hours. Many [2] are POST requests. I can't say what ajaxExecutors or ajaxBuildQueue is. It is definitely part of Jenkins, I'm just not sure what part. I'll look into it.
Actually, I'm wrong. [3] We're still being exploited as an open proxy. Those are the latest results from the log file.
I've changed the stanza to the following and restarted:

<VirtualHost *:80>
    ServerName www.squeakci.org
    ServerAlias squeakci.org
    # Off turns off forward proxying (absolute-URI requests for other hosts);
    # the ProxyPass reverse-proxy mappings below do not need it On.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
And will check the log file again in two hours.
Chris
[1]
92.17.231.188 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14" www.squeakci.org:80
92.17.231.188 - - [23/Oct/2012:07:52:55 +0200] "POST /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14" www.squeakci.org:80
184.22.82.217 - - [23/Oct/2012:07:52:55 +0200] "GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250%C2%A7ion=30... HTTP/1.0" 200 4982 "http://www.file4dvd.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)" www.squeakci.org:80
184.22.82.217 - - [23/Oct/2012:07:52:56 +0200] "GET http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=191... HTTP/1.0" 302 712 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250%C2%A7ion=30..." "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)" www.squeakci.org:80
184.22.82.217 - - [23/Oct/2012:07:52:57 +0200] "GET http://cookex.amp.yahoo.com/v2/cexposer/SIG=13rmsj29b/*http%3A//ad.yieldmana... HTTP/1.0" 302 751 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250%C2%A7ion=30..." "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)" www.squeakci.org:80
92.17.231.188 - - [23/Oct/2012:07:52:59 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14" www.squeakci.org:80
184.22.82.217 - - [23/Oct/2012:07:52:59 +0200] "GET http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=191... HTTP/1.0" 200 1806 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250%C2%A7ion=30..." "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
[2]
92.17.231.188 - - [23/Oct/2012:04:41:01 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14" www.squeakci.org:80
92.17.231.188 - - [23/Oct/2012:04:41:03 +0200] "POST /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14" www.squeakci.org:80
92.17.231.188 - - [23/Oct/2012:04:41:06 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
[3]
108.62.111.169 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600%C2%A7ion=3522... HTTP/1.0" 404 558 "http://classidressing.com/index.php?option=com_mailto&tmpl=component&..." "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; .NET CLR 2.0.50727; SLCC1; Media Center PC 5.0; .NET CLR 3.0.04506)" www.squeakci.org:80
50.93.195.16 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250%C2%A7ion=19... HTTP/1.0" 404 558 "http://www.suddengame.com/index.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; Media Center PC 5.0; .NET CLR 2.0.50727)" www.squeakci.org:80
23.19.67.38 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.adserverplus.com/st?ad_type=iframe&ad_size=728x90%C2%A7ion=289... HTTP/1.0" 404 558 "http://femaleapple.com/index.php?option=com_content&view=article&id=..." "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5" www.squeakci.org:80
108.62.178.236 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.tagjunction.com/st?ad_type=iframe&ad_size=300x250%C2%A7ion=293... HTTP/1.0" 404 558 "http://bestmylive.com/index.php?option=com_mailto&tmpl=component&lin..." "Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)" www.squeakci.org:80
108.62.75.188 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.globe7.com/st?ad_type=iframe&ad_size=160x600%C2%A7ion=3542181&... HTTP/1.0" 404 558 "http://fashionarrow.com/index.php?option=com_mailto&tmpl=component&l..." "Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.53" www.squeakci.org:80
173.208.94.17 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600%C2%A7ion=3522... HTTP/1.0" 404 558 "http://classidressing.com/index.php?option=com_mailto&tmpl=component&..." "Mozilla/4.0 (compatible; MSIE 6.0; Update a; Win32)" www.squeakci.org:80
142.91.189.9 - - [25/Oct/2012:14:30:30 +0200] "GET http://ads1.ministerial5.com/creative/2-002134057-00001i;size=4 HTTP/1.0" 404 558 "http://travellingonroad.com/index.php?view=article&catid=34%3Acheap-trav..." "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.35 (KHTML, like Gecko) Ubuntu/10.10 Chromium/13.0.764.0 Chrome/13.0.764.0 Safari/534.35" www.squeakci.org:80
142.91.217.190 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.globaltakeoff.net/st?ad_type=iframe&ad_size=300x250%C2%A7ion=2... HTTP/1.0" 404 558 "http://www.ttfemalehealth.com/index.php?option=com_content&view=article&..." "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.8.99 Version/11.10" www.squeakci.org:80
142.91.189.47 - - [25/Oct/2012:14:30:31 +0200] "GET http://ad.adserverplus.com/st?ad_type=iframe&ad_size=300x250%C2%A7ion=32... HTTP/1.0" 404 558 "http://newsja.com/index.php?view=article&catid=35%3Acelebrity&id=845..." "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
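The following is an added example, not part of Chris's message and not code from the squeakci.org setup. It scans lines in the log format shown in the footnotes above (Apache combined format followed by the "vhost:port" field) and separates ordinary requests from forward-proxy requests. The tell-tale is the request-target: a browser talking to this server directly sends "GET /ajaxExecutors", while a client that believes it is talking to a forward proxy sends "GET http://ad.yieldmanager.com/..." with a host that is not ours. The status code is the part worth watching after a config change: a 2xx or 3xx on such a line means the third party's response was relayed through us, while a 404 means it was not. The hostnames in OUR_HOSTS are assumed from the ServerName/ServerAlias in the stanza, and the sample log lines are constructed, modelled on the excerpts above.

```python
#!/usr/bin/env python3
"""Flag open-proxy abuse in an Apache vhost_combined access log.

Added example (assumptions: the log format shown above, and OUR_HOSTS
taken from the VirtualHost's ServerName/ServerAlias).
"""
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this vhost legitimately serves (assumed from the stanza above).
OUR_HOSTS = {"www.squeakci.org", "squeakci.org"}

# Combined log format plus an optional trailing "vhost:port" field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<vhost>\S+))?$'
)


def parse_line(line):
    """Return a dict of fields, or None when the line is not an access log entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def target_host(target):
    """Host named by an absolute-form request-target; "" for origin-form ("/path")."""
    if not target.lower().startswith(("http://", "https://")):
        return ""
    return (urlsplit(target).hostname or "").lower()


def is_forward_proxy_request(entry):
    """True when the client asked us to fetch a URL on a host we do not serve."""
    host = target_host(entry["target"])
    return bool(host) and host not in OUR_HOSTS


def summarize(lines):
    """Count forward-proxy attempts and, more importantly, how many were relayed.

    A 2xx/3xx status on a forward-proxy request means the third-party response
    reached the client through this server; 4xx means it did not.
    Takes any iterable of lines, so a large log file can be streamed.
    """
    report = {"total": 0, "unparsed": 0, "proxy_attempts": 0, "proxy_relayed": 0,
              "by_client": Counter(), "by_target_host": Counter()}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            report["unparsed"] += 1
            continue
        report["total"] += 1
        if not is_forward_proxy_request(entry):
            continue
        report["proxy_attempts"] += 1
        report["by_client"][entry["client"]] += 1
        report["by_target_host"][target_host(entry["target"])] += 1
        if entry["status"] < 400:
            report["proxy_relayed"] += 1
    return report


# Constructed sample lines modelled on the excerpts above (not real log data).
SAMPLE_LOG = """\
92.17.231.188 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0" www.squeakci.org:80
184.22.82.217 - - [23/Oct/2012:07:52:55 +0200] "GET http://ad.example.net/st?ad_type=iframe HTTP/1.0" 200 4982 "http://www.example.com/" "Mozilla/4.0" www.squeakci.org:80
184.22.82.217 - - [23/Oct/2012:07:52:56 +0200] "GET http://ad.example.net/imp?Z=300x250 HTTP/1.0" 302 712 "http://ad.example.net/st" "Mozilla/4.0" www.squeakci.org:80
92.17.231.188 - - [23/Oct/2012:07:52:57 +0200] "POST /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0" www.squeakci.org:80
108.62.111.169 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.example.org/st?ad_size=160x600 HTTP/1.0" 404 558 "http://example.com/" "Mozilla/4.0" www.squeakci.org:80
10.0.0.5 - - [25/Oct/2012:14:31:00 +0200] "GET http://www.squeakci.org/ HTTP/1.1" 200 1200 "-" "curl/7.22.0" www.squeakci.org:80
this line is not an access log entry
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            r = summarize(f)
    else:
        r = summarize(SAMPLE_LOG.splitlines())
    print(f"{r['total']} entries, {r['unparsed']} unparsed")
    print(f"{r['proxy_attempts']} forward-proxy requests, {r['proxy_relayed']} relayed (2xx/3xx)")
    for client, n in r["by_client"].most_common(10):
        print(f"  client {client}: {n}")
    for host, n in r["by_target_host"].most_common(10):
        print(f"  target {host}: {n}")
```

Run it as `python3 proxycheck.py /var/log/apache2/other_vhosts_access.log` (the script name is a placeholder); the file is streamed line by line, which matters for a 2 GB log. An absolute-URI request for our own host (the 10.0.0.5 line in the sample) is deliberately not counted, since a legitimate client may send that form. For a quick end-to-end check after the stanza change, `curl -sI -x www.squeakci.org:80 http://example.com/` should not come back with example.com's response headers once forward proxying is off.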