OK. You want to identify all non-local requests and nullify them. I am away from a terminal at the moment, so I'll be able to do it in an hour.
Chris
On Thu, Oct 25, 2012 at 9:19 AM, Levente Uzonyi leves@elte.hu wrote:
The ProxyRequests Off line stops Apache from working as a forward proxy. The <Proxy> block is only necessary to allow proxying if other parts of the Apache config deny it (the default on most Linux distributions). More details here: https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache
Currently the server returns a 200 response for all non-local requests, but it serves the Jenkins page instead of what was requested. In order to get rid of this extra load we should reject all non-local requests. It can be done with RewriteEngine:
execute: sudo a2enmod rewrite
add the following to the configuration:
RewriteEngine On
# %{THE_REQUEST} is the raw request line; an absolute URI after the method
# (e.g. "GET http://example.net/ HTTP/1.0") is a forward-proxy request
RewriteCond %{THE_REQUEST} ^GET\ http(s?)://
# Answer 403 Forbidden instead of passing the request on to Jenkins
RewriteRule .* - [F]
Then restart apache.
Levente
On Thu, 25 Oct 2012, Chris Cunnington wrote:
Levente was right about the open proxy exploitation. [1] It has stopped now. [Editor's Note: No it hasn't.] The last one was at 7:52 on 23 Oct. This server is on CEST time, so subtracting six hours that would be 1:52 here in eastern North America. The GET requests display exploitation when they are asking for a server that is not ours. The request for http://ad.yieldmanager.com is an example. I don't suppose there's any real damage, but it is my mistake.
The open proxy exploitation was followed by many POST requests. [2] Notice the size of this log file:
-rw-r----- 1 root adm 2173022665 Oct 25 14:20 other_vhosts_access.log
What is that? To my eyes that's 2.02 Gigs of data collected over maybe ~72 hours. Many [2] are POST requests. I can't say what ajaxExecutors or ajaxBuildQueue is. It is definitely part of Jenkins, I'm just not sure what part. I'll look into it.
Actually, I'm wrong [3]. We're still being exploited as an open proxy. Those are the latest results from the log file.
I've changed the stanza to the following and restarted:
<VirtualHost *:80>
    ServerName www.squeakci.org
    ServerAlias squeakci.org
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
And will check the log file again in two hours.
Chris
[1]
92.17.231.188 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:55 +0200] "POST /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:55 +0200] "GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL} HTTP/1.0" 200 4982 "http://www.file4dvd.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:56 +0200] "GET http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 HTTP/1.0" 302 712 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:57 +0200] "GET http://cookex.amp.yahoo.com/v2/cexposer/SIG=13rmsj29b/*http%3A//ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 HTTP/1.0" 302 751 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:59 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:59 +0200] "GET http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1&SIG=10vqkkp1b;x-cookie=2awvieq88pp7t&o=3&f=hn HTTP/1.0" 200 1806 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
[2]
92.17.231.188 - - [23/Oct/2012:04:41:01 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:03 +0200] "POST /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:06 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
[3]
108.62.111.169 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 HTTP/1.0" 404 558 "http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzIxOjIwMTItMDEtMjAtMDAtMjAtNDMmY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; .NET CLR 2.0.50727; SLCC1; Media Center PC 5.0; .NET CLR 3.0.04506)"
www.squeakci.org:80 50.93.195.16 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=1949015 HTTP/1.0" 404 558 "http://www.suddengame.com/index.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; Media Center PC 5.0; .NET CLR 2.0.50727)"
www.squeakci.org:80 23.19.67.38 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.adserverplus.com/st?ad_type=iframe&ad_size=728x90&section=2898706&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://femaleapple.com/index.php?option=com_content&view=article&id=6299:2012-01-15-02-21-55&catid=42:health-retreats-for-women&Itemid=98" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
www.squeakci.org:80 108.62.178.236 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.tagjunction.com/st?ad_type=iframe&ad_size=300x250&section=2933804&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://bestmylive.com/index.php?option=com_mailto&tmpl=component&link=73209a6d834187689d81fdf71892184b784d8229" "Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)"
www.squeakci.org:80 108.62.75.188 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.globe7.com/st?ad_type=iframe&ad_size=160x600&section=3542181&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://fashionarrow.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2Zhc2hpb25hcnJvdy5jb20vaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MjY0OTI6MjAxMS0xMi0xOS0xNi00OS0yMSZjYXRpZD00MDpzaG9wLW9ubGluZS1mYXNoaW9uJkl0ZW1pZD05Ng==" "Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.53"
www.squeakci.org:80 173.208.94.17 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 HTTP/1.0" 404 558 "http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzQ3OjIwMTItMDEtMjAtMDAtMjAtNTImY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; Win32)"
www.squeakci.org:80 142.91.189.9 - - [25/Oct/2012:14:30:30 +0200] "GET http://ads1.ministerial5.com/creative/2-002134057-00001i;size=4 HTTP/1.0" 404 558 "http://travellingonroad.com/index.php?view=article&catid=34%3Acheap-travel&id=3332%3A2012-09-28-09-22-24&format=pdf&option=com_content&Itemid=53" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.35 (KHTML, like Gecko) Ubuntu/10.10 Chromium/13.0.764.0 Chrome/13.0.764.0 Safari/534.35"
www.squeakci.org:80 142.91.217.190 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.globaltakeoff.net/st?ad_type=iframe&ad_size=300x250&section=2186435&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://www.ttfemalehealth.com/index.php?option=com_content&view=article&id=1675:2011-07-11-01-05-13&catid=37:mental-health&Itemid=56" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.8.99 Version/11.10"
www.squeakci.org:80 142.91.189.47 - - [25/Oct/2012:14:30:31 +0200] "GET http://ad.adserverplus.com/st?ad_type=iframe&ad_size=300x250&section=3256421&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://newsja.com/index.php?view=article&catid=35%3Acelebrity&id=8455%3A2012-05-16-13-06-32&tmpl=component&print=1&layout=default&page=&option=com_content&Itemid=54" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
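As an added example (not code from the thread or from the squeakci.org server), a Python parser for other_vhosts_access.log lines in the format quoted above that flags forward-proxy requests (an absolute URI in the request line), tallies them per client and per target host, and checks each request line against the RewriteCond pattern Levente proposed; it goes one step beyond the thread by showing that the pattern, which matches only GET, would not reject an absolute-URI POST. The sample lines, addresses and hostnames are constructed.

```python
import re
from collections import Counter

# Apache vhost_combined line (other_vhosts_access.log), the format of the thread's excerpts:
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
# The vhost:port prefix is optional so a line copied without it still parses.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+):(?P<port>\d+) )?(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# The RewriteCond pattern from the thread; mod_rewrite tests it against %{THE_REQUEST},
# the raw request line, e.g. "GET http://ad.example.net/st HTTP/1.0".
REWRITE_COND = re.compile(r'^GET\ http(s?)://')
# An absolute URI as request target marks a forward-proxy request; origin requests carry a path.
ABSOLUTE_URI = re.compile(r'^[A-Z]+ https?://(?P<host>[^/ ]+)')

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return (is_proxy_request, target_host, blocked_by_rewrite_cond) for one parsed entry."""
    request = entry["request"]
    m = ABSOLUTE_URI.match(request)
    if not m:
        return (False, None, False)
    return (True, m.group("host"), REWRITE_COND.match(request) is not None)

def summarize(lines):
    """Count proxy requests per client and per target host, and how many the rule would reject."""
    by_client, by_target = Counter(), Counter()
    counts = {"local": 0, "blocked": 0, "missed": 0}
    for entry in filter(None, map(parse_line, lines)):
        is_proxy, host, would_block = classify(entry)
        if not is_proxy:
            counts["local"] += 1
            continue
        by_client[entry["client"]] += 1
        by_target[host] += 1
        counts["blocked" if would_block else "missed"] += 1
    return {**counts, "by_client": dict(by_client), "by_target": dict(by_target)}

# Constructed sample lines in the thread's log format (RFC 5737 addresses, example hosts).
SAMPLE = [
    'www.squeakci.org:80 192.0.2.10 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0"',
    'www.squeakci.org:80 198.51.100.7 - - [23/Oct/2012:07:52:55 +0200] "GET http://ad.example.net/st?ad_type=iframe HTTP/1.0" 200 4982 "http://www.example.org/" "Mozilla/4.0"',
    '198.51.100.7 - - [23/Oct/2012:07:52:56 +0200] "GET https://ad.example.net/imp?Z=300x250 HTTP/1.0" 302 712 "-" "Mozilla/4.0"',
    'www.squeakci.org:80 203.0.113.4 - - [23/Oct/2012:07:52:57 +0200] "POST http://ad.example.com/track HTTP/1.0" 200 100 "-" "Mozilla/4.0"',
]
print(summarize(SAMPLE))
```

The "missed" count is the number of proxy requests the GET-only RewriteCond would let through; a non-zero value means the method list in the pattern needs widening.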