[Box-Admins] The story from the log files

Chris Cunnington smalltalktelevision at gmail.com
Thu Oct 25 12:43:54 UTC 2012


Levente was right about the open proxy exploitation. [1] It has stopped 
now. [Editor's Note: No it hasn't.] The last one was at 7:52 on 23 Oct. 
This server is on CEST time, so subtracting six hours that would be 1:52 
here in eastern North America. The GET requests display exploitation when 
they are asking for a server that is not ours. The request for 
http://ad.yieldmanager.com is an example. I don't suppose there's any 
real damage, but it is my mistake.

The open proxy exploitation was followed by many POST requests. [2] 
Notice the size of this log file:

-rw-r----- 1 root adm  2173022665 Oct 25 14:20 other_vhosts_access.log

What is that? To my eyes that's 2.02 Gigs of data collected over maybe 
~72 hours. Many [2] are POST requests. I can't say what ajaxExecutors or 
ajaxBuildQueue is. It is definitely part of Jenkins, I'm just not sure 
what part. I'll look into it.

Actually, I'm wrong. [3] We're still being exploited as an open proxy. 
Those are the latest results from the log file.

I've changed the stanza to the following and restarted:

<VirtualHost *:80>
     ServerName www.squeakci.org
     ServerAlias squeakci.org
     # Off: Apache no longer acts as a forward proxy for arbitrary hosts.
     ProxyRequests Off
     ProxyPreserveHost On
     # Reverse-proxy everything on this vhost to the local Jenkins on 8080.
     ProxyPass / http://127.0.0.1:8080/
     ProxyPassReverse / http://127.0.0.1:8080/
     <Proxy *>
         Order deny,allow
         Allow from all
     </Proxy>
</VirtualHost>

And will check the log file again in two hours.

Chris


[1]

92.17.231.188 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors 
HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel 
Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 
Safari/536.26.14"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:55 +0200] "POST 
/ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like 
Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:55 +0200] "GET 
http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL} 
HTTP/1.0" 200 4982 "http://www.file4dvd.com" "Mozilla/4.0 (compatible; 
MSIE 5.01; Windows 98)"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:56 +0200] "GET 
http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 
HTTP/1.0" 302 712 
"http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" 
"Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:57 +0200] "GET 
http://cookex.amp.yahoo.com/v2/cexposer/SIG=13rmsj29b/*http%3A//ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 
HTTP/1.0" 302 751 
"http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" 
"Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:59 +0200] "POST 
/ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like 
Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:59 +0200] "GET 
http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1&SIG=10vqkkp1b;x-cookie=2awvieq88pp7t&o=3&f=hn 
HTTP/1.0" 200 1806 
"http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" 
"Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"

[2]

92.17.231.188 - - [23/Oct/2012:04:41:01 +0200] "POST /ajaxExecutors 
HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel 
Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 
Safari/536.26.14"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:03 +0200] "POST 
/ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like 
Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:06 +0200] "POST 
/ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like 
Gecko) Version/6.0.1 Safari/536.26.14"


[3]

108.62.111.169 - - [25/Oct/2012:14:30:30 +0200] "GET 
http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 
HTTP/1.0" 404 558 
"http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzIxOjIwMTItMDEtMjAtMDAtMjAtNDMmY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" 
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; .NET CLR 
2.0.50727; SLCC1; Media Center PC 5.0; .NET CLR 3.0.04506)"
www.squeakci.org:80 50.93.195.16 - - [25/Oct/2012:14:30:30 +0200] "GET 
http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=1949015 
HTTP/1.0" 404 558 "http://www.suddengame.com/index.html" "Mozilla/4.0 
(compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; Media Center PC 
5.0; .NET CLR 2.0.50727)"
www.squeakci.org:80 23.19.67.38 - - [25/Oct/2012:14:30:30 +0200] "GET 
http://ad.adserverplus.com/st?ad_type=iframe&ad_size=728x90&section=2898706&pub_url=${PUB_URL} 
HTTP/1.0" 404 558 
"http://femaleapple.com/index.php?option=com_content&view=article&id=6299:2012-01-15-02-21-55&catid=42:health-retreats-for-women&Itemid=98" 
"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.0.5) 
Gecko/2008120122 Firefox/3.0.5"
www.squeakci.org:80 108.62.178.236 - - [25/Oct/2012:14:30:30 +0200] "GET 
http://ad.tagjunction.com/st?ad_type=iframe&ad_size=300x250&section=2933804&pub_url=${PUB_URL} 
HTTP/1.0" 404 558 
"http://bestmylive.com/index.php?option=com_mailto&tmpl=component&link=73209a6d834187689d81fdf71892184b784d8229" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)"
www.squeakci.org:80 108.62.75.188 - - [25/Oct/2012:14:30:30 +0200] "GET 
http://ad.globe7.com/st?ad_type=iframe&ad_size=160x600&section=3542181&pub_url=${PUB_URL} 
HTTP/1.0" 404 558 
"http://fashionarrow.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2Zhc2hpb25hcnJvdy5jb20vaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MjY0OTI6MjAxMS0xMi0xOS0xNi00OS0yMSZjYXRpZD00MDpzaG9wLW9ubGluZS1mYXNoaW9uJkl0ZW1pZD05Ng==" 
"Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.9.1.6) Gecko/20091201 
Firefox/3.5.6 Opera 10.53"
www.squeakci.org:80 173.208.94.17 - - [25/Oct/2012:14:30:30 +0200] "GET 
http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 
HTTP/1.0" 404 558 
"http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzQ3OjIwMTItMDEtMjAtMDAtMjAtNTImY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" 
"Mozilla/4.0 (compatible; MSIE 6.0; Update a; Win32)"
www.squeakci.org:80 142.91.189.9 - - [25/Oct/2012:14:30:30 +0200] "GET 
http://ads1.ministerial5.com/creative/2-002134057-00001i;size=4 
HTTP/1.0" 404 558 
"http://travellingonroad.com/index.php?view=article&catid=34%3Acheap-travel&id=3332%3A2012-09-28-09-22-24&format=pdf&option=com_content&Itemid=53" 
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.35 (KHTML, like Gecko) 
Ubuntu/10.10 Chromium/13.0.764.0 Chrome/13.0.764.0 Safari/534.35"
www.squeakci.org:80 142.91.217.190 - - [25/Oct/2012:14:30:30 +0200] "GET 
http://ad.globaltakeoff.net/st?ad_type=iframe&ad_size=300x250&section=2186435&pub_url=${PUB_URL} 
HTTP/1.0" 404 558 
"http://www.ttfemalehealth.com/index.php?option=com_content&view=article&id=1675:2011-07-11-01-05-13&catid=37:mental-health&Itemid=56" 
"Opera/9.80 (Windows NT 6.0; U; en) Presto/2.8.99 Version/11.10"
www.squeakci.org:80 142.91.189.47 - - [25/Oct/2012:14:30:31 +0200] "GET 
http://ad.adserverplus.com/st?ad_type=iframe&ad_size=300x250&section=3256421&pub_url=${PUB_URL} 
HTTP/1.0" 404 558 
"http://newsja.com/index.php?view=article&catid=35%3Acelebrity&id=8455%3A2012-05-16-13-06-32&tmpl=component&print=1&layout=default&page=&option=com_content&Itemid=54" 
"Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
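As an added example (not part of the post), a small Python checker that applies the rule stated above, that a request whose target is an absolute URL for a host that is not ours is a proxied request, to lines in the other_vhosts_access.log format shown in the excerpts. OUR_HOSTS is taken from the ServerName/ServerAlias in the stanza, and the sample lines are constructed, not real log data.

```python
import re
from urllib.parse import urlsplit

# Hostnames this vhost serves; assumption taken from the ServerName/ServerAlias above.
OUR_HOSTS = {"squeakci.org", "www.squeakci.org"}

# Apache combined format, optionally prefixed with "%v:%p " as in other_vhosts_access.log.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[^\s:]+):(?P<port>\d+) )?'
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_proxy_abuse(rec):
    """A normal request to this vhost carries an origin-form target ("/path");
    a client using the server as an open forward proxy sends an absolute URL
    for some other host, which is the pattern visible in the post's excerpts."""
    target = rec["target"]
    if not target.lower().startswith(("http://", "https://")):
        return False
    host = (urlsplit(target).hostname or "").lower()
    return host not in OUR_HOSTS

def proxy_abuse_report(lines):
    """Count proxied requests overall and per client address."""
    per_client = {}
    total = 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec and is_proxy_abuse(rec):
            total += 1
            per_client[rec["client"]] = per_client.get(rec["client"], 0) + 1
    return total, per_client

# Constructed sample lines in the same format as the post's log excerpts.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0"',
    'www.squeakci.org:80 203.0.113.9 - - [23/Oct/2012:07:52:55 +0200] "GET http://ad.example.net/st?ad_type=iframe&pub_url=${PUB_URL} HTTP/1.0" 200 4982 "http://www.example.com" "Mozilla/4.0"',
    'www.squeakci.org:80 203.0.113.9 - - [23/Oct/2012:07:52:56 +0200] "GET http://ad.example.net/imp?Z=300x250 HTTP/1.0" 302 712 "-" "Mozilla/4.0"',
    'www.squeakci.org:80 198.51.100.7 - - [23/Oct/2012:07:52:59 +0200] "GET http://www.squeakci.org/ HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]
```

Running `proxy_abuse_report` over the real file (for example with `open("other_vhosts_access.log")`) gives a per-client count of proxied requests, which is the quickest way to confirm whether the ProxyRequests Off change actually stopped the traffic.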

