[Box-Admins] The story from the log files

Chris Cunnington smalltalktelevision at gmail.com
Thu Oct 25 13:50:04 UTC 2012


OK. You want to identify all non-local requests and nullify them. I am away
from a terminal at the moment, so I'll be able to do it in an hour.

Chris

On Thu, Oct 25, 2012 at 9:19 AM, Levente Uzonyi <leves at elte.hu> wrote:

> The ProxyRequests Off line stops apache working as a forward proxy. The
> <proxy> block is only necessary to allow proxying if other parts of the
> apache config deny it (default on most linuxes). More details here:
> https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache
>
> Currently the server returns a 200 response for all non-local requests, but
> it serves the Jenkins page instead of what was requested. In order to get
> rid of this extra load we should reject all non-local requests. It can be
> done with RewriteEngine:
>
> execute: sudo a2enmod rewrite
>
> add the following to the configuration:
>
>         RewriteEngine On
>         RewriteCond %{THE_REQUEST} ^GET\ http(s?)://
>         RewriteRule .* - [F]
>
> Then restart apache.
>
>
> Levente
>
>
> On Thu, 25 Oct 2012, Chris Cunnington wrote:
>
>
>> Levente was right about the open proxy exploitation. [1] It has stopped
>> now. [Editor's Note: No it hasn't.] The last one was at 7:52 on 23 Oct.
>> This server is on CEST time, so subtracting six hours that would be 1:52
>> here in eastern North America. The GET requests display exploitation when
>> they are asking for a server that is not ours. The request for
>> http://ad.yieldmanager.com is an example. I don't suppose there's any
>> real damage, but it is my mistake.
>>
>> The open proxy exploitation was followed by many POST requests. [2]
>> Notice the size of this log file:
>>
>> -rw-r----- 1 root adm  2173022665 Oct 25 14:20 other_vhosts_access.log
>>
>> What is that? To my eyes that's 2.02 Gigs of data collected over maybe
>> ~72 hours. Many [2] are POST requests. I can't say what ajaxExecutors or
>> ajaxBuildQueue is. It is definitely part of Jenkins, I'm just not sure what
>> part. I'll look into it.
>>
>> Actually, I'm wrong. [3]. We're still being exploited as an open proxy.
>> Those are the latest results from the log file.
>>
>> I've changed the stanza to the following and restarted:
>>
>> <VirtualHost *:80>
>>    ServerName www.squeakci.org
>>    ServerAlias squeakci.org
>>    ProxyRequests Off
>>    ProxyPreserveHost On
>>    ProxyPass / http://127.0.0.1:8080/
>>    ProxyPassReverse / http://127.0.0.1:8080/
>>    <Proxy *>
>>        Order deny,allow
>>        Allow from all
>>    </Proxy>
>> </VirtualHost>
>>
>> And will check the log file again in two hours.
>>
>> Chris
>>
>>
>> [1]
>>
>> 92.17.231.188 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
>> www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:55 +0200] "POST /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
>> www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:55 +0200] "GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL} HTTP/1.0" 200 4982 "http://www.file4dvd.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
>> www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:56 +0200] "GET http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 HTTP/1.0" 302 712 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
>> www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:57 +0200] "GET http://cookex.amp.yahoo.com/v2/cexposer/SIG=13rmsj29b/*http%3A//ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 HTTP/1.0" 302 751 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
>> www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:59 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
>> www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:59 +0200] "GET http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1&SIG=10vqkkp1b;x-cookie=2awvieq88pp7t&o=3&f=hn HTTP/1.0" 200 1806 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
>>
>> [2]
>>
>> 92.17.231.188 - - [23/Oct/2012:04:41:01 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
>> www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:03 +0200] "POST /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
>> www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:06 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
>>
>>
>> [3]
>>
>> 108.62.111.169 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 HTTP/1.0" 404 558 "http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzIxOjIwMTItMDEtMjAtMDAtMjAtNDMmY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; .NET CLR 2.0.50727; SLCC1; Media Center PC 5.0; .NET CLR 3.0.04506)"
>> www.squeakci.org:80 50.93.195.16 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=1949015 HTTP/1.0" 404 558 "http://www.suddengame.com/index.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; Media Center PC 5.0; .NET CLR 2.0.50727)"
>> www.squeakci.org:80 23.19.67.38 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.adserverplus.com/st?ad_type=iframe&ad_size=728x90&section=2898706&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://femaleapple.com/index.php?option=com_content&view=article&id=6299:2012-01-15-02-21-55&catid=42:health-retreats-for-women&Itemid=98" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
>> www.squeakci.org:80 108.62.178.236 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.tagjunction.com/st?ad_type=iframe&ad_size=300x250&section=2933804&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://bestmylive.com/index.php?option=com_mailto&tmpl=component&link=73209a6d834187689d81fdf71892184b784d8229" "Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)"
>> www.squeakci.org:80 108.62.75.188 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.globe7.com/st?ad_type=iframe&ad_size=160x600&section=3542181&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://fashionarrow.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2Zhc2hpb25hcnJvdy5jb20vaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MjY0OTI6MjAxMS0xMi0xOS0xNi00OS0yMSZjYXRpZD00MDpzaG9wLW9ubGluZS1mYXNoaW9uJkl0ZW1pZD05Ng==" "Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.53"
>> www.squeakci.org:80 173.208.94.17 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 HTTP/1.0" 404 558 "http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzQ3OjIwMTItMDEtMjAtMDAtMjAtNTImY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; Win32)"
>> www.squeakci.org:80 142.91.189.9 - - [25/Oct/2012:14:30:30 +0200] "GET http://ads1.ministerial5.com/creative/2-002134057-00001i;size=4 HTTP/1.0" 404 558 "http://travellingonroad.com/index.php?view=article&catid=34%3Acheap-travel&id=3332%3A2012-09-28-09-22-24&format=pdf&option=com_content&Itemid=53" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.35 (KHTML, like Gecko) Ubuntu/10.10 Chromium/13.0.764.0 Chrome/13.0.764.0 Safari/534.35"
>> www.squeakci.org:80 142.91.217.190 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.globaltakeoff.net/st?ad_type=iframe&ad_size=300x250&section=2186435&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://www.ttfemalehealth.com/index.php?option=com_content&view=article&id=1675:2011-07-11-01-05-13&catid=37:mental-health&Itemid=56" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.8.99 Version/11.10"
>> www.squeakci.org:80 142.91.189.47 - - [25/Oct/2012:14:30:31 +0200] "GET http://ad.adserverplus.com/st?ad_type=iframe&ad_size=300x250&section=3256421&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://newsja.com/index.php?view=article&catid=35%3Acelebrity&id=8455%3A2012-05-16-13-06-32&tmpl=component&print=1&layout=default&page=&option=com_content&Itemid=54" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
>>
>>
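Added example, not code from this thread or from Apache/Jenkins: a small Python checker that walks access-log lines of the shape quoted above and flags the requests an open forward proxy's abusers send, i.e. a target that is an absolute URI for a host this server does not serve, or a CONNECT tunnel request. It goes a little beyond the thread by also testing each flagged request against the pattern of the RewriteCond posted above (`^GET\ http(s?)://`), which only matches GET with an http(s) URL, so the reader can see which proxy-style requests that rule would still let through. The sample log lines are constructed (modelled on the excerpts above, with RFC 5737 documentation addresses for the made-up clients), and the LOCAL_HOSTS set is an assumption taken from the quoted ServerName/ServerAlias.

```python
"""Spot forward-proxy abuse in Apache access logs (added example, not from the thread).

other_vhosts_access.log prefixes each entry with "vhost:port"; the first line of
each excerpt pasted in the thread lacks that prefix, so both shapes are accepted.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts this server legitimately answers for (assumption, from the quoted VirtualHost).
LOCAL_HOSTS = {"squeakci.org", "www.squeakci.org"}

# Combined log format with an optional leading "vhost:port " field.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+):(?P<port>\d+)\s+)?'
    r'(?P<client>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/(?P<version>[\d.]+)"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)'
    r'(?:\s+"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)")?'
)

# Mirror of the RewriteCond posted in the thread: ^GET\ http(s?)://
GET_ONLY_RULE = re.compile(r'^GET https?://')

# Constructed sample, modelled on the excerpts in the thread.
SAMPLE_LOG = """\
92.17.231.188 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh)"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:55 +0200] "GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250 HTTP/1.0" 200 4982 "http://www.file4dvd.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:56 +0200] "GET http://ad.yieldmanager.com/imp?Z=300x250&s=3007994 HTTP/1.0" 302 712 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 198.51.100.9 - - [23/Oct/2012:07:53:00 +0200] "GET http://www.squeakci.org/job/Squeak/ HTTP/1.1" 200 1000 "-" "curl/7.26.0"
www.squeakci.org:80 203.0.113.7 - - [25/Oct/2012:14:30:30 +0200] "CONNECT mail.example.net:443 HTTP/1.1" 405 0 "-" "-"
www.squeakci.org:80 108.62.111.169 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600 HTTP/1.0" 404 558 "http://classidressing.com/" "Mozilla/4.0 (compatible; MSIE 8.0)"
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def target_host(method, target):
    """Host named by a proxy-style request target, or None for an ordinary path.

    Absolute-form targets ("GET http://host/...") and CONNECT authority-form targets
    ("CONNECT host:port") only make sense to a client that thinks we are a forward proxy.
    """
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed IPv6 literal etc.
        return None
    if parts.scheme in ("http", "https") and parts.netloc:
        return (parts.hostname or "").lower()
    return None


def is_proxy_attempt(entry, local_hosts=LOCAL_HOSTS):
    """True when the request asks us to fetch something on the client's behalf."""
    if entry["method"] == "CONNECT":
        return True
    host = target_host(entry["method"], entry["target"])
    return host is not None and host not in local_hosts


def blocked_by_get_only_rule(entry):
    """Would the thread's RewriteCond (GET plus absolute http(s) URI) reject this request?"""
    request_line = f'{entry["method"]} {entry["target"]} HTTP/{entry["version"]}'
    return GET_ONLY_RULE.match(request_line) is not None


def summarize(lines, local_hosts=LOCAL_HOSTS):
    """Return (proxy_attempts, per_client, per_target_host, not_blocked).

    not_blocked lists the proxy attempts the GET-only rule would still let through.
    """
    attempts, not_blocked = [], []
    per_client, per_host = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_proxy_attempt(entry, local_hosts):
            continue
        attempts.append(entry)
        per_client[entry["client"]] += 1
        per_host[target_host(entry["method"], entry["target"])] += 1
        if not blocked_by_get_only_rule(entry):
            not_blocked.append(entry)
    return attempts, per_client, per_host, not_blocked


if __name__ == "__main__":
    attempts, per_client, per_host, not_blocked = summarize(SAMPLE_LOG.splitlines())
    print(f"{len(attempts)} proxy-style requests")
    for client, n in per_client.most_common():
        print(f"  {client:16} {n}")
    print("most requested upstream hosts:", per_host.most_common(3))
    for e in not_blocked:
        print("would pass the GET-only rule:", e["method"], e["target"])
```

Pointing `summarize` at `open("other_vhosts_access.log")` instead of the sample gives the per-client and per-upstream counts for a real log; the same absolute-URI test is what a RewriteCond on THE_REQUEST applies, so the `not_blocked` list is a quick way to see what a method-specific rule would leave for the server to answer.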