OK. You want to identify all non-local requests and nullify them. I am away from a terminal at the moment, so I'll be able to do it in an hour.

Chris

On Thu, Oct 25, 2012 at 9:19 AM, Levente Uzonyi <leves@elte.hu> wrote:
The ProxyRequests Off line stops apache working as a forward proxy. The <proxy> block is only necessary to allow proxying if other parts of the apache config deny it (default on most linuxes). More details here: https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache

Currently the server returns a 200 response for all non-local requests, but it serves the jenkins page instead of what was requested. In order to get rid of this extra load we should reject all non-local requests. It can be done with RewriteEngine:

execute: sudo a2enmod rewrite

add the following to the configuration:

        RewriteEngine On
        RewriteCond %{THE_REQUEST} ^GET\ http(s?)://
        RewriteRule .* - [F]

Then restart apache.


Levente


On Thu, 25 Oct 2012, Chris Cunnington wrote:


Levente was right about the open proxy exploitation. [1] It has stopped now. [Editor's Note: No it hasn't.] The last one was at 7:52 on 23 Oct. This server is on CEST time, so subtracting six hours that would be 1:52 here in eastern North America. The GET requests display exploitation when they are asking for a server that is not ours. The request for http://ad.yieldmanager.com is an example. I don't suppose there's any real damage, but it is my mistake.

The open proxy exploitation was followed by many POST requests. [2] Notice the size of this log file:

-rw-r----- 1 root adm  2173022665 Oct 25 14:20 other_vhosts_access.log

What is that? To my eyes that's 2.02 Gigs of data collected over maybe ~72 hours. Many [2] are POST requests. I can't say what ajaxExecutors or ajaxBuildQueue is. It is definitely part of Jenkins, I'm just not sure what part. I'll look into it.

Actually, I'm wrong. [3]. We're still being exploited as an open proxy. Those are the latest results from the log file.

I've changed the stanza to the following and restarted:

<VirtualHost *:80>
   ServerName www.squeakci.org
   ServerAlias squeakci.org
   ProxyRequests Off
   ProxyPreserveHost On
   ProxyPass / http://127.0.0.1:8080/
   ProxyPassReverse / http://127.0.0.1:8080/
   <Proxy *>
       Order deny,allow
       Allow from all
   </Proxy>
</VirtualHost>

And will check the log file again in two hours.

Chris


[1]

92.17.231.188 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:55 +0200] "POST /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:55 +0200] "GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL} HTTP/1.0" 200 4982 "http://www.file4dvd.com" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:56 +0200] "GET http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 HTTP/1.0" 302 712 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:57 +0200] "GET http://cookex.amp.yahoo.com/v2/cexposer/SIG=13rmsj29b/*http%3A//ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 HTTP/1.0" 302 751 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:59 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:59 +0200] "GET http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1&SIG=10vqkkp1b;x-cookie=2awvieq88pp7t&o=3&f=hn HTTP/1.0" 200 1806 "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"

[2]

92.17.231.188 - - [23/Oct/2012:04:41:01 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:03 +0200] "POST /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"
www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:06 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14"


[3]

108.62.111.169 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 HTTP/1.0" 404 558 "http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzIxOjIwMTItMDEtMjAtMDAtMjAtNDMmY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; .NET CLR 2.0.50727; SLCC1; Media Center PC 5.0; .NET CLR 3.0.04506)"
www.squeakci.org:80 50.93.195.16 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=1949015 HTTP/1.0" 404 558 "http://www.suddengame.com/index.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; Media Center PC 5.0; .NET CLR 2.0.50727)"
www.squeakci.org:80 23.19.67.38 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.adserverplus.com/st?ad_type=iframe&ad_size=728x90&section=2898706&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://femaleapple.com/index.php?option=com_content&view=article&id=6299:2012-01-15-02-21-55&catid=42:health-retreats-for-women&Itemid=98" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
www.squeakci.org:80 108.62.178.236 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.tagjunction.com/st?ad_type=iframe&ad_size=300x250&section=2933804&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://bestmylive.com/index.php?option=com_mailto&tmpl=component&link=73209a6d834187689d81fdf71892184b784d8229" "Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)"
www.squeakci.org:80 108.62.75.188 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.globe7.com/st?ad_type=iframe&ad_size=160x600&section=3542181&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://fashionarrow.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2Zhc2hpb25hcnJvdy5jb20vaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MjY0OTI6MjAxMS0xMi0xOS0xNi00OS0yMSZjYXRpZD00MDpzaG9wLW9ubGluZS1mYXNoaW9uJkl0ZW1pZD05Ng==" "Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.53"
www.squeakci.org:80 173.208.94.17 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 HTTP/1.0" 404 558 "http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzQ3OjIwMTItMDEtMjAtMDAtMjAtNTImY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; Win32)"
www.squeakci.org:80 142.91.189.9 - - [25/Oct/2012:14:30:30 +0200] "GET http://ads1.ministerial5.com/creative/2-002134057-00001i;size=4 HTTP/1.0" 404 558 "http://travellingonroad.com/index.php?view=article&catid=34%3Acheap-travel&id=3332%3A2012-09-28-09-22-24&format=pdf&option=com_content&Itemid=53" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.35 (KHTML, like Gecko) Ubuntu/10.10 Chromium/13.0.764.0 Chrome/13.0.764.0 Safari/534.35"
www.squeakci.org:80 142.91.217.190 - - [25/Oct/2012:14:30:30 +0200] "GET http://ad.globaltakeoff.net/st?ad_type=iframe&ad_size=300x250&section=2186435&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://www.ttfemalehealth.com/index.php?option=com_content&view=article&id=1675:2011-07-11-01-05-13&catid=37:mental-health&Itemid=56" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.8.99 Version/11.10"
www.squeakci.org:80 142.91.189.47 - - [25/Oct/2012:14:30:31 +0200] "GET http://ad.adserverplus.com/st?ad_type=iframe&ad_size=300x250&section=3256421&pub_url=${PUB_URL} HTTP/1.0" 404 558 "http://newsja.com/index.php?view=article&catid=35%3Acelebrity&id=8455%3A2012-05-16-13-06-32&tmpl=component&print=1&layout=default&page=&option=com_content&Itemid=54" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
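An added example, not code from the thread: a Python checker that applies the same test as Levente's RewriteCond to lines from other_vhosts_access.log, separating absolute-URI requests for foreign hosts (the open-proxy traffic in [1] and [3]) from legitimate local requests, so the log can be re-checked after the config change. The sample lines are constructed in the quoted log format with placeholder client IPs and ad hosts, and LOCAL_HOSTS is assumed from the VirtualHost stanza.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the other_vhosts_access.log layout quoted in the thread
# (vhost:port, then combined log format); IPs and foreign hosts are placeholders.
SAMPLE_LOG = """\
www.squeakci.org:80 192.0.2.10 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0"
www.squeakci.org:80 198.51.100.7 - - [23/Oct/2012:07:52:55 +0200] "GET http://ad.example.net/st?ad_type=iframe HTTP/1.0" 200 4982 "http://example.org/" "Mozilla/4.0"
www.squeakci.org:80 198.51.100.7 - - [23/Oct/2012:07:52:56 +0200] "GET https://ad.example.net/imp?Z=300x250 HTTP/1.0" 302 712 "-" "Mozilla/4.0"
www.squeakci.org:80 203.0.113.5 - - [23/Oct/2012:07:53:01 +0200] "GET http://www.squeakci.org/job/Trunk/ HTTP/1.1" 200 1200 "-" "curl/7.26.0"
www.squeakci.org:80 198.51.100.9 - - [23/Oct/2012:07:53:02 +0200] "CONNECT mail.example.com:443 HTTP/1.1" 200 0 "-" "-"
"""
# Hosts this server legitimately answers for (assumed from the VirtualHost stanza).
LOCAL_HOSTS = {"squeakci.org", "www.squeakci.org", "127.0.0.1", "localhost"}
LINE_RE = re.compile(
    r'^(?:(?P<vhost>\S+) )?(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)
# Same test as the thread's: RewriteCond %{THE_REQUEST} ^GET\ http(s?)://
REWRITECOND_RE = re.compile(r"^GET https?://")


def classify(line):
    """Return (client, kind, host); kind is 'local', 'proxy' or 'connect'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target = m.group("client"), m.group("method"), m.group("target")
    if method == "CONNECT":  # tunnel request: only a forward proxy would honour it
        return client, "connect", target.rsplit(":", 1)[0].lower()
    if re.match(r"https?://", target, re.I):
        host = (urlsplit(target).hostname or "").lower()
        # HTTP/1.1 allows absolute-form targets for the origin itself, so only a
        # foreign host marks a proxy attempt (the GET-only rewrite rule 403s both).
        return client, ("local" if host in LOCAL_HOSTS else "proxy"), host
    return client, "local", (m.group("vhost") or "").split(":")[0]


def blocked_by_rewritecond(line):
    """Would the thread's RewriteCond/RewriteRule answer this request with 403?"""
    m = LINE_RE.match(line)
    return bool(m and REWRITECOND_RE.match(f"{m.group('method')} {m.group('target')}"))


def summarize(log_text):
    """Count non-local (proxy-style) requests per (client, kind, target host)."""
    counts = Counter()
    for line in log_text.splitlines():
        r = classify(line)
        if r and r[1] != "local":
            counts[r] += 1
    return counts
```

The rewrite rule in the thread matches only GET requests with an absolute URI, so classify() also flags CONNECT tunnels, which that rule lets through; ProxyRequests Off is what actually stops Apache from forwarding any of them.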