[Box-Admins] The story from the log files

Levente Uzonyi leves at elte.hu
Thu Oct 25 13:19:50 UTC 2012


The ProxyRequests Off line stops apache working as a forward proxy. The 
<proxy> block is only necessary to allow proxying if other parts of the 
apache config deny it (default on most linuxes). More details here: 
https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache

Currently the server returns a 200 response for all non-local requests, but 
it serves the jenkins page instead of what was requested. In order to get 
rid of this extra load we should reject all non-local requests. It can be 
done with RewriteEngine:

execute: sudo a2enmod rewrite

add the following to the configuration:

         RewriteEngine On
         RewriteCond %{THE_REQUEST} ^GET\ http(s?)://
         RewriteRule .* - [F]

Then restart apache.


Levente
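The two checks discussed in this thread, telling forward-proxy requests (absolute URI for a host we don't serve) apart from normal Jenkins traffic, and seeing which of them the proposed RewriteCond would actually reject, can be run over the access log directly. The script below is an added example for this thread, not code from the original message or from Jenkins or Apache. It assumes the other_vhosts_access.log layout seen above (an optional "vhost:port" prefix followed by the combined log format), assumes the set of hosts this server legitimately answers for (OWN_HOSTS), and works on constructed sample lines using documentation-range IPs rather than the real excerpts:

```python
"""Flag forward-proxy abuse in Apache access logs.

Added example for this thread, not code from the original message. It assumes
the other_vhosts_access.log layout shown in the thread (an optional
"vhost:port" prefix followed by the combined log format) and uses constructed
sample lines with documentation-range IP addresses.
"""
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Hosts this Apache instance legitimately serves (assumption for the example).
OWN_HOSTS = {"squeakci.org", "www.squeakci.org", "127.0.0.1"}

# Combined log format, optionally prefixed with "vhost:port " as in
# other_vhosts_access.log. Only the fields needed for the checks are captured.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+):(?P<port>\d+)\s+)?'
    r'(?P<client>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/(?P<version>[\d.]+)"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)'
)

# Constructed sample lines modelled on the thread's log excerpts.
SAMPLE_LOG = [
    # Ordinary Jenkins UI poll: origin-form target, no vhost prefix on this line.
    '203.0.113.10 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0"',
    # Proxy abuse that was actually served (200): absolute URI to a foreign host.
    'www.squeakci.org:80 198.51.100.7 - - [23/Oct/2012:07:52:55 +0200] "GET http://ads.example.net/st?ad_size=300x250 HTTP/1.0" 200 4982 "http://www.example.org/" "Mozilla/4.0"',
    # Same kind of request after ProxyRequests Off: still arrives, now answered 404.
    'www.squeakci.org:80 198.51.100.8 - - [25/Oct/2012:14:30:30 +0200] "GET http://ads.example.net/imp?x=1 HTTP/1.0" 404 558 "-" "Mozilla/4.0"',
    # Absolute URI naming our own host: legal in HTTP/1.1, not proxy abuse.
    'www.squeakci.org:80 203.0.113.11 - - [23/Oct/2012:08:00:00 +0200] "GET http://www.squeakci.org/job/x/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    # CONNECT tunnel attempt: a proxy request whose target is host:port, not a URL.
    'www.squeakci.org:80 198.51.100.9 - - [25/Oct/2012:14:31:00 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 404 558 "-" "-"',
    # Junk line that the parser must skip rather than crash on.
    'not a log line',
]


def parse_line(line):
    """Return a dict of the captured fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec, own_hosts=OWN_HOSTS):
    """'tunnel' for CONNECT, 'proxy' for an absolute-URI request aimed at a
    host we do not serve, 'origin' for everything else."""
    if rec["method"] == "CONNECT":
        return "tunnel"
    parts = urlsplit(rec["target"])
    if parts.scheme in ("http", "https") and parts.hostname:
        if parts.hostname.lower() not in own_hosts:
            return "proxy"
    return "origin"


def get_rule_matches(rec):
    """Mirror the thread's RewriteCond (GET followed by an absolute http/https
    URL) applied to THE_REQUEST, i.e. "METHOD target HTTP/x.y", to show which
    flagged requests that rule rejects and which (POST, CONNECT) it does not."""
    the_request = f'{rec["method"]} {rec["target"]} HTTP/{rec["version"]}'
    return re.match(r'^GET http(s?)://', the_request) is not None


def summarize(lines, own_hosts=OWN_HOSTS):
    """Count request classes, abusing clients, and abuse that got a 2xx/3xx."""
    out = {"parsed": 0, "unparsed": 0, "by_class": Counter(),
           "abuse_clients": Counter(), "served_abuse": 0,
           "abuse_missed_by_get_rule": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"] += 1
            continue
        out["parsed"] += 1
        kind = classify(rec, own_hosts)
        out["by_class"][kind] += 1
        if kind != "origin":
            out["abuse_clients"][rec["client"]] += 1
            if rec["status"] < 400:   # request was actually proxied, not refused
                out["served_abuse"] += 1
            if not get_rule_matches(rec):
                out["abuse_missed_by_get_rule"] += 1
    return out


if __name__ == "__main__":
    # Usage: python proxy_abuse.py [other_vhosts_access.log]; defaults to the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report = summarize(line.rstrip("\n") for line in fh)
    else:
        report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The classifier is method-agnostic and also treats CONNECT as a proxy request, whereas the RewriteCond in the message anchors on GET only; the "abuse_missed_by_get_rule" counter makes that difference visible on your own log before you decide whether the rule is enough. "served_abuse" separates requests that were really relayed (2xx/3xx, the situation before ProxyRequests Off) from ones that merely arrived and were answered 404, which is the load Levente's rewrite rule is meant to shed.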

On Thu, 25 Oct 2012, Chris Cunnington wrote:

>
> Levente was right about the open proxy exploitation. [1] It has stopped now. 
> [Editor's Note: No it hasn't.] The last one was at 7:52 on 23 Oct. This 
> server is on CEST time, so subtracting six hours that would be 1:52 here in 
> eastern North America. The GET requests display exploitation when they are 
> asking for a server that is not ours. The request for 
> http://ad.yieldmanager.com is an example. I don't suppose there's any real 
> damage, but it is my mistake.
>
> The open proxy exploitation was followed by many POST requests. [2] Notice 
> the size of this log file:
>
> -rw-r----- 1 root adm  2173022665 Oct 25 14:20 other_vhosts_access.log
>
> What is that? To my eyes that's 2.02 Gigs of data collected over maybe ~72 
> hours. Many [2] are POST requests. I can't say what ajaxExecutors or 
> ajaxBuildQueue is. It is definitely part of Jenkins, I'm just not sure what 
> part. I'll look into it.
>
> Actually, I'm wrong. [3]. We're still being exploited as an open proxy. Those 
> are the latest results from the log file.
>
> I've changed the stanza to and restarted:
>
> <VirtualHost *:80>
>    ServerName www.squeakci.org
>    ServerAlias squeakci.org
>    ProxyRequests Off
>    ProxyPreserveHost On
>    ProxyPass / http://127.0.0.1:8080/
>    ProxyPassReverse / http://127.0.0.1:8080/
>    <Proxy *>
>        Order deny,allow
>        Allow from all
>    </Proxy>
> </VirtualHost>
>
> And will check the log file again in two hours.
>
> Chris
>
>
> [1]
>
> 92.17.231.188 - - [23/Oct/2012:07:52:54 +0200] "POST /ajaxExecutors HTTP/1.1" 
> 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 
> 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 
> Safari/536.26.14"
> www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:55 +0200] "POST 
> /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 
> (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) 
> Version/6.0.1 Safari/536.26.14"
> www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:55 +0200] "GET 
> http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL} 
> HTTP/1.0" 200 4982 "http://www.file4dvd.com" "Mozilla/4.0 (compatible; MSIE 
> 5.01; Windows 98)"
> www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:56 +0200] "GET 
> http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 
> HTTP/1.0" 302 712 
> "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" 
> "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
> www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:57 +0200] "GET 
> http://cookex.amp.yahoo.com/v2/cexposer/SIG=13rmsj29b/*http%3A//ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1 
> HTTP/1.0" 302 751 
> "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" 
> "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
> www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:07:52:59 +0200] "POST 
> /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 
> (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) 
> Version/6.0.1 Safari/536.26.14"
> www.squeakci.org:80 184.22.82.217 - - [23/Oct/2012:07:52:59 +0200] "GET 
> http://ad.yieldmanager.com/imp?Z=300x250&s=3007994&T=3&_salt=1911752854&B=12&m=2&u=http%3A%2F%2Fwww.file4dvd.com%2F&r=1&SIG=10vqkkp1b;x-cookie=2awvieq88pp7t&o=3&f=hn 
> HTTP/1.0" 200 1806 
> "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=3007994&pub_url=${PUB_URL}" 
> "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
>
> [2]
>
> 92.17.231.188 - - [23/Oct/2012:04:41:01 +0200] "POST /ajaxExecutors HTTP/1.1" 
> 200 545 "http://squeakci.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 
> 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 
> Safari/536.26.14"
> www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:03 +0200] "POST 
> /ajaxBuildQueue HTTP/1.1" 200 415 "http://squeakci.org/" "Mozilla/5.0 
> (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) 
> Version/6.0.1 Safari/536.26.14"
> www.squeakci.org:80 92.17.231.188 - - [23/Oct/2012:04:41:06 +0200] "POST 
> /ajaxExecutors HTTP/1.1" 200 545 "http://squeakci.org/" "Mozilla/5.0 
> (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) 
> Version/6.0.1 Safari/536.26.14"
>
>
> [3]
>
> 108.62.111.169 - - [25/Oct/2012:14:30:30 +0200] "GET 
> http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 
> HTTP/1.0" 404 558 
> "http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzIxOjIwMTItMDEtMjAtMDAtMjAtNDMmY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" 
> "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; .NET CLR 
> 2.0.50727; SLCC1; Media Center PC 5.0; .NET CLR 3.0.04506)"
> www.squeakci.org:80 50.93.195.16 - - [25/Oct/2012:14:30:30 +0200] "GET 
> http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=1949015 
> HTTP/1.0" 404 558 "http://www.suddengame.com/index.html" "Mozilla/4.0 
> (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; Media Center PC 5.0; 
> .NET CLR 2.0.50727)"
> www.squeakci.org:80 23.19.67.38 - - [25/Oct/2012:14:30:30 +0200] "GET 
> http://ad.adserverplus.com/st?ad_type=iframe&ad_size=728x90&section=2898706&pub_url=${PUB_URL} 
> HTTP/1.0" 404 558 
> "http://femaleapple.com/index.php?option=com_content&view=article&id=6299:2012-01-15-02-21-55&catid=42:health-retreats-for-women&Itemid=98" 
> "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.0.5) Gecko/2008120122 
> Firefox/3.0.5"
> www.squeakci.org:80 108.62.178.236 - - [25/Oct/2012:14:30:30 +0200] "GET 
> http://ad.tagjunction.com/st?ad_type=iframe&ad_size=300x250&section=2933804&pub_url=${PUB_URL} 
> HTTP/1.0" 404 558 
> "http://bestmylive.com/index.php?option=com_mailto&tmpl=component&link=73209a6d834187689d81fdf71892184b784d8229" 
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)"
> www.squeakci.org:80 108.62.75.188 - - [25/Oct/2012:14:30:30 +0200] "GET 
> http://ad.globe7.com/st?ad_type=iframe&ad_size=160x600&section=3542181&pub_url=${PUB_URL} 
> HTTP/1.0" 404 558 
> "http://fashionarrow.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2Zhc2hpb25hcnJvdy5jb20vaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MjY0OTI6MjAxMS0xMi0xOS0xNi00OS0yMSZjYXRpZD00MDpzaG9wLW9ubGluZS1mYXNoaW9uJkl0ZW1pZD05Ng==" 
> "Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 
> Opera 10.53"
> www.squeakci.org:80 173.208.94.17 - - [25/Oct/2012:14:30:30 +0200] "GET 
> http://ad.scanmedios.com/st?ad_type=iframe&ad_size=160x600&section=3522623 
> HTTP/1.0" 404 558 
> "http://classidressing.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2NsYXNzaWRyZXNzaW5nLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD05MzQ3OjIwMTItMDEtMjAtMDAtMjAtNTImY2F0aWQ9NDU6d29tZW4tZmFzaGlvbi10cmVuZHMmSXRlbWlkPTEwMQ==" 
> "Mozilla/4.0 (compatible; MSIE 6.0; Update a; Win32)"
> www.squeakci.org:80 142.91.189.9 - - [25/Oct/2012:14:30:30 +0200] "GET 
> http://ads1.ministerial5.com/creative/2-002134057-00001i;size=4 HTTP/1.0" 404 
> 558 
> "http://travellingonroad.com/index.php?view=article&catid=34%3Acheap-travel&id=3332%3A2012-09-28-09-22-24&format=pdf&option=com_content&Itemid=53" 
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.35 (KHTML, like Gecko) 
> Ubuntu/10.10 Chromium/13.0.764.0 Chrome/13.0.764.0 Safari/534.35"
> www.squeakci.org:80 142.91.217.190 - - [25/Oct/2012:14:30:30 +0200] "GET 
> http://ad.globaltakeoff.net/st?ad_type=iframe&ad_size=300x250&section=2186435&pub_url=${PUB_URL} 
> HTTP/1.0" 404 558 
> "http://www.ttfemalehealth.com/index.php?option=com_content&view=article&id=1675:2011-07-11-01-05-13&catid=37:mental-health&Itemid=56" 
> "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.8.99 Version/11.10"
> www.squeakci.org:80 142.91.189.47 - - [25/Oct/2012:14:30:31 +0200] "GET 
> http://ad.adserverplus.com/st?ad_type=iframe&ad_size=300x250&section=3256421&pub_url=${PUB_URL} 
> HTTP/1.0" 404 558 
> "http://newsja.com/index.php?view=article&catid=35%3Acelebrity&id=8455%3A2012-05-16-13-06-32&tmpl=component&print=1&layout=default&page=&option=com_content&Itemid=54" 
> "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
>

