web server attack (solution & warning)

fbsd_user fbsd_user at a1poweruser.com
Sun Apr 9 16:31:55 UTC 2006

I received this reply from another list.

Going back to the very beginning of your first post - those web
requests you listed as seeing are a bit troublesome.  They all seem
to be probes against your web server to verify if you can be used as
an open proxy server.  The first two requests are from SOCKS proxy
checkers, the 3rd is an HTTP CONNECT check to see if your server
will connect to an SMTP host (for use by SPAMMERS) and the last is a
request to a normal website.  The probes themselves are not what
worries me, as these happen all the time.  What worries me are the
status codes returned by your web server - 200 OK.  This normally
means that your server processed these requests successfully.  Are
you using mod_security to return bogus HTTP Response Codes???  I
sure hope so, otherwise you need to disable the mod_proxy module

I checked my Apache httpd.conf file. The FreeBSD port of
Apache13 activates a lot of standard dso modules and one of them is
the proxy module. I had thought those dso modules had to have a
directive coded for them before they became active. I see now that is
not true. I commented out the load for the proxy module in my
httpd.conf file.

Since many people install the apache port for apache 13 and 2, all
these people have servers that are open for abuse and do not know
it.  The proxy dso module should not be included in the apache port.
Apache port users beware.

   Make sure you don't have mod_proxy enabled in Apache....
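
The check described in this message (probe-style requests answered with 200, plus an uncommented mod_proxy load line in httpd.conf), as an added example that is not part of the original post. The log lines, addresses and config text are constructed samples, and the function names are illustrative.

```python
import re

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*?)" (\d{3}) ')
# Uncommented directives that load the proxy module (LoadModule, or AddModule on 1.3).
PROXY_RE = re.compile(r'^\s*(LoadModule\s+proxy_module\b|AddModule\s+mod_proxy\.c\b)', re.I)

def classify(request):
    """Return the kind of proxy probe a logged request line looks like, or None."""
    parts = request.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "non-http"        # e.g. raw SOCKS handshake bytes logged as the request
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return "connect"         # tunnel request, e.g. to an SMTP host on port 25
    if re.match(r'^[a-z][a-z0-9+.-]*://', target, re.I):
        return "absolute-uri"    # request for another site sent to this server
    return None

def accepted_probes(log_lines):
    """Return (client, kind, status) for probe-like requests answered with 2xx."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        kind = classify(m.group(2)) if m else None
        if kind and m.group(3).startswith("2"):
            hits.append((m.group(1), kind, int(m.group(3))))
    return hits

def active_proxy_directives(conf_text):
    """Return the uncommented httpd.conf lines that load mod_proxy."""
    return [l.strip() for l in conf_text.splitlines() if PROXY_RE.match(l)]

# Constructed sample data (documentation addresses, not taken from the post).
SAMPLE_LOG = [
    r'192.0.2.10 - - [09/Apr/2006:10:00:01 +0000] "\x04\x01\x00\x19" 200 1456',
    '192.0.2.10 - - [09/Apr/2006:10:00:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 1456',
    '192.0.2.11 - - [09/Apr/2006:10:00:03 +0000] "GET http://www.example.org/ HTTP/1.1" 200 1456',
    '198.51.100.7 - - [09/Apr/2006:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1456',
    '192.0.2.12 - - [09/Apr/2006:10:00:05 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 300',
]
SAMPLE_CONF = "#LoadModule proxy_module libexec/apache/libproxy.so\nAddModule mod_proxy.c\n"

if __name__ == "__main__":
    print(accepted_probes(SAMPLE_LOG), active_proxy_directives(SAMPLE_CONF))
```

A 2xx hit is a lead to review rather than proof of relaying, since Apache can answer an absolute-URI GET with its own local page; compare the logged response size with that of your normal index page.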
