This is a discussion on Activity missing from logs within the Apache Web Server forums, part of the Web Server and Related Forums category; We have an Apache server configured as a reverse proxy. Our firewall shows a forty minute period of intense activity ...
We have an Apache server configured as a reverse proxy. Our firewall shows a forty-minute period of intense activity from a single IP address, from a block of cable modem customers. The Apache activity and error logs are continuous over that period, but don't show ANY activity from the IP address in question. The IP address belongs to a customer, and we see normal activity at other times. We haven't found any extra files or unknown processes on the server, but are still looking. All activity was over SSL. Any ideas about what could have caused this? Nessus in STunnel?
<susato1@snet.net> wrote:

> We have an Apache server configured as a reverse proxy. Our firewall shows
> a forty-minute period of intense activity from a single IP address, from a
> block of cable modem customers.
> The Apache activity and error logs are continuous over that period, but
> don't show ANY activity from the IP address in question. The IP address
> belongs to a customer, and we see normal activity at other times.

Check the port or ports being hit in your firewall log. Specifically look for hits on ports 135, 136, 137, 138, 139 and 445. Other ports should be checked as well. Chances are good you will find repeated hits on ports 137, 139 and 445. Those ports should be closed or stealthed to the public, but "maybe" open for a secure LAN.

It is very common for a machine to be infected, which results in repeated requests to an entire block of IP addresses, via cable, serving that machine's general local region. Cable systems are actually a collection of LAN systems connected to a large geographic region WAN server. Each LAN serves a specific range of IP addresses, and the WAN serves all IP addresses within the LAN collection region.

Your LAN -> Neighborhood LAN -> City LAN -> County LAN -> Regional WAN

My suggestion is you drop a router such as a Linksys BEFSR41 between your cable modem and your machine. You can use Link Logger software to create logs which can be displayed by incoming, outgoing, both, IP address, port and many other criteria. Doing so provides you with log records which can be quickly scanned to determine if activity, such as you describe, is hitting ports other than your Apache port 80 or whichever port you are using for Apache. This lack of activity in your Apache logs strongly suggests this is the case: activity on ports other than port 80 (or other) for Apache.

Linksys (Cisco) BEFSR41 is a fine router for home / light duty usage. It is programmable in many ways, offers instant security and can be bought on eBay for very little, brand new, although a discontinued model. Look for one with version 3 software or plan to "flash" upgrade to version 3 software. Buy two; one to use, one for backup. Link Logger software is dedicated to Linksys routers; works great.

Should you "flash" a router, be sure all machines and your modem are physically disconnected from your router, save for the machine you use to flash the router. Flashing a router "can" destroy a cable modem. I learned this the hard way.

Purl Gurl
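As an added example (not code from either poster), a small Python script that does the check described in the reply above: it correlates one source IP's firewall log entries with the Apache access log and breaks the firewall hits down by destination port, so that activity on ports Apache never listens on stands out. The log lines and IP addresses are constructed samples, and the iptables-style firewall log format is an assumption.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (iptables-style) for two source IPs.
FIREWALL_LOG = """\
Mar 10 02:14:01 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=3211 DPT=445
Mar 10 02:14:02 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=3212 DPT=139
Mar 10 02:14:02 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=3213 DPT=445
Mar 10 02:14:05 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=3214 DPT=443
Mar 10 02:14:09 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
"""

# Constructed Apache combined-format access log lines for the same window.
ACCESS_LOG = """\
198.51.100.5 - - [10/Mar/2004:02:14:09 +0000] "GET / HTTP/1.1" 200 512
203.0.113.77 - - [10/Mar/2004:02:14:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

WEB_PORTS = {80, 443}  # ports Apache actually listens on (assumed)
FW_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def firewall_ports_by_source(log_text):
    """Map source IP -> Counter of destination ports seen in the firewall log."""
    result = {}
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m:
            result.setdefault(m["src"], Counter())[int(m["dpt"])] += 1
    return result

def apache_hits_by_source(log_text):
    """Count Apache access-log entries per client IP (first field of combined format)."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[line.split()[0]] += 1
    return counts

def explain_gap(src_ip, fw_log, access_log):
    """Return (web_port_hits, apache_log_hits, non_web_port_counter) for one source IP.
    Many non-web hits with few Apache hits means the traffic never reached Apache."""
    ports = firewall_ports_by_source(fw_log).get(src_ip, Counter())
    web_hits = sum(n for p, n in ports.items() if p in WEB_PORTS)
    non_web = Counter({p: n for p, n in ports.items() if p not in WEB_PORTS})
    return web_hits, apache_hits_by_source(access_log)[src_ip], non_web

if __name__ == "__main__":
    print(explain_gap("203.0.113.77", FIREWALL_LOG, ACCESS_LOG))
```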