Funny Lines in Access_log (Linux Security forums, System Security and Security Related)
Group;

I've been running a PPro 200 DEC server for a number of years. O/S is Red Hat 7.3 with patches.

I have a couple of lines in my access_log for httpd, i.e. CONNECT irc.chatstop.net:6667

It appears someone is trying to connect thru my machine to that server on port 6667.

What is all this about? What will someone gain if they can get thru my machine?

Thanks
Doug

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Doug Holtz NOSPAM in adress wrote, On 03/16/2006 03:15 AM:
> Group;
>
> I've been running a PPro 200 DEC server for a number of years. O/S is Red
> Hat 7.3 with patches.
>
> I have a couple of lines in my access_log for httpd i.e. CONNECT
> irc.chatstop.net:6667
>
> It appears someone is trying to connect thru my machine to that server on
> port 6667.
>
> What is all this about? What will someone gain if they can get thru my
> machine?
>
> Thanks
>
> Doug
>

The important thing is how the server responds to it: either a 405 method not allowed or a 301/302 permanent/temporary redirect. The CONNECT method is used to establish a proxy. 6667 is a default IRC (Internet Relay Chat) port. This can be used to remove traces, if someone connects to a botnet for instance, as well as something as trivial as ban evasion from an IRC channel.

- --
- ----------------------------
Kristian Fiskerstrand
http://www.kfwebs.net
- ----------------------------
http://www.secure-my-email.com
http://www.secure-my-internet.com
http://www.yourblog.in
- ----------------------------
Public PGP key 0x6B0B9508 at http://www.kfwebs.net/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3-cvs (GNU/Linux)
Comment: http://www.secure-my-email.com
Comment: http://www.secure-my-internet.com

iQIVAwUBRBjUSBbgz41rC5UIAQhR2w//RFUOl+QSLNsnRVWqXGgPZ2bMB2Fqeh80
yooPWLTNPnvCAtr2ZRmz6ScM9+ygjRXTNi72hvH8fFK6wzcupnhxgbXH6q50r7uH
AT1ZyUZqJy3xDAHrYjo90f056UTbM1or8eIgrNEwEKg9pX6l77lK18TB81+eTS2A
V4eKJ893VF12lHBffCd2/1T5B59GZxzf4L6I9wh3Dr9Hpc43iIqNShFbYhJnV1zQ
roZKxIU0k7autAmcxgEOLwynU/2lZ7Jp2KS51pp45NnImsb0oRYsL0tRVSaNXmgQ
V9rAxc6i3rQl6KVm35yE3NXZ7RpFwXZiM24PZkb3ecn/jT7O694qb/zPawr+xVfe
b4bsTRapl08and0EN+WON6xM8SObkADfn0ijigHSojzLPdPFouN8rLJHI/VUy+kQ
kXtMO3Y/Ll8ldwGhSUIV/2LhrDVG6pp1WIP38FrfYiCigTdB84X/W5MvQIg+domB
14lat7s6uCek1ytjmR259J8NutlvcUG9mfoag8oSCF3P3LVQxj4mH5SRFXmVIC1g
WuENkZiyGjARrK74tvzHd0hcIVwJwRHJID4hgX7LcOkXfashMAPGD1oy6FtaGqha
GmKBqojGrzkVgn9Xj1sn3ImYat2kljm5w2zqpFu4/Um6iKt5q6NuuQDpJzU6tPUk
xLo09hiigQQ=
=la78
-----END PGP SIGNATURE-----

"Doug Holtz NOSPAM in adress" <dholtzNOSPAM@wi.rr.com> (06-03-16 02:15:05):

> I have a couple of lines in my access_log for httpd i.e. CONNECT
> irc.chatstop.net:6667

Those lines show attempts to abuse your machine as a proxy server to connect to the given IRC server. Check the response code in the access log. If it's anything other than 403 (especially if it's 200), then you are in trouble.

Don't load the proxy modules if you don't intend to use them. Remove or comment out all LoadModule lines which deal with proxies (e.g. proxy_connect_module).

> It appears someone is trying to connect thru my machine to that server
> on port 6667.

Exactly.

> What is all this about? What will someone gain if they can get thru
> my machine?

Simple. On IRC the attacker might have two possible intentions, or both in most cases. They are going to increase their privacy by hiding their real IP address, or they would like to create mass clones.

On IRC, most servers do not allow more than two or three connections per IP address (in other words: you can't chat with more than 2/3 nicknames simultaneously -- not directly). For each proxy server an attacker finds, they get another 2/3 connections to the IRC server. Doing this multiple times to create a lot of connections to the network is called 'mass cloning'. This makes some DoS and brute-force attacks against the IRC network or its users possible.

Most IRC networks detect such attempts and ban almost all proxied connections automatically. But this is not always the case -- for example if the proxy server is using a non-standard port number, or the open proxy defense package the network uses is unfamiliar with the proxy protocol used.

By the way, the default configuration of Apache doesn't let proxied connections pass. Either the proxy functionality is not activated, or you have to authenticate first to use the proxy (a properly configured closed proxy). If this is not the case (i.e. anybody can use the proxy), then it's called an open proxy. In most cases, this indicates failure to configure Apache (or whatever) properly.

As said, whether the attempts have succeeded depends on the response code. If they failed, it's 403. If it's anything else, then your host is theoretically exploitable. If it's 200, then it has already been exploited.

Regards.

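A defender-side check for the advice in the two replies above: Kristian's point that what matters is how the server answered the CONNECT, and the 403-versus-200 rule plus the "comment out the proxy LoadModule lines" advice just given. This is an added example written for this page, not code from any poster. It assumes Apache's common/combined access_log format; the log lines, the httpd.conf excerpt and the module file names in it are constructed samples, not real data.

```python
"""Triage CONNECT requests in an Apache access_log and list loaded proxy modules.

Added example for this thread, not code from any poster. SAMPLE_LOG and
SAMPLE_CONF are constructed inputs; the IPs are documentation ranges.
"""
import re

# Common / Combined Log Format:
#   host ident user [date] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one refused CONNECT, one that succeeded (open
# proxy), one answered with a redirect, and an ordinary GET for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Mar/2006:01:12:03 +0000] "CONNECT irc.chatstop.net:6667 HTTP/1.0" 403 291
203.0.113.7 - - [16/Mar/2006:01:12:09 +0000] "CONNECT irc.chatstop.net:6667 HTTP/1.0" 200 -
198.51.100.4 - - [16/Mar/2006:02:30:41 +0000] "CONNECT irc.example.net:6667 HTTP/1.1" 302 0
192.0.2.10 - - [16/Mar/2006:02:31:00 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

# 403 (second reply) and 405 (first reply) both mean the server refused to proxy.
REFUSED = {"403", "405"}


def parse_line(line):
    """Return the fields of one access_log line as a dict, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage_connects(log_text):
    """Bucket every CONNECT request by outcome.

    "proxied": status 200, the tunnel was established (open proxy already abused)
    "refused": 403/405, Apache declined to proxy
    "other":   anything else (e.g. 301/302), the proxy code answered instead of refusing
    """
    result = {"proxied": [], "refused": [], "other": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        if rec["status"] == "200":
            bucket = "proxied"
        elif rec["status"] in REFUSED:
            bucket = "refused"
        else:
            bucket = "other"
        result[bucket].append((rec["host"], rec["target"], rec["status"]))
    return result


# Constructed httpd.conf excerpt; module file names are assumed, not taken from any real box.
SAMPLE_CONF = """\
LoadModule access_module modules/mod_access.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
"""

# An uncommented LoadModule line whose module name starts with "proxy".
PROXY_MODULE_RE = re.compile(r'^\s*LoadModule\s+(proxy\w*_module)\b')


def active_proxy_modules(conf_text):
    """Return names of proxy-related modules still loaded by uncommented LoadModule lines."""
    found = []
    for line in conf_text.splitlines():
        m = PROXY_MODULE_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for bucket, recs in triage_connects(SAMPLE_LOG).items():
        for host, target, status in recs:
            print(f"{bucket:8} {status} {host} -> {target}")
    print("proxy modules still loaded:", active_proxy_modules(SAMPLE_CONF))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; anything in the "proxied" bucket is a completed tunnel, and anything in "other" means the proxy code is answering CONNECT at all and the LoadModule lines reported by active_proxy_modules are the ones to comment out.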
On Thu, 16 Mar 2006 02:15:05 GMT, "Doug Holtz NOSPAM in adress" <dholtzNOSPAM@wi.rr.com> wrote:

> Group;
>
> I've been running a PPro 200 DEC server for a number of years. O/S is Red
> Hat 7.3 with patches.
>
> I have a couple of lines in my access_log for httpd i.e. CONNECT
> irc.chatstop.net:6667
>
> It appears someone is trying to connect thru my machine to that server on
> port 6667.
>
> What is all this about? What will someone gain if they can get thru my
> machine?

Proxy connection to services via your machine --> you get blamed for bad stuff 'cos you're acting as an unwitting proxy. Bad.

Redhat 7.3 is well past its use-by date; perhaps an upgrade to some less vulnerable distro?

Grant.
--
Memory fault -- brain fried

"Doug Holtz NOSPAM in adress" <dholtzNOSPAM@wi.rr.com> writes:

> Group;
> I've been running a PPro 200 DEC server for a number of years. O/S is Red
> Hat 7.3 with patches.
> I have a couple of lines in my access_log for httpd i.e. CONNECT
> irc.chatstop.net:6667
> It appears someone is trying to connect thru my machine to that server on
> port 6667.
> What is all this about? What will someone gain if they can get thru my
> machine?

Anonymity. If they can make the cops think it was you and your machine rather than theirs, guess who goes to jail.

Redhat 7.3 is ancient. And completely unsupported. Upgrade.

Unruh wrote:
> "Doug Holtz NOSPAM in adress" <dholtzNOSPAM@wi.rr.com> writes:
>
>> Group;
>> I've been running a PPro 200 DEC server for a number of years. O/S is Red
>> Hat 7.3 with patches.
>> I have a couple of lines in my access_log for httpd i.e. CONNECT
>> irc.chatstop.net:6667
>> It appears someone is trying to connect thru my machine to that server on
>> port 6667.
>> What is all this about? What will someone gain if they can get thru my
>> machine?
>
> Anonymity. If they can make the cops think it was you and your machine
> rather than theirs, guess who goes to jail.
>
> Redhat 7.3 is ancient. And completely unsupported. Upgrade.

Yes, it's ancient, but you can always find security updates because it's a very popular distribution:

http://download.fedoralegacy.org/red.../updates/i386/

For example: apache-1.3.27-9.legacy.i386.rpm 08-Feb-2006 19:35 540K

Philippe WEILL <Philippe.Weill@aero.jussieu.fr> wrote:

>> Redhat 7.3 is ancient. And completely unsupported. Upgrade.
>
> Yes it's ancient but you can always find security updates
> because it's a very popular distribution
>
> http://download.fedoralegacy.org/red.../updates/i386/
> for example
> apache-1.3.27-9.legacy.i386.rpm 08-Feb-2006
> 19:35 540K

Fedora Legacy does _some_ security coverage for RH 7.3, but it's very spotty. You are strongly advised not to rely on that. Such systems remain, in general, unsafe in 2006.

--
Cheers,
Rick Moen
Support your local medical examiner: Die strangely.
rick@linuxmafia.com

On Thu, 16 Mar 2006 13:14:19 -0500, Rick Moen <rick@linuxmafia.com> wrote:

> Philippe WEILL <Philippe.Weill@aero.jussieu.fr> wrote:
>
>>> Redhat 7.3 is ancient. And completely unsupported. Upgrade.
>>
>> Yes it's ancient but you can always find security updates
>> because it's a very popular distribution
>>
>> http://download.fedoralegacy.org/red.../updates/i386/
>> for example
>> apache-1.3.27-9.legacy.i386.rpm 08-Feb-2006
>> 19:35 540K
>
> Fedora Legacy does _some_ security coverage for RH 7.3, but it's very
> spotty. You are strongly advised not to rely on that. Such systems
> remain, in general, unsafe in 2006.

Sounds like OP is gonna stay in the dark until the cops take away his system for evidence. Some people focus on security only after disaster strikes; prior to that, "It cannot happen to me" seems to work.

Grant.
--
Memory fault -- brain fried

I set up a new CentOS server on a newer P4 chassis.

Thanks for the reply.

Doug

"Grant" <bugsplatter@gmail.com> wrote in message news:mjlh12lcah1rmbqs94rac7apa5j773jkre@4ax.com...
> On Thu, 16 Mar 2006 02:15:05 GMT, "Doug Holtz NOSPAM in adress"
> <dholtzNOSPAM@wi.rr.com> wrote:
>
>> Group;
>>
>> I've been running a PPro 200 DEC server for a number of years. O/S is Red
>> Hat 7.3 with patches.
>>
>> I have a couple of lines in my access_log for httpd i.e. CONNECT
>> irc.chatstop.net:6667
>>
>> It appears someone is trying to connect thru my machine to that server on
>> port 6667.
>>
>> What is all this about? What will someone gain if they can get thru my
>> machine?
>
> Proxy connection to services via your machine --> you get blamed for
> bad stuff 'cos you're acting as an unwitting proxy. Bad.
>
> Redhat 7.3 is well past its use-by date; perhaps an upgrade to some
> less vulnerable distro?
>
> Grant.
> --
> Memory fault -- brain fried

Thanks group.

My Red Hat 7.3 with updates is down :( I will think about what to do with it in the future. In the meantime a new CentOS 4.3 is in its place on a different box. I hope this is secure. I still need to check my logs regarding response codes and will do it soon.

Doug

"Grant" <bugsplatter@gmail.com> wrote in message news:uokj12dkv97eoahiba3nt56071j80sms5t@4ax.com...
> On Thu, 16 Mar 2006 13:14:19 -0500, Rick Moen <rick@linuxmafia.com> wrote:
>
>> Philippe WEILL <Philippe.Weill@aero.jussieu.fr> wrote:
>>
>>>> Redhat 7.3 is ancient. And completely unsupported. Upgrade.
>>>
>>> Yes it's ancient but you can always find security updates
>>> because it's a very popular distribution
>>>
>>> http://download.fedoralegacy.org/red.../updates/i386/
>>> for example
>>> apache-1.3.27-9.legacy.i386.rpm
>>> 08-Feb-2006
>>> 19:35 540K
>>
>> Fedora Legacy does _some_ security coverage for RH 7.3, but it's very
>> spotty. You are strongly advised not to rely on that. Such systems
>> remain, in general, unsafe in 2006.
>
> Sounds like OP is gonna stay in the dark until the cops take away his
> system for evidence. Some people focus on security only after disaster
> strikes; prior to that, "It cannot happen to me" seems to work.
>
> Grant.
> --
> Memory fault -- brain fried