# something

## cyblord

n/a

*Last edited by cyblord on Tue Jun 24, 2014 7:25 pm; edited 1 time in total*

----------

## Mad Merlin

I don't think your Apache logs suggest anything unusual; they look pretty bog standard. I see random IPs scanning for open proxies and common vulnerabilities all the time.

Obviously 800 Mbit of traffic is a fair bit, but I think you'd need to figure out what kind of traffic it was first (ICMP, SSH bruteforcing, etc.); that amount of traffic in and of itself doesn't suggest that you've been compromised.

I'm sure I don't need to tell you this, but if you do find good evidence that you've been compromised, don't hesitate to format the box.

----------

## Tekeli Li

The response code 200 for GET on random domains, and for CONNECT, does seem to suggest you've got a proxy running. But the access times and reported response sizes do not account for the amount of traffic you're suggesting.

If I were you I'd set up some iptables rules and log all incoming and outgoing traffic, especially SYN packets (limit logging to, say, 1/min). Use netstat --inet (man netstat first) to check active connections.

If your machine has been compromised, you can either try and scan for trojans/rootkits offline (mount from external CD or something, and scan from there), or simply reinstall the machine.
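The logging rules Tekeli Li suggests, as an added example that is not part of the thread: one small chain per direction logs new TCP connection attempts (SYN) through iptables' limit match, so a flood cannot swamp the kernel log, and a second function removes the rules again. The chain names, log prefixes and function names are my own choices. Nothing here changes what the firewall accepts or drops; a logged packet continues to the existing policy. Setting IPT=echo prints the commands instead of running them, which is how it can be tried without root.

```shell
#!/bin/sh
# Added example, not from the thread. Rate-limited logging of every new TCP
# connection attempt (SYN) in and out, in the spirit of Tekeli Li's advice.
# Chain names SYN_IN/SYN_OUT and the log prefixes are assumptions.
# Set IPT=echo to dry-run: the commands are printed instead of executed.

# Usage: install_syn_logging [rate] [burst]   (defaults: 1/min, 5)
install_syn_logging() {
    rate=${1:-1/min}
    burst=${2:-5}
    ipt=${IPT:-iptables}
    for dir in IN OUT; do
        chain="SYN_$dir"
        $ipt -N "$chain"
        # The limit match passes the first $burst packets, then $rate;
        # everything beyond that silently skips the LOG target.
        $ipt -A "$chain" -m limit --limit "$rate" --limit-burst "$burst" \
            -j LOG --log-prefix "SYN-$dir: " --log-level 4
        $ipt -A "$chain" -j RETURN
    done
    # --syn matches SYN set with ACK/RST/FIN clear, i.e. new connections only.
    # Inserted at position 1 so the log entry is written before any ACCEPT/DROP.
    $ipt -I INPUT  1 -p tcp --syn -j SYN_IN
    $ipt -I OUTPUT 1 -p tcp --syn -j SYN_OUT
}

# Undo install_syn_logging: unhook the jumps, then flush and delete the chains.
remove_syn_logging() {
    ipt=${IPT:-iptables}
    $ipt -D INPUT  -p tcp --syn -j SYN_IN
    $ipt -D OUTPUT -p tcp --syn -j SYN_OUT
    for chain in SYN_IN SYN_OUT; do
        $ipt -F "$chain"
        $ipt -X "$chain"
    done
}
```

The entries land in the kernel log (dmesg -w or journalctl -k -f) with the SYN-IN:/SYN-OUT: prefix, source and destination addresses and ports. A run of SYN-OUT lines towards one destination, matched against netstat --inet -tn (or ss -tn, with -p as root to see the owning PID), tells you which local process is opening those connections.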

----------

## Mad Merlin

Response code 200 doesn't mean the CONNECT actually went through, look at the response sizes here:

```
"CONNECT 194.109.153.5:11111 HTTP/1.0" 200 326
"GET / HTTP/1.0" 200 326
```

They're both the same (326), which suggests that the CONNECT is just returning /, which is what it usually does if you don't have a proxy running. Try it yourself and see what you get back:

```
telnet devbox 80
CONNECT 195.109.153.5:11111 HTTP/1.0
```

(Note that you need to hit enter twice after the HTTP/1.0.)
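A way to apply Mad Merlin's size check across a whole access log rather than by eye, as an added example that is not part of the thread: it takes the size Apache returns for a successful "GET /" as the baseline and flags every CONNECT or absolute-URI GET whose response size differs from it. The log lines are constructed for the demonstration (combined log format, client addresses from the documentation ranges) and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the response size of proxy-style
# requests (CONNECT, or GET with an absolute URI) against the size Apache
# returns for a plain "GET /". Equal sizes mean the CONNECT just got the front
# page, as Mad Merlin describes; a different size deserves a closer look.

# Constructed sample in combined log format (not real traffic).
make_sample_log() {
    cat <<'EOF'
203.0.113.10 - - [24/Jun/2014:19:00:01 +0000] "GET / HTTP/1.0" 200 326 "-" "Mozilla/5.0"
203.0.113.11 - - [24/Jun/2014:19:00:02 +0000] "CONNECT 194.109.153.5:11111 HTTP/1.0" 200 326 "-" "-"
203.0.113.12 - - [24/Jun/2014:19:00:03 +0000] "CONNECT 198.51.100.7:25 HTTP/1.0" 200 1042 "-" "-"
203.0.113.13 - - [24/Jun/2014:19:00:04 +0000] "GET http://example.org/ HTTP/1.0" 200 326 "-" "-"
203.0.113.14 - - [24/Jun/2014:19:00:05 +0000] "GET /index.html HTTP/1.0" 404 209 "-" "-"
EOF
}

# Usage: classify_proxy_requests /var/log/apache2/access_log
# Output, one line per proxy-style request:
#   <client> <target> <status> <bytes> same-as-root|DIFFERS
# Whitespace fields of the combined format: $6 = "METHOD (with the opening
# quote), $7 = target, $9 = status, $10 = bytes. The file is read twice so the
# "GET /" baseline is known before any request is classified.
classify_proxy_requests() {
    awk '
        NR == FNR {
            if ($6 == "\"GET" && $7 == "/" && $9 == "200") base = $10
            next
        }
        $6 == "\"CONNECT" || ($6 == "\"GET" && $7 ~ /^https?:\/\//) {
            verdict = (base != "" && $10 == base) ? "same-as-root" : "DIFFERS"
            printf "%s %s %s %s %s\n", $1, $7, $9, $10, verdict
        }
    ' "$1" "$1"
}
```

Run it against the real access log and look only at the DIFFERS lines; a CONNECT whose response size tracks the remote target rather than your own front page is the one that actually went through.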

----------

## stan666

Did you actually open ports 9000 and 11111? Besides these unusual (for a pure webserver) ports I cannot see anything harmful in the logs... but you probably should check for processes using these ports with netstat.

Edit: you could also create a file with "touch", alter the timestamp of this file to the time the first strange log entry occurred, and search for files that have been created after this time by invoking "find" with the "-newer <file you've just created>" command.
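stan666's touch-then-find technique, as an added example (not from the thread) that runs inside a scratch directory: touch -d creates a reference file whose mtime is the cut-off, and find -newer lists everything modified after it. It also shows the caveat a practitioner would want: mtime is exactly what touch sets, so a file can be backdated, whereas ctime cannot be set with touch or utimes(), and GNU find's -newerct compares against ctime directly. The directory layout, file names and cut-off are constructed, the function names are mine, and touch -d / -newerct are GNU extensions.

```shell
#!/bin/sh
# Added example, not from the thread. Lists files changed after a cut-off time
# the way stan666 describes (touch a reference file, find -newer it), plus a
# ctime variant that survives backdated mtimes. Requires GNU touch and find.

# Usage: files_modified_after <root> "<YYYY-MM-DD HH:MM:SS>"
# Prints files under <root> whose mtime is later than the cut-off, sorted.
files_modified_after() {
    root=$1
    cutoff=$2
    ref=$(mktemp)
    touch -d "$cutoff" "$ref"      # reference file carries the cut-off as its mtime
    # -type f: a directory's mtime changes whenever an entry is added or
    # removed, which would otherwise list every parent of a new file too.
    find "$root" -type f -newer "$ref" | sort
    rm -f "$ref"
}

# Same idea on ctime (inode change time). touch -d only rewrites mtime/atime;
# the kernel updates ctime on every inode change and it cannot be set with
# touch or utimes(), so a backdated file still shows up here.
# -newerct takes the time string directly, no reference file needed.
files_ctime_after() {
    root=$1
    cutoff=$2
    find "$root" -type f -newerct "$cutoff" | sort
}

# Scratch tree for the demonstration: one old file and two "modified" after a
# constructed first suspicious log entry (2014-06-24 19:00). All three are
# created right now, so their ctime is now regardless of the mtime we set.
setup_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/var/www" "$dir/tmp"
    touch -d "2014-06-20 12:00:00" "$dir/var/www/index.html"
    touch -d "2014-06-24 19:30:00" "$dir/tmp/.hidden"
    touch -d "2014-06-24 20:00:00" "$dir/var/www/unexpected.cgi"
    printf '%s' "$dir"
}
```

On the demo tree, files_modified_after with the 19:00 cut-off returns the two newer files, while files_ctime_after returns all three, including index.html whose mtime was set to four days earlier: that is the difference between a timestamp an intruder can rewrite and one the kernel keeps.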

----------

## Mad Merlin

*stan666 wrote:*

> Did you actually open ports 9000 and 11111? Besides these unusual (for a pure webserver) ports I cannot see anything harmful in the logs... but you probably should check for processes using these ports with netstat.

That's not quite how it works.

```
"CONNECT 194.109.153.5:11111 HTTP/1.0"
```

What that means is that the client has connected to Apache (via port 80) and is requesting that Apache connect to 194.109.153.5:11111 on its behalf, not that the connection to the original poster's Apache instance is on port 11111.

----------

## stan666

@Mad Merlin: If I telnet to my webserver and request port 11111 via "CONNECT" I get a 405 (because I do not run a proxy); on cyblord's box I get "Proxy check", but I'm not an apache god (and I do not know cyblord's apache config). If I connect directly to port 11111 via telnet to my box, I get "connection refused" (like it should be, because the port is not open), while a telnet to cyblord's server at this port is established -> cyblord's port 11111 is open and apache accepts the "CONNECT" request (and also returns "Proxy check") -> apache acts like a proxy? If this was my webserver I would be worried :Shocked: (I say this because on a webserver at work we once had a httpd listening on a specific port (I don't exactly remember what port it was); this httpd came in via an XSS attack, so my paranoia level might be a bit higher than yours :Wink:)

----------

## malern

*stan666 wrote:*

> while a telnet to cyblord's server at this port is established

How are you connecting to cyblord's server? Has he told you his IP address? The IP addresses in the logs are only the clients, or the machines they are trying to proxy to. So if you are connecting to one of them then you're probably not connecting to cyblord's machine.

You're right about apache returning a 405 response for CONNECT requests by default though. It does seem a bit odd that cyblord's machine returns 200 unless he's specifically configured it to do that. It might help if he posted his httpd.conf and /etc/conf.d/apache.

In any case, if the machine can be retired then my advice would be to retire it. There's no point leaving random machines connected to the net unless they have a purpose, you're bound to run into trouble sooner or later.

----------

## stan666

Sorry guys, I think I should have thought before posting. To be honest, I really thought he was posting his IP, but today I was thinking about it and came to the conclusion that probably nobody is that stupid. I think I have found my issue.

```
stan@zerberus body $ ls -l brain/
total 112K
-rw-rw---- 1 stan stan 100K  0  6. Mai 18:43 apache-knowledge.part
drwxrwx--- 2 stan stan 4,0K  6. Mai 18:43 beer
drwxrwx--- 2 stan stan 4,0K  6. Mai 18:43 music
drwxrwx--- 2 stan stan 4,0K  6. Mai 18:43 stuff
```

I guess I'd better sit back and learn something... :Embarassed: :Embarassed:

Nevertheless, searching for suspicious files that were changed during the beginning of these attacks might be useful if this server stays online.

----------

