[CLUE-Tech] Hacking?

Adam Bultman adamb at glaven.org
Mon Jun 10 10:39:19 MDT 2002


Found the problem.

The previous admin had enabled mod_proxy on the two Apache servers, thus
allowing anyone who set it as a proxy to use it as a non-caching proxy, or
as an anonymizer.  I put the kibosh on that; now it's just time to search
the net looking for answers as to whether or not it was advertised on
hacker sites, or whatever.

Adam

-- 
Adam Bultman
adam at glaven.org
[ http://www.glaven.org ]


On Mon, 10 Jun 2002, David Anselmi wrote:

> Adam Bultman wrote:
> >
> > Okay. I think I'm getting hacked, or DDOSed.
> >
> > Here's my symptoms:
> >
> > 1. Lots of requests to my server.  I, on my ISDN, can barely keep up with
> > a tcpdump, watching hosts hitting me.  I just about peg my bandwidth on my
> > colo if I leave httpd up.   www.glaven.org/images/hack2.jpg shows my usage.
> > You can see, it's higher than normal when the attacks started.
> >
> > 2. IF I turn on http, this is what I get:
> > 24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD
> > http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
> > HTTP/1.0" 404 0
> > 24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET
> > http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts
> > HTTP/1.0" 404 264
>
> You aren't spotlife.com, right?  But requests for that site are coming
> to your server.  So it seems that DNS is snafu'd somewhere.  I can get
> to spotlife.com ok, so it doesn't seem to be a problem with the
> authoritative servers (unless they've been fixed already).  If you think
> all the hits are coming from a particular place, perhaps they have a
> cache that is bad.
>
> It is possible that this is malicious (especially if it continues).  But
> also possible that it is just bad administration.  There seem to be a
> few people running DNS servers that don't know how DNS works.
>
> You can try to block this traffic as far upstream as you can--may not be
> easy, but it's the best way.  Will your provider set up the filter for
> you?
>
> > 3.  It appears to be happening to both my DNS servers, nothing else.  I
> > neglected to mention this earlier. These are my DNS servers.  They run
> > httpd because I need the big brother status pages.  I *was* running BIND
> > 8.2.3, I believe, but now I'm running 9.1.2 or whatever the newest version
> > is.
>
> Do you have to run httpd to use BB on the DNS servers?  Seems to me that
> they could report somewhere else that was running httpd.
>
> Dave
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
>

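An added example, not code from the thread or from Adam's servers: a small Python check over Apache access-log lines that flags the symptom quoted above, request lines whose target is an absolute URI for somebody else's host, which is exactly what a client sends when it is using the server as a forward proxy. The OWN_HOSTS set and the sample lines are assumptions constructed for the example (the two spotlife lines are modelled on the wrapped ones in the post).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# One Apache access-log record: CLIENT - - [TIMESTAMP] "METHOD TARGET PROTO" STATUS BYTES
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Hostnames this server legitimately serves (an assumption for the example).
OWN_HOSTS = {"www.glaven.org", "glaven.org"}

# Constructed sample: two proxy-style lines modelled on the thread, one ordinary
# local request, and one absolute-URI request for our own host (not abuse).
SAMPLE_LOG = [
    '24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/'
    'users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0',
    '24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/'
    'users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264',
    '192.0.2.7 - - [08/Jun/2002:07:47:02 -0400] "GET /images/hack2.jpg HTTP/1.0" 200 5120',
    '192.0.2.7 - - [08/Jun/2002:07:47:05 -0400] "GET http://www.glaven.org/ HTTP/1.1" 200 1033',
]

def parse_line(line):
    """Return the record's fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_proxy_request(target, own_hosts=OWN_HOSTS):
    """True when the request target is an absolute URI for a host that is not ours.
    A client only writes 'GET http://other.host/...' when it is treating us as a
    forward proxy, so these lines are the signature of open-proxy use."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # ordinary origin-form request such as /images/hack2.jpg
    return parts.hostname.lower() not in own_hosts

def proxy_abuse_report(lines, own_hosts=OWN_HOSTS):
    """Count proxy-style requests per client IP; a non-empty result means the
    server is being used as a forward proxy (or someone is probing for one)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_proxy_request(rec["target"], own_hosts):
            counts[rec["client"]] += 1
    return dict(counts)
```

The server-side fix is the one Adam describes: stop loading mod_proxy, or set `ProxyRequests Off` so Apache never acts as a forward proxy.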