[CLUE-Tech] Hacking?
Adam Bultman
adamb at glaven.org
Mon Jun 10 10:39:19 MDT 2002
Found the problem.
The previous admin had enabled mod_proxy on the two Apache servers, thus
allowing anyone who set it as a proxy to use it as a non-caching proxy, or
as an anonymizer. I put the kibosh on that; now it's just time to search
the net looking for answers as to whether or not it was advertised on
hacker sites, or whatever.
Adam
--
Adam Bultman
adam at glaven.org
[ http://www.glaven.org ]
On Mon, 10 Jun 2002, David Anselmi wrote:
> Adam Bultman wrote:
> >
> > Okay. I think I'm getting hacked, or DDOSed.
> >
> > Here's my symptoms:
> >
> > 1. Lots of requests to my server. I, on my ISDN, can barely keep up with
> > a tcpdump, watching hosts hitting me. I just about peg my bandwidth on my
> > colo if I leave httpd up. www.glaven.org/images/hack2.jpg shows my usage.
> > You can see, it's higher than normal when the attacks started.
> >
> > 2. If I turn on http, this is what I get:
> >
> > 24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0
> > 24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264
>
> You aren't spotlife.com, right? But requests for that site are coming
> to your server. So it seems that DNS is snafu'd somewhere. I can get
> to spotlife.com ok, so it doesn't seem to be a problem with the
> authoritative servers (unless they've been fixed already). If you think
> all the hits are coming from a particular place, perhaps they have a
> cache that is bad.
>
> It is possible that this is malicious (especially if it continues). But
> also possible that it is just bad administration. There seem to be a
> few people running DNS servers that don't know how DNS works.
>
> You can try to block this traffic as far upstream as you can--may not be
> easy, but it's the best way. Will your provider set up the filter for
> you?
>
> > 3. It appears to be happening to both my DNS servers, nothing else. I
> > neglected to mention this earlier. These are my DNS servers. They run
> > httpd because I need the big brother status pages. I *was* running BIND
> > 8.2.3, I believe, but now I'm running 9.1.2 or whatever the newest version
> > is.
>
> Do you have to run httpd to use BB on the DNS servers? Seems to me that
> they could report somewhere else that was running httpd.
>
> Dave
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
>
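As an added illustration (editor's example, not code from the thread): the log lines above are the tell-tale sign of a forward proxy in use, since a client that treats the server as a proxy puts an absolute URI (scheme://host/path) in the request line instead of a plain path. This script triages an Apache access log for such requests; the LOCAL_HOSTS set and the third sample line are assumptions, the first two samples are the lines from the post.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
ABS_URI_RE = re.compile(r'^(https?|ftp)://([^/:?#]+)', re.IGNORECASE)

# Hostnames this server legitimately answers for (assumed from the post).
# HTTP/1.1 clients may send an absolute URI for the server's own name, so
# only foreign hosts count as proxy use.
LOCAL_HOSTS = {"www.glaven.org", "glaven.org"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def proxied_host(entry):
    """Return the destination host if the request line carries an absolute URI
    for a host we do not serve (i.e. the client is using us as a proxy)."""
    m = ABS_URI_RE.match(entry["target"])
    if not m:
        return None
    host = m.group(2).lower()
    return None if host in LOCAL_HOSTS else host

def proxy_abuse_report(lines):
    """Count forward-proxy requests per source IP and per destination host."""
    per_source, per_destination = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        host = proxied_host(entry)
        if host:
            per_source[entry["host"]] += 1
            per_destination[host] += 1
    return per_source, per_destination

# Constructed sample: two lines from the post plus one ordinary local request.
SAMPLE_LOG = [
    '24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "HEAD http://www.spotlife.com/users2/missjaco86/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 0',
    '24.141.100.20 - - [08/Jun/2002:07:46:47 -0400] "GET http://www.spotlife.com/users2/shellay/webcam;$sessionid$QM3XJGIAAG4JQCQBDYQCFFI/pic/image.jpg?%ts HTTP/1.0" 404 264',
    '192.0.2.7 - - [08/Jun/2002:07:47:01 -0400] "GET /images/hack2.jpg HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    sources, destinations = proxy_abuse_report(SAMPLE_LOG)
    print("proxy requests by source:", dict(sources))
    print("proxy requests by destination:", dict(destinations))
```

Once mod_proxy is disabled (or ProxyRequests is left off), the same script should report no foreign hosts, which makes it a cheap way to confirm the fix held.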