
I had to rebuild my website a few days ago. It sits on a Red Hat/CentOS VPS so I did the usual stuff - cleaned it up and rpm'd mysqld, php, Apache etc. Restored the site data and was back up, no problem (I thought).

Yesterday the site was running slow, but I figured it was my connection and didn't bother checking at that time. Today it was slower still, so I decided I needed to check it out.
When I looked at the Apache logs I saw thousands of GET requests to "" coming from hosts that I tracked back mainly to California (but they could have been anywhere of course). I knew, of course, that something was badly wrong.

What I had not realised is this (and I bet most readers know this already, but if not then you really need to know)... if you do a clean install of Apache from rpm (or yum) on CentOS/Red Hat, the configuration is pre-set with all the mod_proxy modules set and open. Your server is then wide open for proxy requests and the bad guys simply use it at will...

It is my own stupid fault for not checking at the time - I was rushing to get the site back and dashed through the httpd.conf file without really checking properly.
So now my server was effectively an open proxy and serving thousands of requests to porn sites and other nasties...

The solution is of course simple. Disable the modules altogether if not needed, and if you DO need proxying on the server then change the default config for proxying (in /etc/httpd/conf/httpd.conf) as follows:

### the following is ON by default - turn it OFF unless you have a good reason:
ProxyRequests Off
###The following is set to Allow from ALL by default - change it to allow only from localhost unless
###you have a good reason - as follows:
Order deny,allow
Deny from all
Allow from
###ProxyVia is set ON by default - turn it OFF unless you have a damned good reason.
ProxyVia Off
# End of proxy directives.

That will sort it, but be aware that having been compromised, the requests will keep coming for a day or two - even though the server is now bouncing 404s at the clients.
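
An added example, not part of the original post: one way to confirm from the Apache access log that a server is being used as a forward proxy, and to watch the attempts tail off after the fix. It flags request lines whose target is an absolute URI or that use CONNECT. The log lines, IP addresses and host names are constructed samples.

```python
import re
from collections import Counter

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def is_proxy_attempt(request_line):
    """True when the request line targets another host (forward-proxy use)."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":  # tunnel request, target is host:port
        return True
    # Normal requests carry a path ("/index.php"); proxy requests carry a full URL.
    return ABSOLUTE_URI.match(target) is not None

def summarize(lines):
    """Count proxy attempts overall, per status code and per client."""
    clients, statuses = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_proxy_attempt(m.group("request")):
            continue
        clients[m.group("host")] += 1
        statuses[m.group("status")] += 1
    return {"attempts": sum(statuses.values()),
            "by_status": dict(statuses),
            "clients": clients.most_common()}

# Constructed sample lines (documentation IP ranges, example.* hosts).
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2011:10:00:01 +0000] "GET http://www.example.com/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2011:10:00:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
    '198.51.100.9 - - [10/Jan/2011:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2300',
    '203.0.113.7 - - [11/Jan/2011:09:00:00 +0000] "GET http://www.example.org/a HTTP/1.1" 404 210',
    '192.0.2.44 - - [11/Jan/2011:09:00:05 +0000] "GET http://www.example.org/b HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A 2xx status on an absolute-URI request is not proof by itself that the request was proxied, because with proxying off Apache can answer such a request from its own content; compare the byte counts with your own pages before drawing conclusions.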

Omg, how can Apache come with this default configuration?

I'm using lighttpd on my server, does it come with the same? I think it doesn't.