
Recently I noticed my server keeps sending data to a strange location, "121.11.76.48", according to netstat -na.

To find out what it is sending, I tried:

tcpdump -i eth0 host 121.11.76.48 -nnvvXSs 1514 

And found it keeps sending HTTP requests to this location:

22:55:21.179353 IP (tos 0x0, ttl 64, id 26103, offset 0, flags [DF], proto: TCP (6), length: 296) 192.168.1.13.58155 > 121.11.76.48.80: P, cksum 0x880b (incorrect (-> 0xd884), 1904784743:1904784999(256) ack 915059568 win 46
    0x0000:  4500 0128 65f7 4000 4006 4ce8 c0a8 010d  E..(e.@.@.L.....
    0x0010:  790b 4c30 e32b 0050 7188 b567 368a b370  y.L0.+.Pq..g6..p
    0x0020:  5018 002e 880b 0000 4745 5420 2f20 4854  P.......GET./.HT
    0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 0d0a  TP/1.1..Host:...
    0x0040:  4163 6365 7074 3a20 2a2f 2a0d 0a52 6566  Accept:.*/*..Ref
    0x0050:  6572 6572 3a20 6874 7470 3a2f 2f77 7777  erer:.http://www
    0x0060:  2e78 6264 796d 2e63 6f6d 2f69 6e64 6578  .xbdym.com/index
    0x0070:  2e61 7370 0d0a 4163 6365 7074 2d4c 616e  .asp..Accept-Lan
    0x0080:  6775 6167 653a 207a 682d 636e 0d0a 4163  guage:.zh-cn..Ac
    0x0090:  6365 7074 2d45 6e63 6f64 696e 673a 2067  cept-Encoding:.g
    0x00a0:  7a69 702c 2064 6566 6c61 7465 0d0a 5573  zip,.deflate..Us
    0x00b0:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
    0x00c0:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
    0x00d0:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
    0x00e0:  646f 7773 2035 2e31 290d 0a50 7261 676d  dows.5.1)..Pragm
    0x00f0:  613a 206e 6f2d 6361 6368 650d 0a56 6961  a:.no-cache..Via

Apparently, something on my server keeps sending packets (about one packet/sec) to www.xbdym.com (which is 121.11.76.48), with an IE6 browser!

But my box is a Linux box (CentOS 5.6); there's no way to run IE6 on it. And I don't have any Windows VM installed.

Then I used lsof -i to find which process sends the packets:

httpd 13232 apache 20u IPv4 326404481 TCP 192.168.1.13:48988->121.11.76.48:http (ESTABLISHED) 

It is Apache! It's weird; why does Apache send packets to this location so frequently?

I then dug into Apache's logs and found a lot of records in access_log:

121.11.80.126 - - [23/Dec/2011:22:58:58 +0800] "GET http://www.xbdym.com HTTP/1.1" 502 495 "http://www.xbdym.com/index.asp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" 

and in rewrite.log:

121.11.80.126 - - [23/Dec/2011:23:05:57 +0800] [www.xbdym.com/sid#2b1de9435be0][rid#2b1df49d6ad0/initial] (1) pass through proxy:http://www.xbdym.com 

Does my server behave as a proxy? In fact, direct connections to my server are redirected to my inner Java server (set by ProxyPass and ProxyPassReserve), and I set this:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^myserver.com
RewriteLog "/home/myserver/log/rewrite.log"
RewriteLogLevel 1

There is a "RewriteCond" there; a host not starting with 'myserver.com' should not pass! But how does it pass through my proxy!? And how do I stop it!?

Environment:

httpd-2.2.3-53.el5.centos.3
CentOS 5.6
2.6.18-238.12.1.el5xen

-- updated --

My ProxyPass settings:

ProxyPreserveHost on
ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app
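A check that turns the access_log evidence in the question into something you can run over a whole log file, added here as an example (it is not part of the original post): it parses Apache combined-format lines and flags request lines whose target is an absolute URI or a host:port, which only occur when httpd is being used as a forward proxy. The first SAMPLE_LOG line is the one quoted in the question; the other three are constructed to show what the check ignores and what it catches.

```python
# Added example (not from the original post): flag forward-proxy requests in
# an Apache access_log. The first SAMPLE_LOG line is the one quoted in the
# question; the others are constructed.
import re
from collections import Counter

# Apache "combined" LogFormat:
#   client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A reverse-proxied or local request has a path target ("GET /app/x HTTP/1.1").
# A forward-proxy request carries an absolute URI ("GET http://host/ HTTP/1.1")
# or, for CONNECT tunnels, a host:port target.
PROXY_TARGET_RE = re.compile(r'^[A-Z]+ +(?:[a-z][a-z0-9+.-]*://|[^/ ]+:\d+ )', re.I)

SAMPLE_LOG = """\
121.11.80.126 - - [23/Dec/2011:22:58:58 +0800] "GET http://www.xbdym.com HTTP/1.1" 502 495 "http://www.xbdym.com/index.asp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
192.168.1.50 - - [23/Dec/2011:22:59:01 +0800] "GET /app/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
121.11.80.126 - - [23/Dec/2011:22:59:02 +0800] "CONNECT mail.example.com:25 HTTP/1.1" 405 0 "-" "-"
10.0.0.7 - - [23/Dec/2011:22:59:05 +0800] "GET /app/login HTTP/1.1" 200 512 "-" "curl/7.19.7"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_request(entry):
    """True when the request line is a forward-proxy request (absolute URI or CONNECT host:port)."""
    return PROXY_TARGET_RE.match(entry["request"]) is not None


def find_proxy_abuse(lines):
    """Return (suspect entries, Counter of suspect requests per client IP)."""
    suspects = [e for e in (parse_line(l) for l in lines) if e and is_proxy_request(e)]
    return suspects, Counter(e["client"] for e in suspects)


if __name__ == "__main__":
    hits, per_client = find_proxy_abuse(SAMPLE_LOG.splitlines())
    for e in hits:
        print(f'{e["client"]} {e["status"]} {e["request"]}')
    print("suspect requests per client:", dict(per_client))
```

Run it against the real access_log (for example `find_proxy_abuse(open("/var/log/httpd/access_log"))`) and the per-client counter tells you who is driving the traffic; the 502 on the quoted line is just the inner Java server refusing a request it was never meant to see, so a large number of 502s with absolute-URI targets is itself a good sign that httpd is being used as an open proxy.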

1 Answer


A RewriteCond line only affects the next RewriteRule that is processed. It does nothing on its own.

Since there is no RewriteRule following it in the snippet of your config you have given us, my best guess is that the RewriteCond is doing nothing.

A quick change that should block anything not sending the correct Host: header:

RewriteCond %{HTTP_HOST} !^myserver.com
# pattern ".*" so the rule matches every request; a pattern of "-" would only match URLs containing a hyphen
RewriteRule .* - [F]

Your analysis of what you have seen seems to be correct to me; your Apache is configured as an open relay.

What do your ProxyPass and ProxyPassReverse lines look like? (I presume you actually wrote ProxyPassReverse in your Apache config and not ProxyPassReserve.)

I noticed the request sent an empty Host: header, which is very strange. I suspect your VirtualHost is configured as the default, meaning that it will process all requests, even if the Host: header does not match the ServerName or ServerAlias variables.

There is some advice on how to add an extra, non-proxying default VirtualHost in the Apache wiki. And, for completeness, here's a link to the mod_proxy documentation.

  • Hi, I've added my 'ProxyPassReverse and ProxyPass' settings. And it's true, my VirtualHost is configured as the default. Commented Dec 23, 2011 at 15:54
  • Having never actually used Apache as a forward proxy, I just had a read through that part of the docs. I now suspect you have ProxyRequests On somewhere in your configuration. For a reverse proxy, this should be ProxyRequests Off. Commented Dec 23, 2011 at 16:07
  • Thanks, the Apache wiki (wiki.apache.org/httpd/ProxyAbuse) seems to help me. At least, it hasn't been attacked for 20 mins... :) Commented Dec 23, 2011 at 16:28
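To make the answer's point about RewriteCond concrete, here is a small lint, added as an example and not part of the answer or of Apache, that scans httpd.conf text for the two problems this thread converges on: ProxyRequests On (httpd forwards requests for anyone who can reach it) and a RewriteCond that no RewriteRule follows (the condition then guards nothing). SAMPLE_CONF is constructed from the snippets in the question plus the ProxyRequests On line the comment suspects is present; FIXED_CONF is the assumed corrected form of the same fragment. The directive names are real Apache 2.2 directives; the linter itself is the only code here that is not Apache's.

```python
# Added example (not from the original answer): lint httpd.conf text for the
# two misconfigurations discussed in this thread. SAMPLE_CONF is constructed
# from the question's snippets plus the "ProxyRequests On" line the comment
# suspects; FIXED_CONF is the assumed corrected form.
import re

DIRECTIVE_RE = re.compile(r'^(?P<name>[A-Za-z]+)\s*(?P<args>.*?)\s*$')

# Constructed: the poster's snippets plus the ProxyRequests line the comment suspects.
SAMPLE_CONF = """\
ProxyRequests On
ProxyPreserveHost On
ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app

RewriteEngine On
RewriteCond %{HTTP_HOST} ^myserver.com
RewriteLog "/home/myserver/log/rewrite.log"
RewriteLogLevel 1
"""

# Assumed corrected form: no forward proxying, and the Host check now guards a rule
# that returns 403 for every request whose Host does not start with myserver.com.
FIXED_CONF = r"""ProxyRequests Off
ProxyPreserveHost On
ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app

RewriteEngine On
RewriteCond %{HTTP_HOST} !^myserver\.com
RewriteRule .* - [F]
RewriteLog "/home/myserver/log/rewrite.log"
RewriteLogLevel 1
"""


def parse_directives(conf_text):
    """Return [(line_no, name, args)] for directive lines; comments, blanks and <Section> tags are skipped."""
    directives = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives.append((n, m.group("name"), m.group("args")))
    return directives


def audit_httpd_conf(conf_text):
    """Return [(line_no, message)] for each problem found."""
    findings = []
    directives = parse_directives(conf_text)
    for i, (n, name, args) in enumerate(directives):
        lname = name.lower()
        if lname == "proxyrequests" and args.strip().lower() == "on":
            findings.append((n, "ProxyRequests On: httpd forwards requests for any client that "
                                "can reach it (open proxy); a reverse proxy needs ProxyRequests Off"))
        elif lname == "rewritecond":
            # A RewriteCond (or a chain of them) applies only to the RewriteRule that
            # immediately follows. If the chain ends with anything else, it guards nothing.
            following = directives[i + 1][1].lower() if i + 1 < len(directives) else ""
            if following not in ("rewritecond", "rewriterule"):
                findings.append((n, "RewriteCond not followed by a RewriteRule: the Host check "
                                    "is never applied to any request"))
    return findings


if __name__ == "__main__":
    for n, msg in audit_httpd_conf(SAMPLE_CONF):
        print(f"line {n}: {msg}")
    print("fixed config findings:", audit_httpd_conf(FIXED_CONF))
```

The lint is line-based on purpose: it does not follow Include files or understand <IfModule> and <VirtualHost> scoping, so treat a clean result as "nothing obvious in this file", not as proof, and still read every included file (or check `apachectl -S` output) for a ProxyRequests On that lives elsewhere. Of the two fixes in FIXED_CONF, ProxyRequests Off is the one that matters for the traffic in the question: a forward-proxy request such as "GET http://www.xbdym.com HTTP/1.1" is rejected outright once forward proxying is off, whether or not the rewrite rule exists; the RewriteCond/RewriteRule pair is what the poster originally intended, a 403 for any request whose Host header does not belong to the site.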
