Posted to users@httpd.apache.org by er...@firedragon.com on 2002/09/24 19:16:39 UTC
[users@httpd] Could someone tell me what might be going on.
I have a web server set up, and every night the httpd server is
connecting to remote IPs on port 80. I have received a few nasty-grams
from some site admins about port scanning.
I have made sure that all the info about proxying is commented out of
the httpd.conf, but for some reason it's still happening. I want to
understand if this is a bug, or it's a problem with my configuration.
I'm using apache 1.3.27 (stock Apache from redhat 7.3)
A response would be REALLY APPRECIATED! Even "did you check"'s!
Eric Petersen
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: secure your network! - Could someone tell me what might be going on.
Posted by "i.t" <i....@ithum.de>.
> msg Tuesday, 24 September 2002 19:41 by Dirk-Willem van Gulik:
> > Check your logs - unless you are hacked - apache will log what
> > happens in the access log.
>
> he's hacked - used as a zombie for ip address spoofing.
> see
> http://www.insecure.org/nmap/idlescan.html
SECURE your server and network!
immediately close ftp and telnet (and make it secure - ssl tunneling), close
login and 514, too.
Find out other ways for users - e.g. DAV - for an upload of user's file to the
server,
and so on...
Interesting ports on firedragon.com (209.161.2.50):
(The 1587 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
52/tcp     open        xns-time
53/tcp     open        domain
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
443/tcp    open        https
513/tcp    open        login
514/tcp    open        shell
6969/tcp   open        acmsoda
32771/tcp  open        sometimes-rpc5

Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.024 days (since Tue Sep 24 19:43:49 2002)
--
. ___
| | Irmund Thum
| |
Re: [users@httpd] Could someone tell me what might be going on.
Posted by "i.t" <i....@ithum.de>.
msg Tuesday, 24 September 2002 19:41 by Dirk-Willem van Gulik:
> Check your logs - unless you are hacked - apache will log what
> happens in the access log.
he's hacked - used as a zombie for ip address spoofing.
see
http://www.insecure.org/nmap/idlescan.html
--
. ___
| | Irmund Thum
| |
Re: [users@httpd] Could someone tell me what might be going on.
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
Check your logs - unless you are hacked - apache will log what
happens in the access log.
Remove any proxy statements.
Use lsof, tcpdump or netstat to see what is talking on port 80.
Dw.
On Tue, 24 Sep 2002 ericp@firedragon.com wrote:
> I have a web server set up, and every night the httpd server is
> connecting to remote IPs on port 80. I have received a few nasty-grams
> from some site admins about port scanning.
>
> I have made sure that all the info about proxying is commented out of
> the httpd.conf, but for some reason it's still happening. I want to
> understand if this is a bug, or it's a problem with my configuration.
>
> I'm using apache 1.3.27 (stock Apache from redhat 7.3)
>
> A response would be REALLY APPRECIATED! Even "did you check"'s!
>
> Eric Petersen
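The netstat check suggested in the thread, worked through as an added example that is not part of any post: it reduces `netstat -tnp` output to the processes holding client-side connections to remote port 80. The function names, sample addresses and PIDs are constructed, and the Linux net-tools column layout is assumed.

```shell
#!/bin/sh
# Added example: find local processes acting as HTTP *clients*.
# Reads `netstat -tnp`-style lines (Linux net-tools layout, assumed) on stdin
# and prints "<connections> <PID/program> <distinct remote hosts>".

outbound_http() {
    awk '
    $1 ~ /^tcp/ && NF >= 7 {
        # Split addr:port on the last colon so tcp6 addresses also work.
        lport = $4; sub(/.*:/, "", lport)
        rport = $5; sub(/.*:/, "", rport)
        rhost = $5; sub(/:[^:]*$/, "", rhost)
        # Remote port 80 from a non-web local port: this host opened it.
        if (rport == "80" && lport != "80" && lport != "443") {
            conns[$7]++
            if (!seen[$7, rhost]++) hosts[$7]++
        }
    }
    END {
        for (p in conns) printf "%d %s %d\n", conns[p], p, hosts[p]
    }' | sort -rn
}

# Constructed sample input (documentation address ranges, invented PIDs).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address       Foreign Address     State       PID/Program name
tcp        0      0 192.0.2.10:80       198.51.100.7:51234  ESTABLISHED 1201/httpd
tcp        0      0 192.0.2.10:22       198.51.100.9:40022  ESTABLISHED 845/sshd
tcp        0      1 192.0.2.10:33412    203.0.113.5:80      SYN_SENT    1288/httpd
tcp        0      1 192.0.2.10:33413    203.0.113.6:80      SYN_SENT    1288/httpd
tcp        0      1 192.0.2.10:33414    203.0.113.6:80      SYN_SENT    1288/httpd
tcp        0      0 192.0.2.10:33390    198.51.100.20:80    ESTABLISHED 977/wget
EOF
}

# Offline demo; on a live host run as root: netstat -tnp | outbound_http
sample_netstat | outbound_http
```

Inbound requests served on local port 80 are excluded, so any PID that appears here is one that opened the connection itself and can be examined further with `lsof -p <PID>`.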