Posted to users@httpd.apache.org by er...@firedragon.com on 2002/09/24 19:16:39 UTC

[users@httpd] Could someone tell me what might be going on.

I have a web server set up, and every night the httpd server is 
connecting to remote IPs on port 80. I have received a few nasty-grams 
from some site admins about port scanning. 

I have made sure that all the info about proxying is commented out of 
the httpd.conf, but for some reason it's still happening. I want to 
understand if this is a bug, or it's a problem with my configuration.

I'm using Apache 1.3.27 (stock Apache from Red Hat 7.3)

A response would be REALLY APPRECIATED! Even "did you check"'s!

Eric Petersen


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: secure your network! - Could someone tell me what might be going on.

Posted by "i.t" <i....@ithum.de>.
> msg Tuesday, 24 September 2002 19:41 by Dirk-Willem van Gulik:
> > Check your logs - unless you are hacked - apache will log what
> > happens in the access log.
>
> he's hacked - used as a zombie for ip address spoofing.
> see
> http://www.insecure.org/nmap/idlescan.html

SECURE your server and network!
Immediately close ftp and telnet (and make it secure - ssl tunneling), close 
login and 514, too.
Find out other ways for users - e.g. DAV - to upload their files to the 
server, and so on...

Interesting ports on firedragon.com (209.161.2.50):
(The 1587 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
52/tcp     open        xns-time
53/tcp     open        domain
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
443/tcp    open        https
513/tcp    open        login
514/tcp    open        shell
6969/tcp   open        acmsoda
32771/tcp  open        sometimes-rpc5
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.024 days (since Tue Sep 24 19:43:49 2002)

-- 
 . ___
 |  |  Irmund     Thum
 |  |   



Re: [users@httpd] Could someone tell me what might be going on.

Posted by "i.t" <i....@ithum.de>.
msg Tuesday, 24 September 2002 19:41 by Dirk-Willem van Gulik:
> Check your logs - unless you are hacked - apache will log what
> happens in the access log.

he's hacked - used as a zombie for ip address spoofing.
see 
http://www.insecure.org/nmap/idlescan.html
-- 
 . ___
 |  |  Irmund     Thum
 |  |   



Re: [users@httpd] Could someone tell me what might be going on.

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
Check your logs - unless you are hacked - apache will log what
happens in the access log.

Remove any proxy statements.

Use lsof, tcpdump or netstat to see what is talking on port 80.

Dw.


On Tue, 24 Sep 2002 ericp@firedragon.com wrote:

> I have a web server set up, and every night the httpd server is
> connecting to remote IPs on port 80. I have received a few nasty-grams
> from some site admins about port scanning.
>
> I have made sure that all the info about proxying is commented out of
> the httpd.conf, but for some reason it's still happening. I want to
> understand if this is a bug, or it's a problem with my configuration.
>
> I'm using Apache 1.3.27 (stock Apache from Red Hat 7.3)
>
> A response would be REALLY APPRECIATED! Even "did you check"'s!
>
> Eric Petersen
>
>
>
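
Added example, not part of the original thread: the netstat check suggested in the reply above, written as a shell filter that separates outbound connections to remote port 80 (this host acting as a client) from ordinary inbound web traffic (local port 80) and counts them per owning process. The sample output is constructed and uses documentation addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find which local process opens connections TO remote port 80.

# Constructed sample in the layout `netstat -tnp` prints on Linux.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           198.51.100.7:51324      ESTABLISHED 1234/httpd
tcp        0      1 192.0.2.10:40112        203.0.113.5:80          SYN_SENT    1301/httpd
tcp        0      1 192.0.2.10:40113        203.0.113.6:80          SYN_SENT    1301/httpd
tcp        0      0 192.0.2.10:22           198.51.100.9:60022      ESTABLISHED 900/sshd
tcp        0      0 192.0.2.10:40200        203.0.113.80:80         ESTABLISHED 1450/wget
EOF
}

# outbound_to_port PORT: read `netstat -tnp` text on stdin and print
# "pid/program remote_addr state" for every TCP connection whose foreign
# port is PORT and whose local port is not PORT (this host is the client).
# Inbound requests to the web server have local port 80 and are skipped.
outbound_to_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            n = split($4, l, ":"); lport = l[n]   # last ":" field is the port
            m = split($5, f, ":"); fport = f[m]
            if (fport == port && lport != port) print $7, $5, $6
        }'
}

# count_by_program PORT: number of outbound connections per owning process,
# busiest first. Many SYN_SENT entries from one PID are worth a closer look.
count_by_program() {
    outbound_to_port "$1" |
        awk '{ c[$1]++ } END { for (p in c) print c[p], p }' | sort -rn
}

# Live use (root is needed to see PIDs owned by other users):
#   netstat -tnp | count_by_program 80
sample_netstat | count_by_program 80
```

Once a PID stands out, `lsof -p PID` lists the files and sockets that process has open, and the access log entries around the same time show whether a request triggered the connections.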

