Posted to users@httpd.apache.org by Rob De Langhe <ro...@twistfare.be> on 2011/07/01 09:54:49 UTC
[users@httpd] still hacking proxy-attempts accepted by webserver
hi,
despite me disabling the "proxy*" modules from my Apache, I see still occasionally some successful hack attempts via my server (code 200) :
125.46.73.7 - - [30/Jun/2011:11:54:09 +0200] "GET http://www.baidu.com/ HTTP/1.1" 200 240 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
The loaded modules in my Apache are :
# /usr/apache2/bin/httpd -M | sort
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_dbm_module (shared)
authn_default_module (shared)
authn_file_module (shared)
authz_dbm_module (shared)
authz_default_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
core_module (static)
dbd_module (shared)
dir_module (shared)
dumpio_module (shared)
env_module (shared)
expires_module (shared)
headers_module (shared)
http_module (static)
include_module (shared)
log_config_module (shared)
logio_module (shared)
mime_module (shared)
mpm_prefork_module (static)
negotiation_module (shared)
php5_module (shared)
setenvif_module (shared)
so_module (static)
ssl_module (shared)
vhost_alias_module (shared)
Can anyone please shed some light on this mystery ?
thx a lot in advance
Rob
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
[users@httpd] SUMMARY:still hacking proxy-attempts accepted by webserver
Posted by Rob De Langhe <ro...@twistfare.be>.
thx to Eric Covener (the sole replier on my mail), he pointed me in the right direction :
Without any 'proxy' modules loaded, I needed to configure a 'honeypot' virtualhost to catch any request that doesn't contain one of my hostnames (like "www.mydomain.be"),[1] and deny access to them all.
By placing this extra virtualhost as the first in the config, it becomes the "default" one.
These are the config lines I added :
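    # Listed first in the config, so it is the default vhost for any
    # request whose hostname matches none of the real vhosts.
    <VirtualHost *:80>
        ServerName default.only
        <Location "/">
            Order allow,deny
            Deny from all
        </Location>
    </VirtualHost>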
works like a charm.
Testing is done with a TELNET to my web server's internal IP address, port 80, and entering the following:
GET http://www.yahoo.com/ HTTP/1.1
Host: www.yahoo.com
(followed by double newlines)
cheers
Rob
Links:
------
[1] http://www.mydomain.be
Re: [users@httpd] still hacking proxy-attempts accepted by webserver
Posted by Eric Covener <co...@gmail.com>.
On Fri, Jul 1, 2011 at 3:54 AM, Rob De Langhe
<ro...@twistfare.be> wrote:
> hi,
>
> despite me disabling the "proxy*" modules from my Apache, I see still
> occasionally some successful hack attempts via my server (code 200) :
>
> 125.46.73.7 - - [30/Jun/2011:11:54:09 +0200] "GET http://www.baidu.com/
> HTTP/1.1" 200 240 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
Apache will serve / out of the default virtualhost for such a request.
If you don't want it to, create a new default (first-listed) vhost to
capture all unlisted hostnames and "deny from all".
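As an added example (not part of the original thread and not Apache's own tooling), this Python script scans an access log for the pattern discussed above: requests whose target is an absolute URI or CONNECT authority naming a foreign host, reported by whether a vhost served them (as in the 200 entry Rob quoted) or refused them (as after the catch-all vhost is in place). OWN_HOSTS is an assumption based on the post's placeholder domain, and every sample log line except the first is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the names this server really hosts (the post's placeholder domain).
OWN_HOSTS = {"www.mydomain.be", "mydomain.be"}

# Common/combined log format: client ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line, own_hosts=OWN_HOSTS):
    """Return a dict for a proxy-style request naming a foreign host, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":                      # authority-form: host:port
        host = target.rsplit(":", 1)[0].lower()
    elif "://" in target:                        # absolute-form: scheme://host/path
        host = (urlsplit(target).hostname or "").lower()
    else:
        return None                              # origin-form ("GET /path"): normal
    if host in own_hosts:
        return None                              # absolute URI for our own site
    status = int(m["status"])
    # Below 400 means a vhost answered with local content for the foreign name
    # (nothing was proxied); 4xx/5xx means the request was refused.
    verdict = "served" if status < 400 else "refused"
    return {"client": m["client"], "host": host, "status": status, "verdict": verdict}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# First line is the entry quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = [
    '125.46.73.7 - - [30/Jun/2011:11:54:09 +0200] "GET http://www.baidu.com/ HTTP/1.1" 200 240 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"',
    '192.0.2.10 - - [01/Jul/2011:10:00:00 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 403 202 "-" "-"',
    '192.0.2.11 - - [01/Jul/2011:10:00:05 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.12 - - [01/Jul/2011:10:00:09 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 405 230 "-" "-"',
    '192.0.2.13 - - [01/Jul/2011:10:00:12 +0200] "GET http://www.mydomain.be/ HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("{client} asked for {host}: {status} ({verdict})".format(**hit))
```

Any "served" hit after the catch-all vhost is deployed suggests that another vhost, or a different listening address or port, is still acting as the default for unlisted hostnames.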