I had my RaQ3 attacked by a bunch of porn aficionados who have been using it as an open proxy.

In the logs, I see a couple of different things happening:

1: There are some requests like "CONNECT foo.bar.com:port HTTP/1.0"
2: There are a million requests for content such as: "GET http://www.porn.com/members/members.shtml HTTP/1.0"

There are no suspicious lines in the http config files. Chkrootkit 0.36 reports clean. I can't find any .htaccess files. Mod_proxy is compiled into the server by default, but is not obviously enabled anywhere.

I've removed all proxying access by adding the following to the access.conf files for the main and admserv processes.

<Directory />
  <Limit CONNECT>
    order deny,allow
    deny from all
  </Limit>
  ..
</Directory>
ProxyRequests Off

This is the binary signature:

[root@douglas conf]# md5sum /usr/sbin/httpd
02d22d43495bd1a465853844ccba092f /usr/sbin/httpd
[root@douglas conf]# ls -l /usr/sbin/httpd
-rwxr-xr-x 1 root root 1613740 Jun 24 13:44 /usr/sbin/httpd

My questions:
Is this perhaps a very bad set of default settings? Or have I had a rootkit applied?
Should I be collecting all of the porn username/password/cookie sets I find? Any buyers for it all?

eric

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
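The two log patterns the post describes (CONNECT tunnel requests and GET requests carrying a full absolute URI to a foreign host) are the standard tell-tales of an Apache server being used as an open proxy. The following is an added example, not code from the poster or from the Cobalt list: a small Python triage script that scans common/combined-format access log lines, classifies each as a CONNECT tunnel, a forwarded fetch, or ordinary local traffic, and aggregates the abusing clients and the destinations they reached. The sample log lines, the client addresses and the hostnames `foreign.example.net` and `www.example.com` are constructed for the example; `LOCAL_HOSTS` is an assumption standing in for whatever names the server legitimately serves.

```python
"""Triage an Apache access log for open-proxy abuse (added example, constructed data)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Common/combined log format: client ident user [time] "METHOD target HTTP/x.y" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hostnames this server legitimately answers for (assumption for the example).
# HTTP/1.1 clients may send an absolute URI for a local host; that is not proxying.
LOCAL_HOSTS = {"www.example.com", "example.com"}


def classify(line, local_hosts=LOCAL_HOSTS):
    """Return 'connect', 'forward' or None for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        return "connect"  # tunnel request: only meaningful if we act as a proxy
    if target.startswith(("http://", "https://")):
        host = (urlsplit(target).hostname or "").lower()
        if host not in local_hosts:
            return "forward"  # absolute URI to a foreign host: a proxied fetch
    return None


def summarize(lines, local_hosts=LOCAL_HOSTS):
    """Aggregate proxy-abuse indicators: per kind, per client, per destination.

    'served' counts only requests the server answered with a non-error status,
    i.e. the ones where the proxy actually delivered content to the abuser.
    """
    by_kind, by_client, targets = Counter(), Counter(), Counter()
    served = 0
    for line in lines:
        kind = classify(line, local_hosts)
        if kind is None:
            continue
        m = LOG_RE.match(line)
        by_kind[kind] += 1
        by_client[m.group("client")] += 1
        target = m.group("target")
        if kind == "connect":
            host = target.rsplit(":", 1)[0]  # "host:port" -> host
        else:
            host = (urlsplit(target).hostname or "").lower()
        targets[host] += 1
        if int(m.group("status")) < 400:
            served += 1
    return {
        "by_kind": dict(by_kind),
        "by_client": dict(by_client),
        "targets": dict(targets),
        "served": served,
    }


# Constructed sample log lines (not from the poster's server).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jun/2001:13:44:01 -0700] "GET /index.html HTTP/1.0" 200 1234',
    '198.51.100.7 - - [24/Jun/2001:13:44:02 -0700] "CONNECT foo.bar.com:443 HTTP/1.0" 200 -',
    '198.51.100.7 - - [24/Jun/2001:13:44:03 -0700] "GET http://foreign.example.net/members/members.shtml HTTP/1.0" 200 5678',
    '198.51.100.9 - - [24/Jun/2001:13:44:04 -0700] "GET http://www.example.com/page.html HTTP/1.1" 200 100',
    '198.51.100.7 - - [24/Jun/2001:13:44:05 -0700] "GET http://foreign.example.net/pics/1.jpg HTTP/1.0" 403 -',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("indicators by kind:  ", report["by_kind"])
    print("requests per client: ", report["by_client"])
    print("destinations reached:", report["targets"])
    print("served (status < 400):", report["served"])
```

Run it over the real log with `summarize(open("/var/log/httpd/access_log"))` after filling in `LOCAL_HOSTS`. The `served` figure is the useful one after a fix such as the `ProxyRequests Off` change above: abusers keep sending the same requests for a while, so the CONNECT and absolute-URI lines do not disappear, but their status should move from 200 to 403 once proxying is genuinely disabled.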
