Please cc me on replies, as I'm on the digest.

>eric wrote:
>> I had my raq3 attacked by a bunch of porn aficionados who
>> have been using it as an open proxy.
>Hopefully simply trying to use it. See below:

No, succeeding. Redlining a T1. Starting on a holiday weekend. Ending on my birthday. Grr.

>> In the logs, I see a couple of different things happening:
>>
>> 1: There are some requests like "CONNECT foo.bar.com:port HTTP/1.0"
>> 2: There are a million requests for content such as: "GET
>> http://www.porn.com/members/members.shtml HTTP/1.0"
>You missed one vital point from your log lines: what is the return code?

200, 302, 400, 503, depending on the connection and if I had firewalled/changed the configuration.

>> I've removed all proxying access by adding the following to
>> the access.conf files for the main and admserv processes.
>Right on, that will disable the CONNECT method.

It disables connect, and turns off mod_proxy, which is compiled in. The actual proxying of webpages was the big bandwidth hit.

>This follows an interesting discussion on a SecurityFocus mailing list to
>which I subscribe, where people with Apache version < 1.3.26 are seeing
>this very frequently. I'd suggest you pop your server's IP address into
>Google and see if it turns up anywhere - it could be on an open proxy list,
>however mistakenly.

It's on 2 of them. So I guess I'm in for a load more of these requests for a while. I saw a ref to this from March of this year, with a big long list of vulnerable configs (not including cobalt).

So. Can someone with a default configuration Raq3 check to see if this happens with their system? I'd really like to know if this is a systemic problem that I've fixed with the config file changes, or if I have to completely rebuild my raq because there's a backdoor that chkrootkit can't find.

eric

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
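
The return-code question raised in this thread, as an added example that is not part of the original post: a Python script that picks the two proxy-style request shapes described above (CONNECT, and a GET with an absolute URL) out of Common Log Format lines and groups them by whether the server answered or refused them. The log lines are constructed, and the names `classify` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "CONNECT example.org:443 HTTP/1.0" 200 0',
    '192.0.2.11 - - [01/Jan/2000:10:00:02 +0000] "GET http://www.example.com/members/members.shtml HTTP/1.0" 200 18432',
    '192.0.2.11 - - [03/Jan/2000:09:12:44 +0000] "GET http://www.example.com/members/members.shtml HTTP/1.0" 400 339',
    '192.0.2.10 - - [03/Jan/2000:09:12:45 +0000] "CONNECT example.org:443 HTTP/1.0" 503 -',
    '198.51.100.7 - - [03/Jan/2000:09:13:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
]

def classify(line):
    """Return (kind, outcome) for a proxy-style request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    if m["method"] == "CONNECT":
        kind = "connect"
    elif re.match(r"(?i)^[a-z][a-z0-9+.-]*://", m["target"]):
        kind = "absolute-uri"      # e.g. GET http://host/path
    else:
        return None                # ordinary request for a local path
    # 2xx/3xx: the server answered; 4xx/5xx: it refused or failed.
    outcome = "answered" if int(m["status"]) < 400 else "refused"
    return kind, outcome

def summarize(lines):
    """Count proxy-style requests per (kind, outcome)."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result:
            counts[result] += 1
    return counts

if __name__ == "__main__":
    for (kind, outcome), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:13} {outcome:9} {n}")
```

An "answered" absolute-URI GET is not by itself proof of relaying: Apache without mod_proxy can answer such a request with its own local page, so compare the logged byte count with the size of the local document.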
