Hi,

At the risk of starting a thread that won't die... :^)

A few weeks ago, I noticed in my apache logs that someone was using my web site to proxy their browsing. This was briefly discussed here:

Mar 10, see thread:
> [expert] Fw: RE: Apache 1.3.x allows passthrough
http://www.mail-archive.com/expert%40linux-mandrake.com/thrd5.html#50886

Apr 21:
> Sidebar: a while back, I started seeing a hacker using my web site to
> hide his/her activities. Today, the packets continue (even if
> unproductive due to my HoneyPort); but the emerging pattern is that
> someone may be trying to boost "click-through" counts to affect
> advertising charges... If anyone is seeing packets from 211.154.65.144,
> I'd be interested in getting some info from you...

If you are running a web server, please check your /var/log/httpd/access_log for lines that look like this:

    GET http://...... HTTP/1.x

If, like me, you had/have proxying active and were successfully abused by this scumbag, you will be on a permanent list and will not be able to stop these probes... Even going silent via iptables does not stop the probing.

So far, I've tracked the machine to somewhere in Asia Pacific (China?), so counter-offensives are likely my only option. I've been trying to find ways to respond which might give the attacker some grief... if anyone has any ideas on how to croak a remote box that is only listening to ports it opened, I'm interested...

I've tried using the anti-{CodeRed,Nimda} responses. It seems that the more I give it responses, the more it tries... (again, silence does not stop the attack) The last attempt was to overflow its buffers and the probes stopped for an hour... though they've resumed. So far, I can flood the attacker up to his window size of 17520.

Guess it's time to hunt down the old smurf code and modify it to "beacon" the idiot...

Pierre
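The access_log check described in the message above, as an added example that is not part of the original post: it flags requests whose target is an absolute URL for a foreign host (or a CONNECT) and groups them by client. It assumes Apache's common/combined log format; the function name, the `own_hosts` parameter and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache common/combined prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?: HTTP/\d\.\d)?" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_proxy_attempts(lines, own_hosts):
    """Return {client_ip: {"answered": n, "refused": n, "targets": set}}."""
    own = {h.lower() for h in own_hosts}
    report = defaultdict(lambda: {"answered": 0, "refused": 0, "targets": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access_log line
        method, target = m["method"], m["target"]
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0].lower()
        elif target.lower().startswith(("http://", "https://", "ftp://")):
            host = (urlsplit(target).hostname or "").lower()
        else:
            continue  # ordinary origin-form request such as "GET /index.html"
        if host in own:
            continue  # an absolute URL naming this server is legal HTTP/1.1
        entry = report[m["ip"]]
        # 2xx/3xx: the server answered for a foreign host. Compare the logged
        # size with the local page at that path to tell real proxying from
        # the default vhost answering.
        entry["answered" if m["status"][0] in "23" else "refused"] += 1
        entry["targets"].add(host)
    return dict(report)

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Apr/2002:10:15:01 -0400] "GET http://ads.example.net/click?id=1 HTTP/1.0" 200 5120',
    '192.0.2.10 - - [21/Apr/2002:10:15:09 -0400] "GET http://ads.example.net/click?id=2 HTTP/1.0" 403 291',
    '192.0.2.10 - - [21/Apr/2002:10:15:20 -0400] "CONNECT mail.example.org:25 HTTP/1.0" 405 312',
    '198.51.100.7 - - [21/Apr/2002:10:16:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [21/Apr/2002:10:16:02 -0400] "GET http://www.example.com/about.html HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for ip, info in find_proxy_attempts(SAMPLE_LOG, {"www.example.com"}).items():
        print(ip, info["answered"], info["refused"], sorted(info["targets"]))
```

A non-zero "answered" count for a foreign host is the case to investigate first; "refused" entries show the probing continues after proxying has been disabled.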
