Apache hacker problem

Post by Barry Come » Fri, 20 Sep 2002 23:17:06



Folks:

I have a web server running trustix 1.5 with all the updates and
Apache 2.0.40. This machine is behind a Linksys router with
port 80 forwarded to the server. The router's outgoing logs
indicate that the web server has connected to several external
machines using ports in the 20k -> 40k range. The router's
incoming logs show that these external machines have connected
to the web server in the past few days.

I have reinstalled the OS and Apache several times with no
solution. The website does not contain any CGI scripts or the
like. Has anyone had this problem and if so what is the solution?

Cheers
Barry


Post by Khayma » Sat, 21 Sep 2002 00:06:35




> Folks:

> I have a web server running trustix 1.5 with all the updates and
> Apache 2.0.40. This machine is behind a Linksys router with
> port 80 forwarded to the server. The router's outgoing logs
> indicate that the web server has connected to several external
> machines using ports in the 20k -> 40k range. The router's
> incoming logs show that these external machines have connected
> to the web server in the past few days.

> I have reinstalled the OS and Apache several times with no
> solution. The website does not contain any CGI scripts or the
> like. Has anyone had this problem and if so what is the solution?

Try to set up a packet sniffer (ethereal for example) and take a look at this
mysterious traffic.

Khay.


Post by Barry Come » Sat, 21 Sep 2002 01:06:25


Can you recommend a good sniffer? 8-)




> > Folks:

> > I have a web server running trustix 1.5 with all the updates and
> > Apache 2.0.40. This machine is behind a Linksys router with
> > port 80 forwarded to the server. The router's outgoing logs
> > indicate that the web server has connected to several external
> > machines using ports in the 20k -> 40k range. The router's
> > incoming logs show that these external machines have connected
> > to the web server in the past few days.

> > I have reinstalled the OS and Apache several times with no
> > solution. The website does not contain any CGI scripts or the
> > like. Has anyone had this problem and if so what is the solution?

> Try to set up a packet sniffer (ethereal for example) and take a look at
> this mysterious traffic.

> Khay.


Post by Barry Come » Sat, 21 Sep 2002 01:08:09


I should make it clear that these external boxes connect through
port 80. This indicates that there is something in Apache or the
configuration file that is permitting this to happen.


> Folks:

> I have a web server running trustix 1.5 with all the updates and
> Apache 2.0.40. This machine is behind a Linksys router with
> port 80 forwarded to the server. The router's outgoing logs
> indicate that the web server has connected to several external
> machines using ports in the 20k -> 40k range. The router's
> incoming logs show that these external machines have connected
> to the web server in the past few days.

> I have reinstalled the OS and Apache several times with no
> solution. The website does not contain any CGI scripts or the
> like. Has anyone had this problem and if so what is the solution?

> Cheers
> Barry


Post by Chris Biltcliff » Sat, 21 Sep 2002 01:25:00


What do your Apache logs say for the connection from the remote machine
to your box?
Is it a standard GET request?  Something weird?  Or does it list
anything at all?

Chris


> I should make it clear that these external boxes connect through
> port 80. This indicates that there is something in Apache or the
> configuration file that is permitting this to happen.



> > Folks:

> > I have a web server running trustix 1.5 with all the updates and
> > Apache 2.0.40. This machine is behind a Linksys router with
> > port 80 forwarded to the server. The router's outgoing logs
> > indicate that the web server has connected to several external
> > machines using ports in the 20k -> 40k range. The router's
> > incoming logs show that these external machines have connected
> > to the web server in the past few days.

> > I have reinstalled the OS and Apache several times with no
> > solution. The website does not contain any CGI scripts or the
> > like. Has anyone had this problem and if so what is the solution?

> > Cheers
> > Barry


Post by David Efflan » Sat, 21 Sep 2002 11:59:55



> Folks:

> I have a web server running trustix 1.5 with all the updates and
> Apache 2.0.40. This machine is behind a Linksys router with
> port 80 forwarded to the server. The router's outgoing logs
> indicate that the web server has connected to several external
> machines using ports in the 20k -> 40k range. The router's
> incoming logs show that these external machines have connected
> to the web server in the past few days.

> I have reinstalled the OS and Apache several times with no
> solution. The website does not contain any CGI scripts or the
> like. Has anyone had this problem and if so what is the solution?

What makes you think that these are some kind of attack, something in your
logs?  Without further details, it sounds like normal web traffic to me.

Note that although web clients connect to your port 80, the request comes
from a random port > 1024 and the reply goes to that port.  If someone is
behind a firewall or NAT, the request could come from very high ports.

--
David Efflandt - All spam ignored  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/
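
The point made in the post above, as an added example that is not part of any post in this thread: an "outgoing" entry from the server's port 80 to a high remote port is the reply half of a connection a client opened, while an entry from a non-listening local port is traffic the server started itself. The log format, addresses and function names are assumptions constructed for illustration; a real router log has to be mapped onto these fields first.

```python
import re
from collections import Counter

# Constructed sample in a hypothetical "dir src:port -> dst:port" format.
SAMPLE_LOG = """\
in  203.0.113.7:31544 -> 192.168.1.10:80
out 192.168.1.10:80 -> 203.0.113.7:31544
in  198.51.100.23:27015 -> 192.168.1.10:80
out 192.168.1.10:80 -> 198.51.100.23:27015
out 192.168.1.10:80 -> 192.0.2.55:40112
out 192.168.1.10:33910 -> 192.0.2.99:25
"""

LINE_RE = re.compile(r"^(in|out)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

def classify(log_text, listen_ports=frozenset({80})):
    """Label each outgoing entry as reply, unmatched-reply or server-initiated."""
    seen_clients = set()   # (client_ip, client_port) pairs that reached a listener
    results = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue       # skip lines that do not fit the assumed format
        direction, src, sport, dst, dport = m.groups()
        sport, dport = int(sport), int(dport)
        if direction == "in":
            if dport in listen_ports:
                seen_clients.add((src, sport))
            continue
        if sport not in listen_ports:
            # The server picked an ephemeral source port: it opened this one.
            verdict = "server-initiated"
        elif (dst, dport) in seen_clients:
            # Source port 80 back to a client we saw connect: normal web reply.
            verdict = "reply"
        else:
            # Looks like a reply, but the inbound half is missing from the log.
            verdict = "unmatched-reply"
        results.append((dst, dport, verdict))
    return results

def summary(results):
    """Count outgoing entries per verdict."""
    return Counter(verdict for _, _, verdict in results)

if __name__ == "__main__":
    for dst, dport, verdict in classify(SAMPLE_LOG):
        print(f"{dst}:{dport:<6} {verdict}")
```

A log that records only the destination port of outgoing traffic cannot make this distinction, which is where the packet capture suggested earlier in the thread comes in.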


Post by Khayma » Sat, 21 Sep 2002 15:23:33






> > Try to set up a packet sniffer (ethereal for example) and take a look at
> > this mysterious traffic.

> > Khay.
> Can you recommend a good sniffer? 8-)

Well, I just did - ethereal is quite decent (won't run on dual CPUs
though, be aware)...

But you know, I have the same opinion as David E. - this seems like normal
web traffic...
Someone is asking for a webpage and gets it delivered...

But I wanted you to notice this, with the help of a sniffer...

Khay.
