Is my server being used as a proxy or is a DOS underway? Lots of traffic in my apache log

apache-2.2 denial-of-service

I have a slice with a hosting provider that has a basic lamp stack setup. I was checking my apache logs today and I'm getting total random (it seems) request to my apache server. For instance, here are two entries:

174.129.95.125 - - [20/Jul/2011:07:28:27 +0000] "GET http://www.czhlk.com/sony/cheng2/error.asp HTTP/1.1" 200 11322 "http://www.baidu.com" "Mozilla/4.0"
117.41.235.133 - - [20/Jul/2011:07:28:29 +0000] "GET http://113.105.144.166:8083/Payrank.php HTTP/1.1" 200 11315 "http://113.105.144.166:8083/Payrank.php" "Mozilla/4.0"

Right now I only have some test php scripts up so I wasn't expecting a lot of traffic but I'm getting several requests a second with entries similar to the one's just posted. The strange thing is that if you look at the url requested in the access log, they are not referencing resources on my machine. I've installed chkrootkit and couldn't find anything. I've also checked the password file and other areas to see if somebody might have hacked me. So far I haven't found anything but I'm not a system admin or anything, just a software developer. Also, all of the http codes in the log are '200' which is strange to me. So how is it that my apache is returning 200 for http requests that aren't requesting anything on my server? I would expect something like this:

98.248.117.137 - - [20/Jul/2011:07:35:03 +0000] "GET /index.php" ....

Not a fully qualified url for completely different sites. What am I missing, sorry if it's a stupid question.

Here is the contents of my mods-available/proxy.conf file, I don't see anything wrong with it so far:

#turning ProxyRequests on and allowing proxying from all may allow #spammers to use your proxy to send email.

    ProxyRequests Off

    <Proxy *>
            AddDefaultCharset off
            Order deny,allow
            Deny from all
            #Allow from .example.com
    </Proxy>

    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block

    ProxyVia On


Solution 1:

I'd say that the IP address your hosting provider gave you was previously used as a C&C or distribution node for a botnet, and some malware hasn't got the message that you're no longer carrying that stuff. Unfortunately, there's not a lot you can do about it, other than bugging your provider and saying you want new IPs because this one's tainted. You definitely don't want to keep an IP that's got a history of naughtiness -- chances are it's in all sorts of blacklists (SMTP and otherwise) which will have an adverse effect on your ability to use the server, and those requests are chewing up your traffic allowance (which is costing you money).

The reason why you're getting 200s for all requests is probably because you've got an apache config directive that's rewriting all requests to your index.php. That's why you get the contents of it when you hit the URLs being requested.

Related

How to best optimize an Oracle database for writes?
How to interconnect 2 switches (Cisco/Dell) with trunks
What is a good sendmail log analyzer?
How to hack airport extreme to support USB 3G modem? [closed]
Setting up SSL on apache on linux ubuntu
apache force if url has specific pattern redirect to https [duplicate]
How to setup IP alias on bridged interface in Ubuntu
VSFTPD says "500 OOPS: cannot change directory"
%CPU for a process
EXIM: Relay to Office 365
Does sending e-mail in the name of customers increase the risk of being marked as spammer?
How to recover data from a Windows 2003 Server HP StorageWorks Ultrium 448 Backup via Linux?