
We were under attack for 2 days; our server used Ubuntu 16 and Apache 2.4.18. The attacker used our server as a forward proxy server.

We used mod_rewrite and mod_proxy (with ProxyRequests 'Off'). After we updated to Ubuntu 20 and Apache 2.4.48, the attacker couldn't use his exploit anymore.

What kind of vulnerability did he use? Is there anybody here who has experienced the same hacking?

The Apache logs were the following.

error.logs:

[client 5.9.122.157:47818] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:14.850035 2022] [proxy:warn] [pid 27763:tid 140269403993856] [client 116.202.156.56:54296] AH01144: No protocol handler was valid for the URL www.xt-exchange.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:14.878971 2022] [proxy:warn] [pid 27824:tid 140269294888704] [client 144.76.62.120:33844] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:14.938249 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 162.55.239.78:56474] AH01144: No protocol handler was valid for the URL www.diangon.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:14.956530 2022] [ssl:error] [pid 27853:tid 140269336852224] [remote 64.70.194.123:443] AH01961: SSL Proxy requested for content.mrkresz.hu:80 but not enabled [Hint: SSLProxyEngine]
[Wed Sep 14 06:32:14.956578 2022] [proxy:error] [pid 27853:tid 140269336852224] AH00961: HTTPS: failed to enable ssl support for 64.70.194.123:443 (www.gocamsolar.com)
[Wed Sep 14 06:32:14.996790 2022] [proxy:error] [pid 27795:tid 140269336852224] (110)Connection timed out: AH00957: HTTP: attempt to connect to 156.241.133.235:80 (*) failed
[Wed Sep 14 06:32:14.996847 2022] [proxy_http:error] [pid 27795:tid 140269336852224] [client 162.55.235.119:47054] AH01114: HTTP: failed to make connection to backend: 156.241.133.235
[Wed Sep 14 06:32:15.036009 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 195.201.207.235:50394] AH01144: No protocol handler was valid for the URL rvzqo.lncredlbiedate.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.074333 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 5.9.122.157:47950] AH01144: No protocol handler was valid for the URL www.webamooz.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.079432 2022] [proxy:warn] [pid 27795:tid 140269336852224] [client 195.201.199.120:39954] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.129524 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 162.55.232.113:56058] AH01144: No protocol handler was valid for the URL www.xt-exchange.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.162938 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 144.76.62.120:47656] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.181328 2022] [proxy:warn] [pid 27795:tid 140269336852224] [client 195.201.199.120:37680] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.215050 2022] [proxy:warn] [pid 27795:tid 140269395601152] [client 195.201.198.228:48516] AH01144: No protocol handler was valid for the URL www.twinword.co.kr:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.253555 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 162.55.232.113:60474] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.263634 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 162.55.232.112:42622] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.340222 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 116.202.157.229:46482] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.421054 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 5.9.117.121:35116] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.440183 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 195.201.198.228:34390] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.480238 2022] [proxy:warn] [pid 27795:tid 140269336852224] [client 176.9.19.26:47918] AH01144: No protocol handler was valid for the URL www.xt-exchange.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.498040 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 142.132.135.111:58626] AH01144: No protocol handler was valid for the URL www.twinword.co.kr:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.519968 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 144.76.62.120:38428] AH01144: No protocol handler was valid for the URL www.webamooz.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.593118 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 162.55.232.75:48800] AH01144: No protocol handler was valid for the URL www.twinword.co.kr:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.636758 2022] [proxy:error] [pid 27795:tid 140269311674112] (110)Connection timed out: AH00957: HTTP: attempt to connect to 156.241.133.235:80 (*) failed
[Wed Sep 14 06:32:15.636833 2022] [proxy_http:error] [pid 27795:tid 140269311674112] [client 162.55.235.119:33664] AH01114: HTTP: failed to make connection to backend: 156.241.133.235
[Wed Sep 14 06:32:15.645854 2022] [proxy:warn] [pid 27824:tid 140269378815744] [client 142.132.222.236:54960] AH01144: No protocol handler was valid for the URL m.e99w.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.649103 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 144.76.62.120:35506] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.670919 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 162.55.232.71:33986] AH01144: No protocol handler was valid for the URL www.webamooz.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.717377 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 46.4.18.84:56632] AH01144: No protocol handler was valid for the URL www.xt-exchange.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.724049 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 144.76.62.120:49190] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.733926 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 46.4.113.183:57728] AH01144: No protocol handler was valid for the URL www.valforex.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.803581 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 162.55.235.119:39914] AH01144: No protocol handler was valid for the URL www.diangon.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.825944 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 162.55.232.75:55224] AH01144: No protocol handler was valid for the URL www.hedleyonline.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.872028 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 195.201.198.228:57452] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.892751 2022] [proxy:error] [pid 27824:tid 140269395601152] (110)Connection timed out: AH00957: HTTP: attempt to connect to 156.241.133.235:80 (*) failed
[Wed Sep 14 06:32:15.892817 2022] [proxy_http:error] [pid 27824:tid 140269395601152] [client 142.132.222.236:48836] AH01114: HTTP: failed to make connection to backend: 156.241.133.235
[Wed Sep 14 06:32:15.974813 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 178.63.41.226:34324] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:15.994589 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 116.202.220.248:33176] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:16.003835 2022] [proxy:warn] [pid 27731:tid 140269462742784] [client 46.4.18.84:36608] AH01144: No protocol handler was valid for the URL www.webamooz.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:16.049902 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 5.9.122.157:48036] AH01144: No protocol handler was valid for the URL tx.jinjiasvip.xyz:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:16.066833 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 195.201.207.235:39196] AH01144: No protocol handler was valid for the URL www.xtcoiwap.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:16.119781 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 142.132.135.111:45048] AH01144: No protocol handler was valid for the URL www.valforex.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Sep 14 06:32:16.152864 2022] [proxy:warn] [pid 27881:tid 140269362030336] [client 142.132.135.111:50684] AH01144: No protocol handler was valid for the URL www.twinword.co.kr:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

vhost access log:

content.mrkresz.hu:80 5.9.122.157 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xt-exchange.com:443 HTTP/1.1" 500 809 "-" "-"
content.mrkresz.hu:80 195.201.207.235 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.youjiashangcheng.com:443 HTTP/1.1" 500 814 "-" "-"
content.mrkresz.hu:80 116.202.156.56 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xt-exchange.com:443 HTTP/1.1" 500 809 "-" "-"
content.mrkresz.hu:80 46.4.18.84 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.webamooz.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 5.9.122.157 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.webamooz.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 46.4.116.179 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 142.132.135.111 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.diangon.com:443 HTTP/1.1" 500 805 "-" "-"
content.mrkresz.hu:80 116.202.157.229 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xt-exchange.com:443 HTTP/1.1" 500 809 "-" "-"
content.mrkresz.hu:80 142.132.135.111 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.valforex.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 142.132.135.111 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.diangon.com:443 HTTP/1.1" 500 805 "-" "-"
content.mrkresz.hu:80 5.9.122.157 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 144.76.62.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 162.55.232.113 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xt-exchange.com:443 HTTP/1.1" 500 809 "-" "-"
content.mrkresz.hu:80 46.4.116.179 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 142.132.222.236 - - [14/Sep/2022:06:26:57 +0200] "CONNECT yingbb99.com:443 HTTP/1.1" 500 802 "-" "-"
content.mrkresz.hu:80 162.55.232.112 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xt-exchange.com:443 HTTP/1.1" 500 809 "-" "-"
content.mrkresz.hu:80 162.55.232.71 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.webamooz.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 5.9.122.157 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xt-exchange.com:443 HTTP/1.1" 500 809 "-" "-"
content.mrkresz.hu:80 195.201.199.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 46.4.113.183 - - [14/Sep/2022:06:26:57 +0200] "CONNECT 301.gwf301.com:8080:8080 HTTP/1.1" 400 0 "-" "-"
content.mrkresz.hu:80 46.4.113.183 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.valforex.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 144.76.62.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 142.132.135.111 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.twinword.co.kr:443 HTTP/1.1" 500 808 "-" "-"
content.mrkresz.hu:80 144.76.62.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 162.55.232.71 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.webamooz.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 5.9.117.121 - - [14/Sep/2022:06:26:57 +0200] "CONNECT 301.gwf301.com:8080:443 HTTP/1.1" 400 0 "-" "-"
content.mrkresz.hu:80 195.201.198.228 - - [14/Sep/2022:06:26:57 +0200] "CONNECT yingbb99.com:443 HTTP/1.1" 500 802 "-" "-"
content.mrkresz.hu:80 162.55.102.254 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.hedleyonline.com:443 HTTP/1.1" 500 810 "-" "-"
content.mrkresz.hu:80 144.76.62.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 46.4.113.183 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.webamooz.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 144.76.62.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT allfloridatinting.com:443 HTTP/1.1" 500 811 "-" "-"
content.mrkresz.hu:80 144.76.62.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xt-exchange.com:443 HTTP/1.1" 500 809 "-" "-"
content.mrkresz.hu:80 144.76.62.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 144.76.62.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 178.63.41.226 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.webamooz.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 162.55.239.78 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.diangon.com:443 HTTP/1.1" 500 805 "-" "-"
content.mrkresz.hu:80 116.202.157.229 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 116.202.156.56 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.hedleyonline.com:443 HTTP/1.1" 500 810 "-" "-"
content.mrkresz.hu:80 195.201.198.228 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.webamooz.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 144.76.62.120 - - [14/Sep/2022:06:26:57 +0200] "CONNECT www.xtcoiwap.com:443 HTTP/1.1" 500 806 "-" "-"
content.mrkresz.hu:80 162.55.232.112 - - [14/Sep/2022:06:26:57 +0200] "CONNECT 301.gwf301.com:8080:8080 HTTP/1.1" 400 0 "-" "-"

Of course, these logs are just a small part of a giant 60 GB log, but all lines are similar to these.

D.Bence
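As an added example (not the poster's code or configuration), here is detection logic of the kind one would run over an access log like the one above to spot forward-proxy abuse: it flags CONNECT requests and absolute-URI request lines aimed at hosts the server does not itself serve, and tallies them per client and per target. The sample log lines, the hostnames and the OUR_HOSTS set are constructed for the example; only the log format mirrors the vhost access log quoted in the question.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache vhost-style access log line, as in the question:
# vhost:port client ident user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+):(?P<vport>\d+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumption: the hostnames this server legitimately serves (constructed values).
OUR_HOSTS = {"content.example.test", "www.example.test"}

# Constructed sample lines in the same format as the question's vhost access log.
SAMPLE = """\
content.example.test:80 203.0.113.10 - - [14/Sep/2022:06:26:57 +0200] "CONNECT exchange.example.net:443 HTTP/1.1" 500 809 "-" "-"
content.example.test:80 203.0.113.10 - - [14/Sep/2022:06:26:58 +0200] "CONNECT exchange.example.net:443 HTTP/1.1" 500 809 "-" "-"
content.example.test:80 203.0.113.11 - - [14/Sep/2022:06:26:58 +0200] "CONNECT shop.example.org:8080:8080 HTTP/1.1" 400 0 "-" "-"
content.example.test:80 198.51.100.7 - - [14/Sep/2022:06:26:59 +0200] "GET http://shop.example.org/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
content.example.test:80 198.51.100.8 - - [14/Sep/2022:06:27:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
content.example.test:80 198.51.100.9 - - [14/Sep/2022:06:27:01 +0200] "GET http://content.example.test/a.png HTTP/1.1" 200 2048 "-" "-"
""".splitlines()


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def proxy_target(entry):
    """Return the foreign host a request tried to reach through us, or None for a normal request."""
    method, target = entry["method"], entry["target"]
    if method == "CONNECT":
        # CONNECT host:port; the question's log also shows malformed host:port:port targets,
        # so take only the host part before the first colon.
        return target.split(":")[0].lower()
    if target.startswith(("http://", "https://")):
        # An absolute-URI request line is only meaningful to a proxy; a normal
        # origin server sees "GET /path". Ignore it when the host is one of ours.
        host = urlsplit(target).hostname
        if host and host.lower() not in OUR_HOSTS:
            return host.lower()
    return None


def summarize(lines):
    """Count proxy-style requests per client IP, per requested target host, and per status."""
    clients, targets, statuses = Counter(), Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        host = proxy_target(entry)
        if host is None:
            continue
        clients[entry["client"]] += 1
        targets[host] += 1
        statuses[entry["status"]] += 1
    return {"clients": clients, "targets": targets, "statuses": statuses}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for key in ("clients", "targets", "statuses"):
        print(key, report[key].most_common(5))
```

Even requests that failed (the 500 and 400 responses in the question's log) count as attempts, which is what makes the volume and the set of source addresses visible.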
  • Ubuntu 16 is EOL, update it – djdomi Sep 15 '22 at 17:16
  • Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – djdomi Sep 15 '22 at 17:16
  • No, the answer was: what kind of vulnerabilities did he use? As I wrote, we updated our servers. – D.Bence Sep 15 '22 at 17:18
  • Old software that has no update... has bugs and Ubuntu [confirmed](https://ubuntu.com/security/notices/USN-5212-2) this – djdomi Sep 15 '22 at 17:21
  • I found this: https://ubuntu.com/security/CVE-2021-44224, but it says that it only works in forward proxy mode. What is really interesting is that we completely disabled the proxy mod, and the attacker still used our server "as a proxy". So maybe mod_rewrite is involved. What do you think? – D.Bence Sep 15 '22 at 17:24
  • As long as you do not provide enough information to investigate, we can't provide help. – djdomi Sep 16 '22 at 04:23
