
Recently I noticed my server keeps sending data to a strange location, "121.11.76.48", by netstat -na.

To find out what it is sending, I tried:

tcpdump -i eth0 host 121.11.76.48 -nnvvXSs 1514

And found it keeps sending HTTP requests to this location:

22:55:21.179353 IP (tos 0x0, ttl  64, id 26103, offset 0, flags [DF], proto: TCP (6), length: 296) 192.168.1.13.58155 > 121.11.76.48.80: P, cksum 0x880b (incorrect (-> 0xd884), 1904784743:1904784999(256) ack 915059568 win 46
    0x0000:  4500 0128 65f7 4000 4006 4ce8 c0a8 010d  E..(e.@.@.L.....
    0x0010:  790b 4c30 e32b 0050 7188 b567 368a b370  y.L0.+.Pq..g6..p
    0x0020:  5018 002e 880b 0000 4745 5420 2f20 4854  P.......GET./.HT
    0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 0d0a  TP/1.1..Host:...
    0x0040:  4163 6365 7074 3a20 2a2f 2a0d 0a52 6566  Accept:.*/*..Ref
    0x0050:  6572 6572 3a20 6874 7470 3a2f 2f77 7777  erer:.http://www
    0x0060:  2e78 6264 796d 2e63 6f6d 2f69 6e64 6578  .xbdym.com/index
    0x0070:  2e61 7370 0d0a 4163 6365 7074 2d4c 616e  .asp..Accept-Lan
    0x0080:  6775 6167 653a 207a 682d 636e 0d0a 4163  guage:.zh-cn..Ac
    0x0090:  6365 7074 2d45 6e63 6f64 696e 673a 2067  cept-Encoding:.g
    0x00a0:  7a69 702c 2064 6566 6c61 7465 0d0a 5573  zip,.deflate..Us
    0x00b0:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
    0x00c0:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
    0x00d0:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
    0x00e0:  646f 7773 2035 2e31 290d 0a50 7261 676d  dows.5.1)..Pragm
    0x00f0:  613a 206e 6f2d 6361 6368 650d 0a56 6961  a:.no-cache..Via

Apparently, something in my server keeps sending packets (about one packet/sec) to www.xbdym.com (which is 121.11.76.48), with an IE6 browser!

But my box is a Linux box (CentOS 5.6); there's no way to run IE6 on it. And I don't have any Windows VM installed.

Then I use lsof -i to find what process sends the packets:

httpd   13232 apache   20u  IPv4 326404481       TCP 192.168.1.13:48988->121.11.76.48:http (ESTABLISHED)

It is Apache! It's weird; why does Apache send packets to this location so frequently?

I then dig into Apache's logs and find a lot of records in access_log:

121.11.80.126 - - [23/Dec/2011:22:58:58 +0800] "GET http://www.xbdym.com HTTP/1.1" 502 495 "http://www.xbdym.com/index.asp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"

and in rewrite.log:

121.11.80.126 - - [23/Dec/2011:23:05:57 +0800] [www.xbdym.com/sid#2b1de9435be0][rid#2b1df49d6ad0/initial] (1) pass through proxy:http://www.xbdym.com

Does my server behave as a proxy? In fact, directly connecting to my server is redirected to my inner Java server (set by ProxyPass and ProxyPassReserve), and I set this:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^myserver.com
RewriteLog "/home/myserver/log/rewrite.log"
RewriteLogLevel 1

There is a "RewriteCond" there; a host not starting with 'myserver.com' should not pass! But how does it pass through my proxy!? And how do I stop it!?

Environment:

httpd-2.2.3-53.el5.centos.3
CentOS 5.6
2.6.18-238.12.1.el5xen

-- updated --

My ProxyPass settings:

ProxyPreserveHost on
ProxyPass        /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app

1 Answer


A RewriteCond line only affects the next RewriteRule that is processed. It does nothing on its own.

Since there is no RewriteRule following it in the snippet of your config you have given us, my best guess is that the RewriteCond is doing nothing.

A quick change that should block anything not sending the correct Host: header:

RewriteCond %{HTTP_HOST} !^myserver.com
# Pattern .* matches every URL-path; "-" means no substitution, [F] answers 403
RewriteRule .* - [F]

Your analysis of what you have seen seems to be correct to me; your Apache is configured as an open relay.

What do your ProxyPass and ProxyPassReverse lines look like? (I presume you actually wrote ProxyPassReverse in your Apache config and not ProxyPassReserve.)

I noticed the request sent an empty Host: header which is very strange. I suspect your VirtualHost is configured as the default, meaning that it will process all requests, even if the Host: header does not match the ServerName or ServerAlias variables.

There is some advice on how to add an extra, non-proxying default VirtualHost in the Apache wiki. And, for completeness, here's a link to the mod_proxy documentation.

Ladadadada
  • Hi, I've added my 'ProxyPassReverse and ProxyPass' settings. And it's true, my virtualHost is configured as the default. – smallufo Dec 23 '11 at 15:54
  • Having never actually used Apache as a forward proxy, I just had a read through that part of the docs. I now suspect you have `ProxyRequests On` somewhere in your configuration. For a reverse proxy, this should be `ProxyRequests Off`. – Ladadadada Dec 23 '11 at 16:07
  • Thanks, the Apache wiki (http://wiki.apache.org/httpd/ProxyAbuse) seems to help me. At least, it hasn't been attacked for 20 mins... :) – smallufo Dec 23 '11 at 16:28
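Putting the answer's RewriteCond/RewriteRule fix, its non-proxying default VirtualHost advice and the `ProxyRequests Off` point from the comments together as one httpd 2.2 configuration. This is an added example, not the asker's or the answerer's config; the host names, DocumentRoot, log paths and the `hostlog` format name are assumed.

```apache
# Hardened reverse-proxy setup for httpd 2.2 (added example; host names,
# ports, DocumentRoot and log paths are assumed).
NameVirtualHost *:80

# Never act as a forward proxy. "ProxyRequests On" is what lets a client send
# "GET http://www.xbdym.com HTTP/1.1" and have httpd fetch it on its behalf.
# ProxyPass/ProxyPassReverse below keep working with this Off.
ProxyRequests Off

# Default (first-listed) VirtualHost: a request whose Host header is empty or
# unknown lands here and gets 403 instead of reaching the proxy rules.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Location />
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>

# The real site: only requests addressed to myserver.com reach the Java app.
<VirtualHost *:80>
    ServerName myserver.com
    ServerAlias www.myserver.com

    # Log the Host header next to the raw request line, so proxy-style
    # requests (absolute URL in %r, empty Host) are obvious in access_log.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\" \"%{Referer}i\" \"%{User-Agent}i\"" hostlog
    CustomLog /home/myserver/log/access_log hostlog

    RewriteEngine On
    RewriteLog "/home/myserver/log/rewrite.log"
    RewriteLogLevel 1
    # A RewriteCond only governs the RewriteRule directly after it; without
    # the rule it does nothing. Forbid anything not for myserver.com.
    RewriteCond %{HTTP_HOST} !^(www\.)?myserver\.com(:80)?$ [NC]
    RewriteRule .* - [F]

    ProxyPreserveHost On
    ProxyPass        /app http://localhost:8080/app
    ProxyPassReverse /app http://localhost:8080/app
</VirtualHost>
```

After reloading, a request like the one in the question should show up in access_log with an empty Host field and a 403 instead of a 502 from the relayed connection.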