
I recently attempted to connect to my EC2 server on 8080 and had some strange issues that weren't occurring earlier.

  • Nginx (though set up for :81) captures any requests on port 8080.

If I stop nginx,

  • I get a "Connection Refused" message from a Squid Proxy I definitely didn't install myself, and don't recall seeing before.

http://i.imgur.com/afdwo.png

I'm attempting to run a simple Pyramid app on 8080, but the squid proxy seems to be catching all the requests. There don't seem to be any squid processes showing up in netstat, and I can't find a configuration file in /etc/squid, so I'm worried this might be a rootkit.

Should I try to uninstall squid somehow or scrap the server?

Napster_X
GuyNoir
  • It sounds like the Squid process is a transparent proxy either on your local network or at your ISP. Using `tcpdump` on either your server or your home machine should help you find it. Running `sudo netstat -tlnp` on your server should as well. – Ladadadada Jan 07 '13 at 07:15
  • I forgot to mention I'm on ec2, and I've been unable to find any info that ec2 has squid by default. The message also goes away when I stop the server, which rules out any Amazon caching I would think. I'll check out what you recommend later tomorrow and see if I can find it there. – GuyNoir Jan 07 '13 at 07:20
  • It's pretty unlikely that this is a legitimate proxy. No competent sys admin runs a proxy as root. If I had to guess, someone probably compromised your instance, installed Squid, and is using it to hide their tracks as they swap stolen credit card info or child porn. It's not a rootkit though. Terminate the instance and have someone who knows what they're doing set up a new one. – jamieb Jan 09 '13 at 05:24
  • Just had my key refused when ssh'ing so I'm pretty sure you're correct, and I'm going to go ahead and nuke it. Do you have any recommendations for guides or some way to learn the proper methods for setting up a secure server? – GuyNoir Jan 09 '13 at 05:28
  • Scratch that, just booted up a completely fresh Amazon EC2 instance on the default Ubuntu AMI, and I'm still getting the same on 8080. Definitely not a rootkit then, and probably an Amazon thing. I'll keep searching. – GuyNoir Jan 10 '13 at 02:39

2 Answers


The issue is not at all with the remote/EC2 server.

So, an overview of the normal process of communication between your machine and the EC2 machine goes like this:

First the packet goes from your machine to your gateway ---> then the packet goes from your gateway to the destination machine ---> then to the destination port of the destination machine.

Over here, your gateway seems to be a Squid proxy. So, when your packet for port 8080 is sent to the EC2 server, the squid proxy first fetches the data from the EC2 server on your behalf and then sends you the reply.

But when there is nothing running on port 8080 of the destination/EC2 machine, the squid proxy gets connection refused, and then sends you the result. It's just that it also adds the footer that the result is coming from the squid proxy, which is confusing you.

Check with your network administrator and he will confirm the same.

Simply run the application which you want to run on EC2 machine, and when it's working, you won't be getting this error.

Napster_X
  • That's what I first thought (that it might be some caching done by Amazon), however, even when I have something on 8080 listening (verified through netstat), I still get the squid proxy. Additionally, I find it strange that the error appears on 8080, but not 80, 81 or any others which I've used before. – GuyNoir Jan 08 '13 at 04:11
  • Hmm ... that's weird ... let me see if I can think of any other possible reason – Napster_X Jan 08 '13 at 06:09
  • Hmmm, well the server just refused my key, so at this point I'm just going to nuke it. Thanks for the help. – GuyNoir Jan 09 '13 at 05:26
  • Booted up a clean instance, and lo and behold, I get the same message! I've tried two computers, so it's not on my end, so I'm assuming it's something with Amazon's setup. – GuyNoir Jan 10 '13 at 02:39
  • That's really weird. As I work with AWS a lot, and never seen anything like this. You must be running something in your Instance. May be you should try changing your AMI from which you create your instance. – Napster_X Jan 10 '13 at 05:54
  • Looks like it wasn't an issue with AWS after all, thanks for all the help! – GuyNoir Jan 10 '13 at 15:33
  • Sure. Though would be great if you can share about your findings. I might face the same in future :) – Napster_X Jan 10 '13 at 17:35
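The answer above argues that the Squid page is produced by an intermediary on the client's path, not by the EC2 instance. A practical way to settle that, and to separate a genuine TCP refusal from a proxy-generated error page, is to look at what actually came back on the wire. The following is an added example for this thread, not code from the question or either answer. It assumes the proxy behaves like stock Squid (adds a `Via` header, an `X-Squid-Error` header, and an error body that names the squid host); the two sample responses, the hostname `gateway.example` and the address 203.0.113.10 are constructed for the example, not captured from the hotel network.

```python
"""Distinguish a Squid error page produced by an intermediary from a response
produced by the origin server you meant to reach.

Added example for this thread (not from the original page). Assumes a stock
Squid-style proxy; all sample data below is constructed, not captured."""

import socket
from typing import Dict, List

# Header names and Server-banner fragments that point to an HTTP intermediary.
PROXY_HEADERS = ("via", "x-squid-error", "x-cache", "x-cache-lookup")
PROXY_SERVER_HINTS = ("squid", "proxy", "varnish", "traffic server")


def parse_response(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x response into status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"status": status, "headers": headers,
            "body": body.decode("latin-1", "replace")}


def proxy_indicators(raw: bytes) -> List[str]:
    """Return the reasons this response looks proxy-generated (empty if none)."""
    parsed = parse_response(raw)
    headers = parsed["headers"]
    reasons = []
    for name in PROXY_HEADERS:
        if name in headers:
            reasons.append(f"header {name}: {headers[name][0]}")
    for banner in headers.get("server", []):
        if any(hint in banner.lower() for hint in PROXY_SERVER_HINTS):
            reasons.append(f"server banner: {banner}")
    body = parsed["body"].lower()
    if "generated" in body and "squid" in body:  # Squid's error-page footer
        reasons.append("squid error page body")
    return reasons


def classify(raw: bytes) -> str:
    """'proxy' if an intermediary produced the response, otherwise 'origin'."""
    return "proxy" if proxy_indicators(raw) else "origin"


def probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send a minimal GET to host:port and return the raw response.

    A real refusal by the origin raises ConnectionRefusedError here; a
    transparent proxy instead completes the TCP handshake and answers with
    its own error page, which is exactly the confusing case in the question."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample modelled on Squid's ERR_CONNECT_FAIL page (not a real capture).
SQUID_ERROR = (
    b"HTTP/1.1 503 Service Unavailable\r\n"
    b"Server: squid/3.1.19\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Squid-Error: ERR_CONNECT_FAIL 111\r\n"
    b"Via: 1.1 gateway.example (squid/3.1.19)\r\n"
    b"\r\n"
    b"<html><body><h1>ERROR</h1><p>The requested URL could not be retrieved</p>"
    b"<p>Connection to 203.0.113.10 failed. (111) Connection refused</p>"
    b"<p>Generated Thu, 10 Jan 2013 02:39:00 GMT by gateway.example (squid/3.1.19)</p>"
    b"</body></html>"
)

# Constructed sample of what a Pyramid app served by waitress would answer directly.
ORIGIN_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: waitress\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello from pyramid"
)

if __name__ == "__main__":
    for label, sample in (("squid page", SQUID_ERROR), ("origin", ORIGIN_OK)):
        print(label, classify(sample), proxy_indicators(sample))
    # Live check: run the same probe from two different networks (e.g. the
    # hotel wifi and a friend's connection); if one path reports "proxy" and
    # the other "origin", the intermediary belongs to that network, not the server.
    # print(classify(probe("203.0.113.10", 8080)))
```

The decisive test is the one in the final comment of the probe: the same request from a second network. If `probe` raises `ConnectionRefusedError` (or returns your app's own response) from elsewhere but returns a Squid page from the hotel, the proxy sits on the hotel side and nothing on the instance is involved.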

Turns out it was a network proxy on the hotel's wifi (I'm currently traveling). For whatever reason, it must block port 8080 on certain connections. I asked my friend to test it out, and everything looks good on his end.

Glad I don't have a rootkit, though all other signs in this position definitely pointed to one.

GuyNoir