[SOLVED] Apache2 compromised

[Corona688]

I should not be seeing things like this in my log.

[DocReedSolomon]

there was probably more than this one line with that address, probably trying to call an exe file?

looks like a compromised win client or bot, fakeing the referer. nothing to worry about, i get those all the time

[Corona688]

The problem is not that he's trying to get yahoo.com through my server. The problem is that HE'S SUCCEEDING. Look at the code -- 200 OK.
_________________
Petition for Better 64-bit ATI Drivers - Sign Here
http://www.petitiononline.com/atipet/petition.html

[DocReedSolomon]

ah. do you have a link to yahoo on your webpage? then he probably clicked that one?

//edit: you do have a link on your webpage to yahoo. so why do you worry if it actually works?
i just clicked it right now on your page, check your log.

[Corona688]

No. No, you didn't. My webserver is DISABLED until I figure out how to stop this. I don't know where you went.

Clicking a link to yahoo.com wouldn't tell my web server anything, besides. The access would go to yahoo. That's what links do. Somebody has been using my web server as a proxy, I think, and I don't know how to disable it.

Any other ideas?
_________________
Petition for Better 64-bit ATI Drivers - Sign Here
http://www.petitiononline.com/atipet/petition.html

[DocReedSolomon]

hmm, i am talking about http://www.petitiononline.com
it is not disabled, and it does have a link to yahoo.

proxy access wouldnt be in your apache log either, this just btw

[DocReedSolomon]

[Corona688]

That petition is not my web site.

And no, no it doesn't. I just triple-checked, on a different server, to make sure my understanding of web isn't horribly fundamentally wrong:

[DocReedSolomon]

[Corona688]

Found it.

If I'd posted my config file it wouldn't have helped you a bit. I'd already removed the file that enabled my (supposedly extremely limited) proxy in /etc/apache2/modules.d/... The problem was actually in apache2-builtin-mods, where I had to change:

[DocReedSolomon]

nice workaround. even more misconfigured now, though - worked for you
it is really your believe everyone in here changed *that* file and disabled those? ah well..

my money is on commonapache2.conf. looks like you enabled the proxy services there. they are disabled by default, this just btw..
could it not be you enabled them there?

[Corona688]

You really know very little about apache, do you? Pity you're the only one that bothered replying instead of people who might have helped.

The proxy modules are used for... proxy. I don't need them if I no longer want my web server to be a proxy. Now if I'd deleted them to stop them, that would be a workaround, this was just restoring my system to original settings. I had to enable those modules to get the proxy working, I'd quite forgotten about that file. And I didn't just blithely edit the file... I systematically ruled out every apache-related config file in the entire sytem before I resolved to edit the list of modules. I even checked every .htaccess on the system to make sure it wasn't hiding in them. There's literally nowhere else I could disable it.

I haven't modified commonapache.conf since last year. You almost never need to. Most of the relevant changes actually happen in /etc/conf.d/apache2 and /etc/apache2/modules.d the way gentoo has it set up -- you turn on and off defines that control which <IfDefined> statements happen in the apache config files.

No, I did not enable the services in commonapache.conf. I enabled PROXY in /etc/conf.d/apache2 then enabled the necessary modules for it to work. I aso had an /etc/apache2/modules.d/80-proxy file that I made myself that was SUPPOSED to secure it but obviously did not.
_________________
Petition for Better 64-bit ATI Drivers - Sign Here
http://www.petitiononline.com/atipet/petition.html