From: Michel Bulgado
Date: Tue, 29 Jun 2010 16:52:12 -0400
To: users@httpd.apache.org
Subject: [users@httpd] Connection attempts - mod_proxy

Hello list

I am using CentOS 5.4 with Apache httpd-2.2.3-31.el5. I have several virtual hosts, and one of them uses mod_proxy to serve a web site I have running on Windows 2003; this server is not available online, it is an internal server.

Reviewing the Logwatch messages, I found that someone has tried to use my server through the same mod_proxy to connect to other servers or sites.

Connection attempts using mod_proxy:
    95.25.10.121 -> 205.188.251.11:443: 1 Time(s)
    95.25.10.121 -> 205.188.251.16:443: 1 Time(s)
    95.25.10.121 -> 205.188.251.21:443: 1 Time(s)
    95.25.10.121 -> 205.188.251.26:443: 1 Time(s)
    95.25.10.121 -> 205.188.251.31:443: 1 Time(s)
    95.25.10.121 -> 205.188.251.36:443: 1 Time(s)
    95.25.10.121 -> 64.12.202.116:443: 1 Time(s)
    95.25.10.121 -> 64.12.202.43:443: 1 Time(s)
    95.25.10.121 -> 64.12.202.50:443: 1 Time(s)
    95.25.45.157 -> 205.188.251.11:443: 2 Time(s)
    95.25.45.157 -> 205.188.251.16:443: 2 Time(s)
    95.25.45.157 -> 205.188.251.1:443: 2 Time(s)
    95.25.45.157 -> 205.188.251.21:443: 2 Time(s)
    95.25.45.157 -> 205.188.251.26:443: 2 Time(s)
    95.25.45.157 -> 205.188.251.31:443: 2 Time(s)
    95.25.45.157 -> 205.188.251.36:443: 2 Time(s)
    95.25.45.157 -> 205.188.251.6:443: 2 Time(s)
    95.25.45.157 -> 64.12.202.116:443: 3 Time(s)
    95.25.45.157 -> 64.12.202.15:443: 2 Time(s)
    95.25.45.157 -> 64.12.202.1:443: 2 Time(s)
    95.25.45.157 -> 64.12.202.22:443: 2 Time(s)
    95.25.45.157 -> 64.12.202.29:443: 2 Time(s)
    95.25.45.157 -> 64.12.202.36:443: 2 Time(s)
    95.25.45.157 -> 64.12.202.43:443: 3 Time(s)
    95.25.45.157 -> 64.12.202.50:443: 3 Time(s)
    95.25.45.157 -> 64.12.202.8:443: 2 Time(s)
    95.26.235.217 -> 205.188.251.11:443: 2 Time(s)
    95.26.235.217 -> 205.188.251.16:443: 2 Time(s)
    95.26.235.217 -> 205.188.251.1:443: 2 Time(s)
    95.26.235.217 -> 205.188.251.21:443: 2 Time(s)
    95.26.235.217 -> 205.188.251.26:443: 2 Time(s)
    95.26.235.217 -> 205.188.251.31:443: 2 Time(s)
    95.26.235.217 -> 205.188.251.36:443: 1 Time(s)
    95.26.235.217 -> 205.188.251.6:443: 2 Time(s)
    95.26.235.217 -> 64.12.202.116:443: 1 Time(s)
    95.26.235.217 -> 64.12.202.15:443: 2 Time(s)
    95.26.235.217 -> 64.12.202.1:443: 2 Time(s)
    95.26.235.217 -> 64.12.202.22:443: 2 Time(s)
    95.26.235.217 -> 64.12.202.29:443: 2 Time(s)
    95.26.235.217 -> 64.12.202.36:443: 2 Time(s)
    95.26.235.217 -> 64.12.202.43:443: 1 Time(s)
    95.26.235.217 -> 64.12.202.50:443: 1 Time(s)
    95.26.235.217 -> 64.12.202.8:443: 2 Time(s)

The question is, should I be alarmed? I am unable to tell whether they could use mod_proxy to connect to these sites.

Is there a tool that runs under Linux that allows auditing any activity or attempted attack on my Apache server?

Thanks & Regards
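
An added example, not part of the original message: one way to tell from the Apache access log whether CONNECT attempts like those in the Logwatch summary were tunnelled or refused. It assumes the combined log format; `classify_connects` is a hypothetical helper and the log lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Common/combined log format:
# client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) '
)

def classify_connects(lines):
    """Split CONNECT requests into (tunnelled, refused) Counters,
    each keyed by (client, target)."""
    tunnelled, refused = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue  # unparseable line or not a tunnel request
        key = (m.group("client"), m.group("target"))
        # Assumption: a 2xx reply to CONNECT means the server opened the
        # tunnel (it acts as an open forward proxy); any other status
        # means the attempt was refused.
        if m.group("status").startswith("2"):
            tunnelled[key] += 1
        else:
            refused[key] += 1
    return tunnelled, refused

# Constructed sample lines (not taken from the poster's logs).
SAMPLE = [
    '203.0.113.10 - - [29/Jun/2010:10:01:02 -0400] "CONNECT 198.51.100.7:443 HTTP/1.0" 405 312 "-" "-"',
    '203.0.113.10 - - [29/Jun/2010:10:01:05 -0400] "CONNECT 198.51.100.7:443 HTTP/1.0" 405 312 "-" "-"',
    '203.0.113.11 - - [29/Jun/2010:10:02:00 -0400] "CONNECT 198.51.100.8:443 HTTP/1.0" 200 - "-" "-"',
    '203.0.113.12 - - [29/Jun/2010:10:03:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    ok, denied = classify_connects(SAMPLE)
    for (client, target), n in sorted(denied.items()):
        print(f"refused    {client} -> {target}: {n} time(s)")
    for (client, target), n in sorted(ok.items()):
        print(f"TUNNELLED  {client} -> {target}: {n} time(s)")
```

Any entry reported as tunnelled is the case to act on: check that forward proxying (`ProxyRequests`) is off in every virtual host and that only the intended reverse-proxy mapping remains.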