Spun new server up...httpd suspected compromise

Hey All,

I had a WordPress site and a Drupal site on the AWS free tier that I moved over to Linode yesterday. I've installed a basic LAMP stack and nothing else on a CentOS box. Both are very low-traffic sites, and last night I got a warning about a CPU spike. Looking at my httpd access_log, there are ~113,000 entries for a single night. Looking at the entries, there are a lot of GET requests to random sites. I'm pretty sure something somewhere is compromised. Where should I start cleaning this up? The most frequent entries were for http://godtrck.com. Here is an example:

199.15.112.172 - - [03/May/2013:12:47:50 +0000] "GET http://godtrck.com/?a=5535&oc=1405&c=7983&s1= HTTP/1.0" 404 7078 "https://mail.google.com/mail/?shva=1#inbox/13157cecaadcf61d" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E; Zune 4.7; InfoPath.3)"

Anyone ever heard of this, am I missing something?

Thanks.

Tanner J.

6 Replies

A little more info:

In /var/log/httpd/error_log I've got ~70,000 "File does not exist" errors scanning all of my /var/www/html/ subdirectories. Does this spike in traffic mean I've been compromised, or could someone have just been probing my server? Looking at the Linode manager, I had an hour-and-a-half spike that has now fallen off.

Thanks.

It's possible that someone else had that IP address previously and they ran an open proxy. Entries in the log of the form "GET http://other.site" are attempts to use your server as a proxy. The 404 response is your server telling them to go away.

If the activity continues, raise a ticket with Linode staff asking for a new IP address and explain why.
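The distinction the reply draws (requests whose target is a full `http://host/...` URL are forward-proxy attempts, and what matters is the status code the server answered with) can be checked mechanically rather than by eyeballing 113,000 lines. The script below is an added example, not code from the thread or from Linode: it parses Apache "combined" log lines, picks out absolute-form and CONNECT requests, tallies them by source IP and target host, and lists any that were answered 2xx/3xx, which would mean the server actually relayed the request. The first sample line is adapted from the log entry in the post (user agent shortened); the remaining lines, the `SAMPLE_LOG` name and the function names are constructed for illustration.

```python
"""Find forward-proxy probes in an Apache combined access log (added example)."""
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input. Line 1 is adapted from the post; the others are made up
# (RFC 5737 test addresses) to show CONNECT probes and a relayed request.
SAMPLE_LOG = """\
199.15.112.172 - - [03/May/2013:12:47:50 +0000] "GET http://godtrck.com/?a=5535&oc=1405&c=7983&s1= HTTP/1.0" 404 7078 "https://mail.google.com/mail/?shva=1#inbox/13157cecaadcf61d" "Mozilla/4.0 (compatible; MSIE 8.0)"
203.0.113.7 - - [03/May/2013:12:47:51 +0000] "GET http://godtrck.com/?a=1 HTTP/1.0" 404 7078 "-" "Mozilla/4.0"
198.51.100.9 - - [03/May/2013:12:48:02 +0000] "CONNECT example.net:443 HTTP/1.1" 405 0 "-" "curl/7.29"
192.0.2.33 - - [03/May/2013:12:48:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2013:12:48:11 +0000] "GET http://example.org/ HTTP/1.0" 200 1256 "-" "Mozilla/4.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")  # %r is "METHOD target PROTOCOL"
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    return rec


def proxy_target_host(method, target):
    """Return the host a proxy-style request was aimed at, or None for a normal request.

    A client talking to the origin server sends an origin-form target ("/path").
    A client talking to a forward proxy sends an absolute-form target
    ("http://host/path") or a CONNECT to "host:port"; both are proxy attempts.
    """
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0] or None
    if target.lower().startswith(("http://", "https://")):
        return urlsplit(target).hostname
    return None


def analyze(log_text):
    """Summarize proxy attempts in the given log text."""
    summary = {
        "total": 0,
        "proxy_attempts": 0,
        "by_ip": Counter(),
        "by_target": Counter(),
        # Proxy attempts answered 2xx/3xx: the server relayed them, i.e. it is an open proxy.
        "served": [],
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        summary["total"] += 1
        host = proxy_target_host(rec["method"], rec["target"])
        if host is None:
            continue
        summary["proxy_attempts"] += 1
        summary["by_ip"][rec["ip"]] += 1
        summary["by_target"][host] += 1
        if 200 <= rec["status"] < 400:
            summary["served"].append((rec["ip"], host, rec["status"]))
    return summary


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = analyze(text)
    print(f"{s['proxy_attempts']} proxy attempts among {s['total']} requests")
    print("top targets:", s["by_target"].most_common(5))
    print("top sources:", s["by_ip"].most_common(5))
    if s["served"]:
        print("RELAYED (server is acting as an open proxy):", s["served"])
    else:
        print("none relayed; the server refused every proxy attempt")
```

Run it as `python3 proxyprobes.py /var/log/httpd/access_log`. The line to look at is the last one: thousands of attempts that all got 404/403/405 are just the noise the reply describes, whereas even one relayed request means the server is forwarding for strangers. On a stock Apache that would require mod_proxy with `ProxyRequests On`, which is not the default, so finding relayed entries on a fresh LAMP install would point to something other than inherited IP reputation.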

Okay, I was worried it was my Drupal site, as I got a lot of errors for missing scripts in that directory. But it turns out that the Drupal site is the default when reaching my server by IP address. So your scenario makes perfect sense. I'll keep an eye out for this happening again, and if it continues I'll request the new IP address. Thanks for the insight and saving me a lot of worry.

Tanner J.

@tannerj:

> Okay, I was worried it was my Drupal site, as I got a lot of errors for missing scripts in that directory. But it turns out that the Drupal site is the default when reaching my server by IP address. So your scenario makes perfect sense. I'll keep an eye out for this happening again, and if it continues I'll request the new IP address. Thanks for the insight and saving me a lot of worry.
>
> Tanner J.

You shouldn't require a new IP address. If it really bothers you that much, just drop the traffic using iptables or something like that.

It doesn't bother me; I was worried my system had been compromised. Also, iptables wouldn't work because it seems to be a public proxy, probably from a site listing multiple proxy servers, so it's random traffic. There were multiple IP addresses, so iptables will likely become an exercise in whack-a-mole. Thanks so much for the response though.

You could default to a go away page.
