Apache has been compromised or is being used as a proxy to attack other systems
I received a message from Sony Interactive Entertainment LLC ("SIE") saying that my server was abusing their services.
I checked and confirmed:
- No one but me can access my server remotely. SSH and all other services accept only my IP; everything else is blocked by the firewall.
- Apache (httpd) has not been hacked; there is no PHP and no active scripts run on my server.
- All logs (system, secure, messages...) are empty or show nothing abnormal,
except the Apache access log, where I found:
77.38.177.177 - - [30/Jun/2017:19:21:48 +0000] "CONNECT auth.api.sonyentertainmentnetwork.com:443 HTTP/1.1" 400 226 "-" "-"
138.201.29.228 - - [30/Jun/2017:19:21:48 +0000] "CONNECT www.stoiximan.gr:443 HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1409.70 Safari/537.36"
94.122.39.35 - - [30/Jun/2017:19:21:49 +0000] "A" 400 226 "-" "-"
77.108.80.2 - - [30/Jun/2017:19:20:48 +0000] "CONNECT artiwell.com:443 HTTP/1.1" 200 - "-" "-"
138.201.19.161 - - [30/Jun/2017:19:21:48 +0000] "CONNECT www.bet-at-home.com:443 HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/17.0.1232.63 Safari/537.36"
77.108.80.2 - - [30/Jun/2017:19:21:48 +0000] "GET http://sea-tools.com.ua/oborudovanie/betonomeshalki/filter/287-k-werk HTTP/1.1" 200 25537 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36"
94.158.152.58 - - [30/Jun/2017:19:21:49 +0000] "A" 400 226 "-" "-"
138.201.19.161 - - [30/Jun/2017:19:21:48 +0000] "GET http://sports.titanbet.com/en/e/5260805/Ansan-Police-v-Ansan-Greeners?mkt_grp_code=TMWIN HTTP/1.1" 200 25023 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.604.118 Safari/537.36"
117.1.114.50 - - [30/Jun/2017:19:21:49 +0000] "GET http://static.doubleclick.net/instream/ad_status.js HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
94.158.152.58 - - [30/Jun/2017:19:21:49 +0000] "CONNECT static.doubleclick.net:443 HTTP/1.0" 200 - "-" "-"
185.71.186.147 - - [30/Jun/2017:19:21:49 +0000] "CONNECT static.sportsinteraction.net:443 HTTP/1.1" 200 - "-" "-"
I had to set the firewall to deny every HTTP request to external servers in order to stop the attack.
I still have some questions I cannot answer:
- Why can someone use my Apache to connect to external servers?
- How did they do it, and how can I fix it without blocking everything with the firewall?
Here is my Apache virtual host configuration:
NameVirtualHost *:80
<Directory "/data/websource">
DirectoryIndex index.html index.php
AllowOverride All
# Allow open access:
Require all granted
</Directory>
<VirtualHost *:80>
ServerName subdomain1.my.domain
DocumentRoot "web_root/subdomain1/source/www"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain1-error.log"
CustomLog "logs/subdomain1-access.log" combined
#turn on proxy
ProxyPreserveHost On
ProxyRequests On
ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1
ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPass /client/ http://xyz.my.other.ip/client/
ProxyPassReverse /client/ http://xyz.my.other.ip/client/
ProxyPass /bbb http://xyz.my.other.ip/
ProxyPassReverse /bbb http://xyz.my.other.ip/
ProxyPass /demo/ http://xyz.my.other.ip/demo/
ProxyPassReverse /demo/ http://xyz.my.other.ip/demo/
ProxyPass /streams.xml http://xyz.my.other.ip/streams.xml
ProxyPassReverse /streams.html http://xyz.my.other.ip/streams.html
ProxyPass /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPassReverse /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPass /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPassReverse /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPass /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPassReverse /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPass /help.html http://xyz.my.other.ip/help.html
ProxyPassReverse /help.html http://xyz.my.other.ip/help.html
ProxyPass /call.php http://www.source/mynglevline/call.php
ProxyPassReverse /call.php http://www.source/mynglevline/call.php
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain2.my.domain
DocumentRoot "web_root/subdomain1/source/admin"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain1-admin-error.log"
CustomLog "logs/subdomain1-admin-access.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain3.my.domain
DocumentRoot "web_root/subdomain3/source/www"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain3-error.log"
CustomLog "logs/subdomain3-access.log" combined
#turn on proxy
ProxyPreserveHost On
ProxyRequests On
ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1
ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPass /client/ http://xyz.my.other.ip/client/
ProxyPassReverse /client/ http://xyz.my.other.ip/client/
ProxyPass /bbb http://xyz.my.other.ip/
ProxyPassReverse /bbb http://xyz.my.other.ip/
ProxyPass /demo/ http://xyz.my.other.ip/demo/
ProxyPassReverse /demo/ http://xyz.my.other.ip/demo/
ProxyPass /streams.xml http://xyz.my.other.ip/streams.xml
ProxyPassReverse /streams.html http://xyz.my.other.ip/streams.html
ProxyPass /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPassReverse /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPass /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPassReverse /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPass /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPassReverse /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPass /help.html http://xyz.my.other.ip/help.html
ProxyPassReverse /help.html http://xyz.my.other.ip/help.html
ProxyPass /call.php http://www.source/mynglevline/call.php
ProxyPassReverse /call.php http://www.source/mynglevline/call.php
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain4.my.domain
DocumentRoot "web_root/subdomain3/source/admin"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain3-admin-error.log"
CustomLog "logs/subdomain3-admin-access.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain5.my.domain
DocumentRoot "web_root/subdomain5/source/www"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/release-error.log"
CustomLog "logs/release-access.log" combined
#turn on proxy
ProxyPreserveHost On
ProxyRequests On
ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1
ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPass /client/ http://xyz.my.other.ip/client/
ProxyPassReverse /client/ http://xyz.my.other.ip/client/
ProxyPass /bbb http://xyz.my.other.ip/
ProxyPassReverse /bbb http://xyz.my.other.ip/
ProxyPass /demo/ http://xyz.my.other.ip/demo/
ProxyPassReverse /demo/ http://xyz.my.other.ip/demo/
ProxyPass /streams.xml http://xyz.my.other.ip/streams.xml
ProxyPassReverse /streams.html http://xyz.my.other.ip/streams.html
ProxyPass /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPassReverse /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPass /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPassReverse /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPass /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPassReverse /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPass /help.html http://xyz.my.other.ip/help.html
ProxyPassReverse /help.html http://xyz.my.other.ip/help.html
ProxyPass /call.php http://www.source/mynglevline/call.php
ProxyPassReverse /call.php http://www.source/mynglevline/call.php
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain6.my.domain
DocumentRoot "web_root/subdomain5/source/admin"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain5-admin-error.log"
CustomLog "logs/subdomain5-admin-access.log" combined
</VirtualHost>
ProxyRequests On
That is your problem. Quoting Apache's mod_proxy documentation:
Warning
Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.
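The following script is an added example and is not code from the question or the answer. It covers both points made on this page: it parses access-log lines of the shape quoted in the question and separates forward-proxy use (CONNECT tunnels and requests for absolute URIs such as "GET http://other.host/...") from ordinary requests for the server's own paths, and it scans an Apache configuration fragment for the "ProxyRequests On" directive the answer identifies as the cause. The sample log and vhost fragments are constructed; the first four log lines reuse the hosts and client addresses quoted in the question, and the last one (203.0.113.10 requesting /bigbluebutton/api) is an invented legitimate request added as a negative case. It relies on the fact that ProxyPass/ProxyPassReverse (reverse proxying) keep working with ProxyRequests Off, so on a server that only reverse-proxies, every "ProxyRequests On" is unnecessary.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format. The first four lines
# follow the lines quoted in the question; the last is a constructed normal
# request for a reverse-proxied path on the server itself.
SAMPLE_LOG = """\
77.38.177.177 - - [30/Jun/2017:19:21:48 +0000] "CONNECT auth.api.sonyentertainmentnetwork.com:443 HTTP/1.1" 400 226 "-" "-"
138.201.29.228 - - [30/Jun/2017:19:21:48 +0000] "CONNECT www.stoiximan.gr:443 HTTP/1.1" 200 - "-" "Mozilla/5.0"
94.122.39.35 - - [30/Jun/2017:19:21:49 +0000] "A" 400 226 "-" "-"
77.108.80.2 - - [30/Jun/2017:19:21:48 +0000] "GET http://sea-tools.com.ua/oborudovanie/betonomeshalki/filter/287-k-werk HTTP/1.1" 200 25537 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Jun/2017:19:22:01 +0000] "GET /bigbluebutton/api HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# client, ident, user, [time], "request", status, size (rest of the line ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(request):
    """Classify the request line of one access-log entry.

    'connect'      -> CONNECT host:port      (TLS tunnel through a forward proxy)
    'absolute_uri' -> GET http://other/...   (plain-HTTP forward-proxy use)
    'origin'       -> GET /path              (normal request for this server)
    'malformed'    -> anything not shaped "METHOD target HTTP/x.y"
    """
    parts = request.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "malformed"
    method, target, _ = parts
    if method.upper() == "CONNECT":
        return "connect"
    if re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", target):
        return "absolute_uri"
    return "origin"


def proxy_target(request):
    """Host the client asked the proxy to reach, or None for origin requests."""
    kind = classify_request(request)
    if kind == "connect":
        return request.split()[1].rsplit(":", 1)[0]
    if kind == "absolute_uri":
        return re.sub(r"^[^:]+://", "", request.split()[1]).split("/", 1)[0]
    return None


def forward_proxy_summary(log_text):
    """Count request kinds and collect the clients and destination hosts
    involved in forward-proxy use. On a server meant to be a reverse proxy
    only, a non-empty 'abusing_clients' set is the signal to act on."""
    kinds = Counter()
    clients, hosts = set(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m["request"])
        kinds[kind] += 1
        if kind in ("connect", "absolute_uri"):
            clients.add(m["ip"])
            hosts.add(proxy_target(m["request"]))
    return {"kinds": dict(kinds), "abusing_clients": clients, "proxied_hosts": hosts}


PROXY_REQUESTS_RE = re.compile(r"^\s*ProxyRequests\s+(\S+)", re.IGNORECASE)


def open_proxy_lines(config_text):
    """1-based line numbers of every 'ProxyRequests On' in an Apache config.
    ProxyPass / ProxyPassReverse keep working with ProxyRequests Off, so on a
    reverse-proxy-only server each hit is a misconfiguration to remove."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = PROXY_REQUESTS_RE.match(line)
        if m and m.group(1).lower() == "on":
            hits.append(no)
    return hits


# Constructed vhost fragment with the weak setting, and its corrected form.
VHOST_OPEN_PROXY = """\
<VirtualHost *:80>
    ServerName subdomain1.my.domain
    ProxyPreserveHost On
    ProxyRequests On
    ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
    ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
</VirtualHost>
"""
VHOST_FIXED = VHOST_OPEN_PROXY.replace("ProxyRequests On", "ProxyRequests Off")

if __name__ == "__main__":
    print(forward_proxy_summary(SAMPLE_LOG))
    print("open-proxy directives at lines:", open_proxy_lines(VHOST_OPEN_PROXY))
    print("after fix:", open_proxy_lines(VHOST_FIXED))
```

Run against a real access log, the script reports every client that used the server as a forward proxy and every host it was used to reach, which is the list to hand to the abuse report; run against httpd.conf and the vhost files, it points at each "ProxyRequests On" to turn off, after which the ProxyPass rules for the BigBlueButton paths continue to work unchanged.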