I have an old computer I use just to serve up some files. It's running XP SP2 with all patches, ZoneAlarm, Apache 2.0.52 and PHP 4.3.9. It sits behind a standard router with NAT on port 80.
Yesterday I logged in via Remote Desktop to grab a file. I zipped it and put it in the htdocs folder so I could download it. Then by chance I happened to browse the Apache logs. I saw that right after I downloaded the file (that I had just put on the server), some other IP downloaded it also. Looking at the logs I see this IP has done that a few times and has also looked at some pics and files I have on there.
Here's part of the log:
my ip. - - - - - - [22/Apr/2006:19:50:32 -0400] "GET /12345.zip HTTP/1.1" 200 689683
65.160.238.180 - - [22/Apr/2006:19:50:32 -0400] "GET /12345.zip HTTP/1.1" 200 689683
The machine isn't used for anything else, although on occasion I have logged in so I can web browse to sites that I can't get to at work. When I do that I use Portable Firefox that's on the machine.
I haven't had time to go physically access the machine and run a virus scan.
So, is this box hackd? Trojan? Virii? Apache/PHP hackd?
my webserver hacked?
Look at the times: the other IP appears to be downloading at exactly the same time that you are (however, you did say that the same IP downloaded the file multiple times, later on).
This makes me think that the IP could be tied to your ISP in some way, or part of the network system you were using to download the file, some clever load balancing proxy or something.
How was the file password protected? .htaccess password protection, or some clever PHP system? Or a ruleset in your router's NAT firewall (or ZoneAlarm)?
Hope this helps a bit.
-
- Posts: 4755
- Joined: Mon Oct 22, 2001 7:00 am
If I'm not mistaken, that IP is in the RIPE range, which should always be in your blocked ACLs or firewall rules. Unless you actually are one of those filthy Dutchees that infiltrate this place from time to time.
Edit: I was wrong. Try blocking the IP address with an exception rule or ACL, and see what happens.
Last edited by Underpants? on Mon Apr 24, 2006 2:14 am, edited 1 time in total.
OK, here's what I found so far:
I imported the log into Excel and sorted the data so I could compare what that IP was doing with what I was doing. So far it looks like most of the time the log shows it was 'mirroring' some of my accesses (when I download or look at a file). It doesn't do it all the time, only occasionally or randomly. There were a few times the IP would access the same picture directly (like it was bookmarked); this seemed to be at random times, and the pic was just some old BF2 screenshot.
My files aren't password protected; there is no .htaccess set up. I just use a blank .htm file to stop directory listing. Since it's Apache on XP, there is no chmoding.
I'm wondering if this is something with ZoneAlarm's security? Or my ISP (Comcast)?
I have since blocked that IP, and ran a Trend Micro online scan which found nothing.
Edit: I didn't see any unusual ports open.
Yes, the file did exist.
I logged into the server via Remote Desktop, zipped up a file I had that wasn't in 'htdocs', moved it to 'htdocs', downloaded it in less than 30 seconds, then deleted the file from the webserver's 'htdocs'.
I just happened to check the logs after that and noticed the duplicate download.
The log shows "HTTP/1.1" 200 689683, which means the file (689 KB) was actually downloaded by that IP.
That file only existed on the webserver for about a minute.
In the logs you'll see these scripts trying to find invalid files on your server.
Yeah, my logs are infested with tons of script hack attempts, which is probably normal.

Run a tracert -d <ip> from your remote computer (work?) to your home server and to that 65.160.238.180 IP, and from the other way round (if possible).
The key here is to find out if that IP is on the same ISP as you, part of your ISP (ISP cache), or it could even be from another computer on your work connection (which would imply a cache at work).
Otherwise your work might use an off-site caching proxy similar to Google Web Accel.
The second-last hop from here:
Name: sprint-204-94-86-30.smf.ragingwire.net
IP Address: 204.94.86.30
Location: Sacramento (38.583N, 121.494W)
Registrant:
RagingWire Telecommunications, Inc
PO Box 348060
Sacramento, CA 95834-8060
US
http://www.ragingwire.com/
I tried using tracert from work, but everything times out. Here's what I found though:
My work uses a ZyWall2 router with active content filtering from cerberian.com. It seems Cerberian keeps a database of sites and allows employers to block sites based on categories (pr0n, gambling, etc.), depending on what the employer wants. If the site isn't in their database it 'checks' the site somehow and reports back to the employer's router. Sometimes surfing at work we get a 'site timed out' message from the router which isn't your standard 404 error. I'm guessing this may be the source of my hax attempts?
This is from Cerberian:
The User Requests a Page
When using a web browser to request a URL, the browser sends that request out over the local network and starts the following process:
1. The agent device intercepts a web request from its local network.
2. The agent sends a request to a Blue Coat Service Point to have the URL categorized.
3. At the same time as step 2, the agent sends a request to the target web server (the origin server) requesting the content of the page.
4. The Service Point looks up the rating of the requested URL. If necessary, the Service Point will request a rating from the Dynamic Real-Time Rating (DRTR) service.
5. The Service Point returns an "allow" or "deny" message to the agent.
6. The agent either allows the incoming page through to the user, or it sends the user a block page describing the reason for denying access to the page.
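As an added example (not from this thread or from Cerberian/Blue Coat), the comparison the poster did by hand in Excel, done programmatically: parse Apache common-format log lines and flag requests from another IP that repeat one of your own within a few seconds, which is exactly the trace that step 3 above (the agent fetching the origin page in parallel with the rating lookup) leaves in the origin server's log. The log lines are constructed: 192.0.2.10 stands in for the poster's own address and 203.0.113.7 is a made-up scanner; 65.160.238.180 is the IP from the thread.

```python
import re
from datetime import datetime

# Apache common log format: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log; 192.0.2.10 stands in for the poster's own address.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Apr/2006:19:50:32 -0400] "GET /12345.zip HTTP/1.1" 200 689683
65.160.238.180 - - [22/Apr/2006:19:50:32 -0400] "GET /12345.zip HTTP/1.1" 200 689683
203.0.113.7 - - [22/Apr/2006:19:52:01 -0400] "GET /phpmyadmin/main.php HTTP/1.0" 404 294
192.0.2.10 - - [22/Apr/2006:20:01:10 -0400] "GET /shots/bf2.jpg HTTP/1.1" 200 151204
65.160.238.180 - - [22/Apr/2006:20:01:13 -0400] "GET /shots/bf2.jpg HTTP/1.1" 200 151204
65.160.238.180 - - [23/Apr/2006:03:14:05 -0400] "GET /shots/bf2.jpg HTTP/1.1" 200 151204
""".splitlines()

def parse_line(line):
    """One common-format line -> dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d

def find_shadow_requests(lines, my_ip, window=5):
    """(path, other_ip, delay_s) for each request from another IP that repeats
    one of my_ip's (same path, status and byte count) within `window` seconds."""
    entries = [e for e in map(parse_line, lines) if e]
    mine = [e for e in entries if e["ip"] == my_ip]
    hits = []
    for e in entries:
        if e["ip"] == my_ip:
            continue
        for m in mine:
            delay = (e["time"] - m["time"]).total_seconds()
            if ((e["path"], e["status"], e["bytes"]) == (m["path"], m["status"], m["bytes"])
                    and 0 <= delay <= window):
                hits.append((e["path"], e["ip"], delay))
                break
    return hits

def shadow_summary(lines, my_ip, other_ip, window=5):
    """(mirrored, total): how many of other_ip's requests shadow mine vs. stand alone."""
    mirrored = sum(1 for _, ip, _ in find_shadow_requests(lines, my_ip, window) if ip == other_ip)
    total = sum(1 for e in map(parse_line, lines) if e and e["ip"] == other_ip)
    return mirrored, total
```

A full-size 200 repeated within the window means the other party really fetched the file rather than just probing for it; the stand-alone fetch on the next day is the 'bookmarked' pattern the poster noticed and is not counted as a shadow.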