Linode Community Forums
PostPosted: Fri May 03, 2013 9:43 am 
Newbie

Joined: Fri May 03, 2013 9:27 am
Posts: 4
Hey All,

I had a WordPress site and a Drupal site on the AWS free tier that I moved over to Linode yesterday. I've installed a basic LAMP stack and nothing else on a CentOS box. Both are very low-traffic sites, and last night I got a warning about a CPU spike; looking at my httpd access_log there are ~113000 entries for a single night. Looking at the entries, there are a lot of GET requests to random sites. I'm pretty sure something somewhere is compromised. Where should I start cleaning this up? The most frequent entries were for http://godtrck.com. Here is an example:

199.15.112.172 - - [03/May/2013:12:47:50 +0000] "GET http://godtrck.com/?a=5535&oc=1405&c=7983&s1= HTTP/1.0" 404 7078 "https://mail.google.com/mail/?shva=1#inbox/13157cecaadcf61d" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E; Zune 4.7; InfoPath.3)"

Anyone ever heard of this, am I missing something?

Thanks.

Tanner J.


PostPosted: Fri May 03, 2013 10:06 am 
Newbie

Joined: Fri May 03, 2013 9:27 am
Posts: 4
A little more info:

In /var/log/httpd/error_log I've got ~70,000 "File does not exist" errors scanning all of my /var/www/html/ subdirectories. Does this spike in traffic mean I've been compromised, or could someone have just been probing my server? Looking at the Linode Manager, I had an hour-and-a-half spike that has now fallen off.

Thanks.


PostPosted: Fri May 03, 2013 10:15 am 
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
It's possible that someone else had that IP address, previously, and they had an open proxy. Entries in the log of "GET http://other.site" are attempts to use your server as a proxy. The 404 response is your server telling 'em to go away.

If the activity continues then raise a ticket to linode staff asking for a new IP address and explain why.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


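The distinction Stephen draws (an absolute-form request line such as "GET http://other.site/..." is a client asking your server to act as a forward proxy, and the 404 is the server declining) is easy to check mechanically. The script below is an added example written for this thread, not code from any poster or from Linode: it parses Apache "combined" access-log lines, counts proxy-style requests by client IP, target host and response status, and answers the question that actually matters for the original poster, namely whether any such request was ever answered with a 2xx/3xx (which would mean the box really is relaying). The sample log is constructed: the first line is the entry quoted above with its user-agent shortened, the others use RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): line 1 is the entry quoted in the
# thread with a shortened user-agent; the rest are made up with RFC 5737 addresses.
SAMPLE_LOG = """\
199.15.112.172 - - [03/May/2013:12:47:50 +0000] "GET http://godtrck.com/?a=5535&oc=1405&c=7983&s1= HTTP/1.0" 404 7078 "https://mail.google.com/mail/?shva=1#inbox/13157cecaadcf61d" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
203.0.113.7 - - [03/May/2013:12:48:01 +0000] "GET http://godtrck.com/?a=5535&oc=1405 HTTP/1.0" 404 7078 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2013:12:48:03 +0000] "GET http://example.net/ HTTP/1.1" 404 7078 "-" "Mozilla/5.0"
198.51.100.20 - - [03/May/2013:12:49:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # %r is "METHOD target PROTOCOL"; a malformed request line yields empty fields
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if len(parts) > 0 else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    return rec


def is_proxy_attempt(target):
    """True when the request target is in absolute form (http://host/...).

    A client talking to an origin server sends "/path"; only a client that
    believes it is talking to a forward proxy sends a third party's full URL.
    Such a line therefore records an attempt to relay through this server."""
    t = target.lower()
    return t.startswith("http://") or t.startswith("https://")


def summarize(lines):
    """Count proxy-style requests by client IP, target host and response status."""
    by_ip, by_host, by_status = Counter(), Counter(), Counter()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if not is_proxy_attempt(rec["target"]):
            continue
        by_ip[rec["ip"]] += 1
        by_host[urlsplit(rec["target"]).hostname or "?"] += 1
        by_status[rec["status"]] += 1
    return {
        "parsed": parsed,
        "proxy_attempts": sum(by_ip.values()),
        "by_ip": by_ip,
        "by_host": by_host,
        "by_status": by_status,
    }


def relayed_anything(summary):
    """The check that matters: was any proxy-style request answered 2xx/3xx?

    404 (or 403) means Apache refused and served the path from the default
    vhost's document root instead, where it does not exist.  A 2xx/3xx on an
    absolute-form request would mean the server really fetched the remote
    site, i.e. it is an open proxy."""
    return any(s.startswith(("2", "3")) for s in summary["by_status"])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print("parsed lines:", report["parsed"])
    print("proxy attempts:", report["proxy_attempts"])
    print("top client IPs:", report["by_ip"].most_common(5))
    print("targets:", report["by_host"].most_common(5))
    print("statuses:", dict(report["by_status"]))
    print("open proxy in use:", relayed_anything(report))
```

Run it against the real file with `summarize(open("/var/log/httpd/access_log").read().splitlines())`; the per-IP counts show whether the traffic is one misconfigured client or, as the poster later concluded, many unrelated clients working from a public proxy list, and `relayed_anything` is the one result that should ever be True only if something is genuinely wrong.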
PostPosted: Fri May 03, 2013 10:38 am 
Newbie

Joined: Fri May 03, 2013 9:27 am
Posts: 4
Okay, I was worried it was my Drupal site as I got a lot of errors for missing scripts in that directory. But it turns out that the Drupal site is the default when reaching my server by IP address, so your scenario makes perfect sense. I'll keep an eye out for this happening again, and if it continues I'll request the new IP address. Thanks for the insight and for saving me a lot of worry.

Tanner J.


PostPosted: Fri May 03, 2013 10:41 am 
Junior Member

Joined: Fri May 04, 2012 8:57 pm
Posts: 49
tannerj wrote:
Okay, I was worried it was my Drupal site as I got a lot of errors for missing scripts in that directory. But it turns out that the Drupal site is the default when reaching my server by IP address, so your scenario makes perfect sense. I'll keep an eye out for this happening again, and if it continues I'll request the new IP address. Thanks for the insight and for saving me a lot of worry.

Tanner J.



You shouldn't require a new IP address... if it really bothers you that much, just drop the traffic using iptables or something like that.

_________________
me | voltaireMC


PostPosted: Fri May 03, 2013 1:08 pm 
Newbie

Joined: Fri May 03, 2013 9:27 am
Posts: 4
It doesn't bother me; I was worried my system had been compromised. Also, iptables wouldn't work because it seems to be a public proxy... probably from a site listing multiple proxy servers, therefore it's random traffic. There were multiple IP addresses, so iptables will likely become an exercise in whack-a-mole. Thanks so much for the response though.


PostPosted: Fri May 03, 2013 2:54 pm 
Senior Member

Joined: Fri Dec 11, 2009 7:09 pm
Posts: 168
You could default to a go away page.

_________________
--
Chris Bryant


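Chris's "go away page" is a default virtual host that catches everything not addressed to one of the real sites by name: requests to the bare IP, unknown Host headers and the absolute-URI proxy attempts from the thread all land there instead of in the Drupal document root, so they stop producing "File does not exist" noise in error_log and can be logged on their own. The fragment below is an added example, not configuration from any poster or from Linode. It assumes Apache 2.2 (the CentOS 6 era this thread dates from; the poster never names a version), and the hostnames and paths under /var/www are placeholders.

```apacheconf
# Added example: default "go away" vhost for an Apache 2.2 LAMP box.
# Hostnames (*.invalid) and document roots are placeholders.

# Belt and braces: never act as a forward proxy, even if mod_proxy is loaded.
ProxyRequests Off

NameVirtualHost *:80

# The first VirtualHost is the default.  Anything that does not match a
# later ServerName (bare-IP hits, bogus Host headers, "GET http://..." proxy
# probes) ends up here and is refused from an empty directory.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/goaway
    <Directory /var/www/goaway>
        Order allow,deny
        Deny from all
        # Apache 2.4 would use: Require all denied
    </Directory>
    # Keep the refused traffic in its own log so a spike is easy to spot
    # and the real sites' logs stay clean.
    CustomLog /var/log/httpd/goaway_access_log combined
    ErrorLog  /var/log/httpd/goaway_error_log
</VirtualHost>

# Real sites follow and are reachable only by their names.
<VirtualHost *:80>
    ServerName www.drupal-site.invalid
    DocumentRoot /var/www/html/drupal
</VirtualHost>

<VirtualHost *:80>
    ServerName www.wordpress-site.invalid
    DocumentRoot /var/www/html/wordpress
</VirtualHost>
```

After a `service httpd restart`, the proxy probes should appear in goaway_access_log as 403s rather than as 404s in the Drupal site's log; if any absolute-URI request is ever answered with a 200 instead, that, not the volume of probes, is the sign that something is actually wrong.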