Tags: apache, proxy, reverse-proxy, http-proxy

Apache has been compromised or is being used as a proxy to attack other systems


I received a message from Sony Interactive Entertainment LLC ("SIE") saying my server is being abusive to their services.

I checked and made sure:

  1. No one gets remote access to my server except me. SSH and all other services only accept my IP; everything else is blocked by the firewall.
  2. Apache (httpd) has not been hacked; no PHP or any other active script is running on my server.
  3. All logs (system, secure, messages, ...) are empty or don't have anything strange in them.

Except for the Apache access log, where I found:

77.38.177.177 - - [30/Jun/2017:19:21:48 +0000] "CONNECT auth.api.sonyentertainmentnetwork.com:443 HTTP/1.1" 400 226 "-" "-"
138.201.29.228 - - [30/Jun/2017:19:21:48 +0000] "CONNECT www.stoiximan.gr:443 HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1409.70 Safari/537.36"
94.122.39.35 - - [30/Jun/2017:19:21:49 +0000] "A" 400 226 "-" "-"
77.108.80.2 - - [30/Jun/2017:19:20:48 +0000] "CONNECT artiwell.com:443 HTTP/1.1" 200 - "-" "-"
138.201.19.161 - - [30/Jun/2017:19:21:48 +0000] "CONNECT www.bet-at-home.com:443 HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/17.0.1232.63 Safari/537.36"
77.108.80.2 - - [30/Jun/2017:19:21:48 +0000] "GET http://sea-tools.com.ua/oborudovanie/betonomeshalki/filter/287-k-werk HTTP/1.1" 200 25537 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36"
94.158.152.58 - - [30/Jun/2017:19:21:49 +0000] "A" 400 226 "-" "-"
138.201.19.161 - - [30/Jun/2017:19:21:48 +0000] "GET http://sports.titanbet.com/en/e/5260805/Ansan-Police-v-Ansan-Greeners?mkt_grp_code=TMWIN HTTP/1.1" 200 25023 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.604.118 Safari/537.36"
117.1.114.50 - - [30/Jun/2017:19:21:49 +0000] "GET http://static.doubleclick.net/instream/ad_status.js HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
94.158.152.58 - - [30/Jun/2017:19:21:49 +0000] "CONNECT static.doubleclick.net:443 HTTP/1.0" 200 - "-" "-"
185.71.186.147 - - [30/Jun/2017:19:21:49 +0000] "CONNECT static.sportsinteraction.net:443 HTTP/1.1" 200 - "-" "-"

I had to set the firewall to reject every HTTP request to external servers to terminate that attack.

But I still have some unanswered questions:

  1. Why can someone use my Apache to connect to external servers?
  2. How can they do that? How do I stop this issue without using the firewall to block everything?

Below is my Apache virtual host configuration:

NameVirtualHost *:80

<Directory "/data/websource">
    DirectoryIndex index.html index.php
    AllowOverride All
    # Allow open access:
    Require all granted
</Directory>
<VirtualHost *:80>
    ServerName subdomain1.my.domain
    DocumentRoot "web_root/subdomain1/source/www"
    ServerAdmin postmaster@dummy-host2.localhost
    ErrorLog "logs/subdomain1-error.log"
    CustomLog "logs/subdomain1-access.log" combined

    #turn on proxy

    ProxyPreserveHost On
    ProxyRequests On

    ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
    ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1

    ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
    ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/

    ProxyPass /client/ http://xyz.my.other.ip/client/
    ProxyPassReverse /client/ http://xyz.my.other.ip/client/

    ProxyPass /bbb http://xyz.my.other.ip/
    ProxyPassReverse /bbb http://xyz.my.other.ip/

    ProxyPass /demo/ http://xyz.my.other.ip/demo/
    ProxyPassReverse /demo/ http://xyz.my.other.ip/demo/

    ProxyPass /streams.xml http://xyz.my.other.ip/streams.xml
    ProxyPassReverse /streams.html http://xyz.my.other.ip/streams.html

    ProxyPass /testjava.html http://xyz.my.other.ip/testjava.html
    ProxyPassReverse /testjava.html http://xyz.my.other.ip/testjava.html

    ProxyPass /myngleapi/ http://xyz.my.other.ip/myngleapi/
    ProxyPassReverse /myngleapi/ http://xyz.my.other.ip/myngleapi/

    ProxyPass /myngleapi http://xyz.my.other.ip/myngleapi
    ProxyPassReverse /myngleapi http://xyz.my.other.ip/myngleapi

    ProxyPass /help.html http://xyz.my.other.ip/help.html
    ProxyPassReverse /help.html http://xyz.my.other.ip/help.html

    ProxyPass /call.php http://www.source/mynglevline/call.php
    ProxyPassReverse /call.php http://www.source/mynglevline/call.php

</VirtualHost>
<VirtualHost *:80>
    ServerName subdomain2.my.domain
    DocumentRoot "web_root/subdomain1/source/admin"
    ServerAdmin postmaster@dummy-host2.localhost
    ErrorLog "logs/subdomain1-admin-error.log"
    CustomLog "logs/subdomain1-admin-access.log" combined

</VirtualHost>
<VirtualHost *:80>
    ServerName subdomain3.my.domain
    DocumentRoot "web_root/subdomain3/source/www"
    ServerAdmin postmaster@dummy-host2.localhost
    ErrorLog "logs/subdomain3-error.log"
    CustomLog "logs/subdomain3-access.log" combined

    #turn on proxy

    ProxyPreserveHost On
    ProxyRequests On

    ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
    ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1

    ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
    ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/

    ProxyPass /client/ http://xyz.my.other.ip/client/
    ProxyPassReverse /client/ http://xyz.my.other.ip/client/

    ProxyPass /bbb http://xyz.my.other.ip/
    ProxyPassReverse /bbb http://xyz.my.other.ip/

    ProxyPass /demo/ http://xyz.my.other.ip/demo/
    ProxyPassReverse /demo/ http://xyz.my.other.ip/demo/

    ProxyPass /streams.xml http://xyz.my.other.ip/streams.xml
    ProxyPassReverse /streams.html http://xyz.my.other.ip/streams.html

    ProxyPass /testjava.html http://xyz.my.other.ip/testjava.html
    ProxyPassReverse /testjava.html http://xyz.my.other.ip/testjava.html

    ProxyPass /myngleapi/ http://xyz.my.other.ip/myngleapi/
    ProxyPassReverse /myngleapi/ http://xyz.my.other.ip/myngleapi/

    ProxyPass /myngleapi http://xyz.my.other.ip/myngleapi
    ProxyPassReverse /myngleapi http://xyz.my.other.ip/myngleapi

    ProxyPass /help.html http://xyz.my.other.ip/help.html
    ProxyPassReverse /help.html http://xyz.my.other.ip/help.html

    ProxyPass /call.php http://www.source/mynglevline/call.php
    ProxyPassReverse /call.php http://www.source/mynglevline/call.php

</VirtualHost>
<VirtualHost *:80>
    ServerName subdomain4.my.domain
    DocumentRoot "web_root/subdomain3/source/admin"
    ServerAdmin postmaster@dummy-host2.localhost
    ErrorLog "logs/subdomain3-admin-error.log"
    CustomLog "logs/subdomain3-admin-access.log" combined

</VirtualHost>
<VirtualHost *:80>
    ServerName subdomain5.my.domain
    DocumentRoot "web_root/subdomain5/source/www"
    ServerAdmin postmaster@dummy-host2.localhost
    ErrorLog "logs/release-error.log"
    CustomLog "logs/release-access.log" combined

    #turn on proxy

    ProxyPreserveHost On
    ProxyRequests On

    ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
    ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1

    ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
    ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/

    ProxyPass /client/ http://xyz.my.other.ip/client/
    ProxyPassReverse /client/ http://xyz.my.other.ip/client/

    ProxyPass /bbb http://xyz.my.other.ip/
    ProxyPassReverse /bbb http://xyz.my.other.ip/

    ProxyPass /demo/ http://xyz.my.other.ip/demo/
    ProxyPassReverse /demo/ http://xyz.my.other.ip/demo/

    ProxyPass /streams.xml http://xyz.my.other.ip/streams.xml
    ProxyPassReverse /streams.html http://xyz.my.other.ip/streams.html

    ProxyPass /testjava.html http://xyz.my.other.ip/testjava.html
    ProxyPassReverse /testjava.html http://xyz.my.other.ip/testjava.html

    ProxyPass /myngleapi/ http://xyz.my.other.ip/myngleapi/
    ProxyPassReverse /myngleapi/ http://xyz.my.other.ip/myngleapi/

    ProxyPass /myngleapi http://xyz.my.other.ip/myngleapi
    ProxyPassReverse /myngleapi http://xyz.my.other.ip/myngleapi

    ProxyPass /help.html http://xyz.my.other.ip/help.html
    ProxyPassReverse /help.html http://xyz.my.other.ip/help.html

    ProxyPass /call.php http://www.source/mynglevline/call.php
    ProxyPassReverse /call.php http://www.source/mynglevline/call.php

</VirtualHost>
<VirtualHost *:80>
    ServerName subdomain6.my.domain
    DocumentRoot "web_root/subdomain5/source/admin"
    ServerAdmin postmaster@dummy-host2.localhost
    ErrorLog "logs/subdomain5-admin-error.log"
    CustomLog "logs/subdomain5-admin-access.log" combined

</VirtualHost>
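The access-log lines above are the evidence that Apache is acting as a forward proxy: CONNECT requests and GET requests for a full third-party URL are only meaningful to a proxy, and a 2xx status means Apache actually served them. The script below is an added example, not code from the original post or from Apache; it classifies combined-format log lines and reports, per client, how many forward-proxy requests were seen and how many were served. The sample log is constructed from the lines in the question plus one ordinary request for contrast.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the access-log lines quoted in the question,
# plus one ordinary request (10.0.0.5) for contrast.
SAMPLE_LOG = """\
77.38.177.177 - - [30/Jun/2017:19:21:48 +0000] "CONNECT auth.api.sonyentertainmentnetwork.com:443 HTTP/1.1" 400 226 "-" "-"
77.108.80.2 - - [30/Jun/2017:19:20:48 +0000] "CONNECT artiwell.com:443 HTTP/1.1" 200 - "-" "-"
77.108.80.2 - - [30/Jun/2017:19:21:48 +0000] "GET http://sea-tools.com.ua/oborudovanie/betonomeshalki/filter/287-k-werk HTTP/1.1" 200 25537 "-" "Mozilla/5.0"
94.122.39.35 - - [30/Jun/2017:19:21:49 +0000] "A" 400 226 "-" "-"
10.0.0.5 - - [30/Jun/2017:19:22:00 +0000] "GET /classroom1/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identd, user, [timestamp] "request line" status bytes ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def classify(line):
    """Return (client_ip, kind, status) or None; kind is connect, absolute-uri, malformed or origin."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, status = m.group("ip"), int(m.group("status"))
    parts = m.group("req").split(" ")
    if len(parts) != 3:
        return ip, "malformed", status            # e.g. the bare "A" probe lines
    method, target, _version = parts
    if method == "CONNECT":
        return ip, "connect", status              # tunnel request: only a forward proxy honours it
    if urlsplit(target).scheme in ("http", "https"):
        return ip, "absolute-uri", status         # full URL to a third-party host: forward-proxy use
    return ip, "origin", status                   # normal request for a path on this server

def proxy_abuse_report(log_text):
    """Per client: forward-proxy requests seen, and how many Apache actually served (2xx)."""
    report = {}
    for line in log_text.splitlines():
        res = classify(line)
        if res is None or res[1] in ("origin", "malformed"):
            continue
        ip, _kind, status = res
        entry = report.setdefault(ip, {"requests": 0, "served": 0})
        entry["requests"] += 1
        if 200 <= status < 300:
            entry["served"] += 1
    return report

if __name__ == "__main__":
    for ip, counts in proxy_abuse_report(SAMPLE_LOG).items():
        print(ip, counts)
```

Any client with a non-zero "served" count is proof the proxy was open, which is exactly what SIE's abuse report describes.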

Solution

  • ProxyRequests On

    This is your problem. Quoting from Apache's mod_proxy documentation:

    Warning

    Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.
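The reverse-proxy mappings in the question (ProxyPass and ProxyPassReverse) work without ProxyRequests; that directive only enables forward proxying, and with no <Proxy> access control it makes every such vhost an open proxy. The audit below is an added example, not code from the answer or from Apache: it walks each <VirtualHost> block, flags those with ProxyRequests On, and shows the minimal fix of turning it Off. The sample config is a constructed excerpt modelled on the question's vhosts with its placeholder hostnames.

```python
import re

# Constructed sample modelled on two of the vhosts in the question (placeholder hostnames).
SAMPLE_CONFIG = """\
<VirtualHost *:80>
    ServerName subdomain1.my.domain
    #turn on proxy
    ProxyPreserveHost On
    ProxyRequests On
    ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
    ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1
</VirtualHost>
<VirtualHost *:80>
    ServerName subdomain2.my.domain
    DocumentRoot "web_root/subdomain1/source/admin"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")

def directives(block):
    """Yield (name, value) per directive line; Apache directive names are case-insensitive."""
    for line in block.splitlines():
        if line.lstrip().startswith("#"):          # comments occupy whole lines in httpd.conf
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)

def audit_vhosts(config_text):
    """One finding per VirtualHost: is forward proxying on, and how many ProxyPass rules exist."""
    findings = []
    for block in VHOST_RE.findall(config_text):
        name, forward, proxy_pass = "(no ServerName)", False, 0
        for key, value in directives(block):
            if key == "servername":
                name = value
            elif key == "proxyrequests":
                forward = value.strip().lower() == "on"
            elif key == "proxypass":
                proxy_pass += 1
        findings.append({"server": name, "open_forward_proxy": forward, "proxypass_rules": proxy_pass})
    return findings

def harden(config_text):
    """Flip ProxyRequests to Off; the ProxyPass/ProxyPassReverse mappings keep working."""
    return re.sub(r"(?im)^([ \t]*ProxyRequests[ \t]+)On[ \t]*$", r"\1Off", config_text)
```

Run audit_vhosts on the real httpd.conf (and any files it Includes) before and after harden to confirm no vhost still reports open_forward_proxy.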