Koozali.org: home of the SME Server

!!! Alarm !!!

wyron
!!! Alarm !!!
« on: April 16, 2004, 11:31:02 AM »
I just came across this entry, sitting snugly all by itself in my httpd/access-log:
www.ideast.dk 66.196.90.210 - - [15/Apr/2004:01:23:14 +0200] "GET /dfbaarup/fgskregler.shtml HTTP/1.0" 200 3986 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

My server took nearly ten minutes to generate this one entry.
How am I compromised?
Can httpd-access really be used for smtp, or what is the purpose of this abuse?
. . Not to mention - what do I do about it?
Is there any fight-back possibility?
Greetings
wyron
...

wyron
!!! Alarm !!!
« Reply #1 on: April 16, 2004, 01:00:43 PM »
This is what I've done so far:
I noted that upload was running on max.
So first of all I restarted httpd.
Within five minutes, the upload was back to max.
It might have been a legit user uploading from my contribs 'mirror' so I let it run while I overviewed MRTG.
The max upload started shortly before midnight (GMT+1) consistent with intelligible entries in a couple of logs.
So - just 10 minutes ago (12:40 PM GMT+1) I disabled execution of dynamic contents in ibays and restarted httpd again.
That did it!
It is now relatively peaceful on my WAN for the present.
But it's not a lasting situation.
There must be some weakness in system reactions to execution of dynamic contents !
I really hope the gurus have an answer to this one.
Making do without php or cgi/perl makes for a very bleak future.
Perhaps the weakness lies in PHP 4 ?
Anyone with similar experiences ?
Greetings
wyron
...

bobk

Re: !!! Alarm !!!
« Reply #2 on: April 17, 2004, 05:22:37 AM »
Quote from: "wyron"
I just came across this entry, sitting snugly all by itself in my httpd/access-log:
www.ideast.dk 66.196.90.210 - - [15/Apr/2004:01:23:14 +0200] "GET /dfbaarup/fgskregler.shtml HTTP/1.0" 200 3986 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

My server took nearly ten minutes to generate this one entry.
How am I compromised?
Can httpd-access really be used for smtp, or what is the purpose of this abuse?
. . Not to mention - what do I do about it?
Is there any fight-back possibility?


What part of that log entry is giving you heartburn? It looks to be a Yahoo Search spider indexing your site. There is no reference to "smtp" anywhere in it.

Do you think that high activity on your site could be related to the downloadable content of your 'sme' Ibay?

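As an added example (not code from the thread or from SME Server), a short Python script that parses Apache combined-format lines like the one quoted above, confirms that it is an ordinary HTTP GET answered with status 200 and 3986 bytes by a known search crawler, and totals response bytes per client so that sustained outbound traffic can be traced to downloads rather than to indexing. The crawler marker list and the two extra download lines are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" format with a leading virtual-host field, as in the quoted entry:
# vhost client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+)\s+(?P<client>\S+)\s+(?P<ident>\S+)\s+(?P<user>\S+)\s+'
    r'\[(?P<time>[^\]]+)\]\s+"(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<proto>[^"]+)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s+"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"$'
)

# Substrings that identify well-known search-engine crawlers (assumed list; extend as needed).
CRAWLER_MARKERS = ("Yahoo! Slurp", "Googlebot", "msnbot")

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" means no body sent
    rec["is_crawler"] = any(marker in rec["agent"] for marker in CRAWLER_MARKERS)
    return rec

def bytes_by_client(lines):
    """Sum response bytes per client IP, split into crawler and other traffic.
    Large 'other' totals from a few clients point at downloads, not at indexing."""
    totals = defaultdict(lambda: {"crawler": 0, "other": 0, "requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        bucket = "crawler" if rec["is_crawler"] else "other"
        totals[rec["client"]][bucket] += rec["bytes"]
        totals[rec["client"]]["requests"] += 1
    return dict(totals)

# Constructed sample: the entry quoted in the thread plus two made-up download hits.
SAMPLE_LOG = [
    'www.ideast.dk 66.196.90.210 - - [15/Apr/2004:01:23:14 +0200] "GET /dfbaarup/fgskregler.shtml HTTP/1.0" 200 3986 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"',
    'www.ideast.dk 192.0.2.10 - - [15/Apr/2004:02:10:00 +0200] "GET /sme/contrib.tar.gz HTTP/1.1" 200 52428800 "-" "Wget/1.8.2"',
    'www.ideast.dk 192.0.2.10 - - [15/Apr/2004:02:40:00 +0200] "GET /sme/contrib2.tar.gz HTTP/1.1" 200 10485760 "-" "Wget/1.8.2"',
]

if __name__ == "__main__":
    for ip, t in bytes_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {t['requests']} requests, crawler={t['crawler']} B, other={t['other']} B")
```
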
wyron
Re: !!! Alarm !!!
« Reply #3 on: April 17, 2004, 06:31:31 AM »
Quote from: "bobk"
What part of that log entry is giving you heartburn? It looks to be a Yahoo Search spider indexing your site. There is no reference to "smtp" anywhere in it.

Thank you ever so much for putting my panic to rest.
I was afraid that finally someone had found a hole in the SME armour. Hence the !!!Alarm!!!
There had been heavy uploading going on for nine consecutive hours, so I found it appropriate to check my httpd/access_log, and when that report, generated after almost ten minutes, contained only the one line I quoted, I just jumped to conclusions!
 . . and I'm very happy that they were groundless.
Quote from: "bobk"
Do you think that high activity on your site could be related to the downloadable content of your 'sme' Ibay?

I certainly hope so!!!
And if that's the case I'm very sorry for breaking any downloads.
But why is my log in that state?
It still shows only that entry, and it's still generating very slowly, even though there is no activity on my wan.
Greetings
wyron
...