ssl proxy request, " [...]that indicate a possible exploit"


Post by nihilist » 28.06.2010 08:54:53

This morning I was surprised by a 47 MB e-mail from my Logwatch.
It contained nothing but entries of the kind posted in the code block.
The whole thing is a vserver running a website and a Jabber server (ejabberd). Backups exist, but before I possibly reset the system there, I would like to know what is going on.

Code:

 A total of 67544 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):


+http://ad.103092804.com/iframe3?D5gAAACjEAC0QUsAAAAAAAqNFAAAAAAAAgAUAAYAAAAAAP8AAAABAnxnHAAAAAAAnPsZAAAAAABw0RsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACluwkAAAAAAAIAAwAAAAAAAAAAAAAAAAAAABBrM1GLPwAAAAAAAAAAAAAgoWIDlT8AAAAAAAAAAAAAwHdaraA.AAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAiaQnd23ZvCPWqr2oAmoyJ3As-fFEaN9zKAAqrAAAAAA==,,http%3A%2F%2Fgamefunflash.com%2Fen%2Fgame-fancy-pants-adventure.html,Z%3D728x90%26s%3D1090304%26_salt%3D3523748992%26B%3D12%26m%3D2%26u%3Dhttp%253A%252F%252Fgamefunflash.com%252Fen%252Fgame-fanc
+y-pants-adventure.html%26r%3D1,a6c804ac-817d-11df-9d51-0024812684fb HTTP Response 302

+http://ad.foxnetworks.com/iframe3?KhsAAIO5EABB6TAAAAAAABrQEwAAAAAAAgAcAAYAAAAAAP8AAAABCcd-HAAAAAAAQ5QOAAAAAACa-BoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBzwkAAAAAAAIAAwAAAAAAAAAAAAAAAABG4Tr9ONK6PwAAAAAAAAAARuE6.TjSyj8AAAAAAAAAAJmZGa-1odQ.AAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB.TICIldRvCG4q9iOxzunySdlGJCSm3benZSpHAAAAAA==,,http%3A%2F%2Fwww.moviefilmstar.com%2Fmovie%2F2006_dirty.html,Z%3D728x90%26anprice%3D%26s%3D1096067%26_salt%3D3373910496%26B%3D12%26m%3D2%26u%3Dhttp%253A%252F%252Fwww.moviefilmstar.com%252Fmovi
+e%252F2006_Dirty.html%26r%3D1,849663fa-81b5-11df-92d3-001e0b5a044e HTTP Response 302

+http://adfarm1.adition.com/banner?sid=157726&wi=575501907&ac=1&wpt=J&os=3&browser=9&screen_res=3&co=1&fvers=&ref=http%3A//ad.yieldmanager.com/iframe3%3FrlA0AC1LCwB-t1MAAAAAANbyFgAAAAAAAgAAAAYAAAAAAP8AAAABBt7yEwAAAAAAF3QAAAAAAABrrx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAADxzgUAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAADaZSjAPwAAAAAAAAAAAAAAFv.tyj8AAAAAAAAAAAAAAD3.cNY.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD5CjNoG7BvCIB-xL6rHjxTlS-kfun7CnJJQ.XpAAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww.thesunsfinancialdiary.com%252Fpage%252F3%25
+2F%2CZ%253D728x90%252C468x60%2526s%253D740141%2526_salt%253D3429119397%2526B%253D12%2526m%253D2%2526u%253Dhttp%25253A%25252F%25252Fwww.thesunsfinancialdiary.com%25252Fpage%25252F3%25252F%2526r%253D1%2Cc65564b4-819f-11df-8782-001e0b5a0454&clickurl=http%3A//ad.reduxmedia.
+com/clk%3F2%2C13%3Bfb045861804caf11%3B129778b62da%2C0%3B%3B%3B2585343647%2CrlA0AC1LCwB-t1MAAAAAANbyFgAAAAAAAgAAAAYAAAAAAP8AAAABBt7yEwAAAAAAF3QAAAAAAABrrx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAADxzgUAAAAAAAIAAwAAAAAA2mKLdykBAAAAAAAAAGM2NTU2NGI0LTgxOWYtMTFkZi04NzgyLTAwMWUwYjVhMDQ1NAA5STEAAAA%3D%2C%2Chttp%3A//www.thesunsfinancialdiary.com/page/3/%2Chttp%253A%252F%252Fad.adition.net%253A80%252Fclick*lid%253D84932478397%252Fclickurl%253D HTTP Response 200

+http://ad.spot200.com/iframe3?6mxuAK..CgCytE4AAAAAAIOjFQAAAAAAAgAAAAYAAAAAAP8AAAABBjr1EgAAAAAA6K8SAAAAAACpHh0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADaowUAAAAAAAIAAwAAAAAA1udtPUgXsj9-rnoYeGXBPw8tt7vNJr4.0iJ303L-zD8AAAAAAAAAAHE9nru.tdQ.AAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAD6fdCh5KpvCNuvEpqrtn3UVyn.GV9CrerSetcEAAAAAA==,,http%3A%2F%2Fwww.homeconstructionimprovement.com%2Fpage%2F4%2F,Z%3D728x90%26s%3D720815%26_salt%3D2036517639%26B%3D12%26m%3D2%26u%3Dhttp%253A%252F%252Fwww.homeconstructionimprovement.com%252Fpage%2
+52F4%252F%26r%3D1,aad64c42-819c-11df-a490-001d0963e92f HTTP Response 302

The Apache error.log also contains entries at intervals of seconds
(for about 2 days now)

Code:

[Sun Jun 27 03:00:51 2010] [error] proxy: HTTPS: failed to enable ssl support for 64.236.144.229:443 (adserver.adtechus.com)
[Sun Jun 27 03:00:51 2010] [error] [client 64.236.144.228] SSL Proxy requested for 83.169.17.147:80 but not enabled [Hint: SSLProxyEngine]
[Sun Jun 27 03:00:51 2010] [error] proxy: HTTPS: failed to enable ssl support for 64.236.144.228:443 (adserver.adtechus.com)
[Sun Jun 27 03:09:26 2010] [error] [client 83.169.59.64] SSL Proxy requested for 83.169.17.147:80 but not enabled [Hint: SSLProxyEngine]
[Sun Jun 27 03:09:26 2010] [error] proxy: HTTPS: failed to enable ssl support for 83.169.59.64:443 (ads.heias.com)
[Sun Jun 27 03:12:37 2010] [error] [client 83.169.59.64] SSL Proxy requested for 83.169.17.147:80 but not enabled [Hint: SSLProxyEngine]
[Sun Jun 27 03:12:37 2010] [error] proxy: HTTPS: failed to enable ssl support for 83.169.59.64:443 (ads.heias.com)
[Sun Jun 27 03:12:52 2010] [error] [client 83.169.59.64] SSL Proxy requested for 83.169.17.147:80 but not enabled [Hint: SSLProxyEngine]
[Sun Jun 27 03:12:52 2010] [error] proxy: HTTPS: failed to enable ssl support for 83.169.59.64:443 (ads.heias.com)

What is happening here?

Edit:
The proxy requests definitely seem to come from my Jabber server, or rather from the associated Jabber web client 'jwchat'.
apache-config:

Code:

    ProxyRequests On
    ProxyPass /http-bind/ http://hostname:5280/http-bind/
    ProxyPassReverse /http-bind/ http://hostname:5280/http-bind/
    <Proxy *>
       Order deny,allow
       Allow from all
    </Proxy>

edit 2:
I have disabled the vhost as well as all of Apache's proxy modules; apart from these error messages, things are quiet for now.
How can I prevent this in the future, and how can I first investigate more closely what is going on?

Code:

[Mon Jun 28 11:09:43 2010] [error] [client 122.228.236.202] File does not exist: /var/www/st, referer: http://www.somefrogs.com/lake/articles.php/tPath/3
[Mon Jun 28 11:10:06 2010] [error] [client 122.228.236.141] File does not exist: /var/www/st, referer: http://www.boardgames.com/modeshshga.html
[Mon Jun 28 11:10:16 2010] [error] [client 122.228.236.141] File does not exist: /var/www/st, referer: http://www.photoshopgurus.com/logo-bannerdesign.html
[Mon Jun 28 11:10:48 2010] [error] [client 122.228.236.141] File does not exist: /var/www/st, referer: http://www.homeconstructionimprovement.com/
[Mon Jun 28 11:10:56 2010] [error] [client 122.228.236.141] File does not exist: /var/www/st, referer: http://www.photoshopgurus.com/forum/photoshop-web/22781-images-sizes-larger-blurry-wordpress-theme-help.html
[Mon Jun 28 11:11:45 2010] [error] [client 122.228.236.141] File does not exist: /var/www/st, referer: http://boardgames.com/
[Mon Jun 28 11:12:52 2010] [error] [client 125.67.234.28] File does not exist: /var/www/st, referer: http://www.homeconstructionimprovement.com/cordless-tool-battery-packs/#respond
[Mon Jun 28 11:14:05 2010] [error] [client 58.16.28.69] File does not exist: /var/www/st, referer: http://www.somefrogs.com/
[Mon Jun 28 11:14:45 2010] [error] [client 58.16.28.69] File does not exist: /var/www/st, referer: http://www.homeconstructionimprovement.com/rockwell-jawhorse-review/
[Mon Jun 28 11:15:37 2010] [error] [client 125.67.234.28] File does not exist: /var/www/st, referer: http://www.homeconstructionimprovement.com/
[Mon Jun 28 11:16:35 2010] [error] [client 122.228.236.141] File does not exist: /var/www/st, referer: http://www.photoshopgurus.com/
[Mon Jun 28 11:16:58 2010] [error] [client 125.67.234.28] File does not exist: /var/www/st, referer: http://www.thesunsfinancialdiary.com/category/free-money/paid-survey/
[Mon Jun 28 11:17:53 2010] [error] [client 122.228.236.141] File does not exist: /var/www/st, referer: http://www.snowcovered.com/Snowcovered2/Default.aspx?tabid=229&htype=Technical+Support
[Mon Jun 28 11:18:28 2010] [error] [client 58.16.28.80] File does not exist: /var/www/st, referer: http://www.boardgames.com/magaat.html
[Mon Jun 28 11:21:03 2010] [error] [client 125.67.234.28] File does not exist: /var/www/st, referer: http://www.thesunsfinancialdiary.com/2008/12/
[Mon Jun 28 11:21:05 2010] [error] [client 58.16.28.69] File does not exist: /var/www/st, referer: http://www.photoshopgurus.com/forum/members/nakul8989.html
[Mon Jun 28 11:22:32 2010] [error] [client 113.122.99.222] File does not exist: /var/www/st, referer: http://www.moviefilmstar.com/html/andiemacdowell.html
[Mon Jun 28 11:26:06 2010] [error] [client 125.67.234.28] File does not exist: /var/www/st, referer: http://www.homeconstructionimprovement.com/pacific-laser-systems-pls180-tool-review/
[Mon Jun 28 11:29:00 2010] [error] [client 125.67.234.28] File does not exist: /var/www/st, referer: http://www.homeconstructionimprovement.com/milwaukee-sds-rotary-hammer-drill-review/
[Mon Jun 28 11:29:17 2010] [error] [client 125.67.234.28] File does not exist: /var/www/st, referer: http://www.homeconstructionimprovement.com/
[Mon Jun 28 11:30:06 2010] [error] [client 125.67.234.28] File does not exist: /var/www/st, referer: http://www.thesunsfinancialdiary.com/2007/10/


Re: ssl proxy request, " [...]that indicate a possible explo

Post by nihilist » 30.06.2010 09:48:26

I would be very grateful for or a short tip on whether something is misconfigured there, or whether these are simply queries... :)

License of own posts: MIT License

Re: ssl proxy request, " [...]that indicate a possible explo

Post by rendegast » 02.03.2015 11:46:35

[Mon Jun 28 11:30:06 2010] [error] [client 125.67.234.28] File does not exist: /var/www/st, referer: http://www.thesunsfinancialdiary.com/2007/10/
Masses of English addresses look dubious, spam.
Unless you yourself link to them somehow, my guess is an attack,
plus the attempts to disable SSL, or rather to downgrade it.

google: "File does not exist: /var/www/st, referer:"
seems to confirm that.
Regards, rendegast
-----------------------
Much zeal, much error; less zeal, less error; no zeal, no error.
(Lin Yutang "Moment in Peking")

License of own posts: MIT License

Re: ssl proxy request, " [...]that indicate a possible explo

Post by catdog2 » 02.03.2015 11:58:23

The proxy requests definitely seem to come from my Jabber server, or rather from the associated Jabber web client 'jwchat'.
You have probably configured yourself an open proxy there all the same.

Code:

    ProxyRequests On

Let me quote the documentation on this:
Warning

Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.
The ProxyRequests directive should usually be set off when using ProxyPass.
Unix is user-friendly; it's just picky about who its friends are.
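
On the question of how to investigate more closely, an added example (not code from the thread or from the Apache project): while `ProxyRequests On` is active, forward-proxy use by outsiders is visible in the access log as request lines that carry an absolute URI for a foreign host, or a `CONNECT`. The sketch assumes Apache's common/combined log format and a hypothetical `OWN_HOSTS` set; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical names this server legitimately answers for (assumption).
OWN_HOSTS = {"www.example.org", "example.org"}

# Common/combined log format: client ident user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def proxy_target(method, target):
    """Return the foreign host a request tried to reach through us, else None."""
    if method == "CONNECT":  # tunnel request, target is host:port
        return target.rsplit(":", 1)[0].lower()
    if target.lower().startswith(("http://", "https://")):
        host = (urlsplit(target).hostname or "").lower()
        # An absolute URI naming our own host is valid HTTP/1.1, not abuse.
        return host if host and host not in OWN_HOSTS else None
    return None  # ordinary origin-form request such as /http-bind/

def find_proxy_abuse(lines):
    """Count (client, foreign host) pairs, split into relayed and refused."""
    relayed, refused = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host = proxy_target(m["method"], m["target"])
        if host is None:
            continue
        # A 2xx/3xx status suggests the request was served rather than refused.
        bucket = relayed if m["status"][0] in "23" else refused
        bucket[(m["client"], host)] += 1
    return relayed, refused

# Constructed sample lines (documentation addresses, not taken from the thread).
T = "[27/Jun/2010:03:00:51 +0200]"
SAMPLE = [
    f'198.51.100.7 - - {T} "GET http://ads.example.net/iframe3?x=1 HTTP/1.1" 302 0 "-" "-"',
    f'198.51.100.7 - - {T} "GET http://ads.example.net/banner HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.9 - - {T} "CONNECT mail.example.com:25 HTTP/1.0" 405 0 "-" "-"',
    f'192.0.2.10 - - {T} "GET http://www.example.org/index.html HTTP/1.1" 200 1043 "-" "-"',
    f'192.0.2.10 - - {T} "POST /http-bind/ HTTP/1.1" 200 87 "-" "-"',
]

if __name__ == "__main__":
    relayed, refused = find_proxy_abuse(SAMPLE)
    print("relayed:", dict(relayed))
    print("refused:", dict(refused))
```

Entries in the relayed counter are the ones to act on first; after setting `ProxyRequests Off` as the quoted documentation advises, the same clients should only appear in the refused counter.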
