[Zope] VHM followup... an open proxy probe?

Dylan Reinhardt zope@dylanreinhardt.com
Sat, 15 Mar 2003 11:06:00 -0800


Looking over the Apache logs a bit more carefully, I can see several 
requests of the form:

http://www.virtualhost.com/misc_/SiteAccess/VirtualHostMonster.gif

and

http://www.virtualhost.com/p_/zopelogo_jpg

Both of which will return graphics positively identifying your server as 
Zope unless you've taken measures to the contrary.  Oops.

Around the same times as the probes for site/vhm//, there were several 
failed requests to use my server as an open proxy... my guess is that open 
proxies may be what the probe is *really* looking for.  Zope servers 
running VHM are highly likely to be running Apache and given the variety 
and age of the available docs on setting up Zope with Apache, it may be 
fair to assume that some number of Zope+VHM+Apache sites are set up insecurely.

A couple thoughts/recommendations:

1. Read up on configuring and securing Apache proxy services: 
http://httpd.apache.org/docs/mod/mod_proxy.html#access
2. Don't volunteer configuration info to potential attackers.  You can 
conceal misc_ and p_ from your virtual sites by placing empty folders with 
these names in the folder above your virtual root.  You may wish to name 
your VHM object something unpredictable.  Ensure that Apache is configured 
with ServerSignature Off.


FWIW,

Dylan
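
A way to run the log review described in this message, as an added example that is not part of the original post: it flags requests for the two Zope-identifying graphics and proxy-style requests (CONNECT, or an absolute URL naming a host the server does not serve), then lists clients that did both. The log lines and LOCAL_HOSTS are constructed for illustration, and a common/combined Apache access log format is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the host names this server legitimately answers for.
LOCAL_HOSTS = {"www.virtualhost.com"}
# The two paths named in the post that identify a server as Zope.
FINGERPRINT_PATHS = ("/misc_/SiteAccess/VirtualHostMonster.gif", "/p_/zopelogo_jpg")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Mar/2003:10:01:02 -0800] "GET /misc_/SiteAccess/VirtualHostMonster.gif HTTP/1.0" 200 1024
192.0.2.10 - - [15/Mar/2003:10:01:05 -0800] "GET http://example.org/ HTTP/1.0" 403 280
192.0.2.10 - - [15/Mar/2003:10:01:06 -0800] "CONNECT example.org:443 HTTP/1.0" 405 300
198.51.100.7 - - [15/Mar/2003:10:02:00 -0800] "GET http://www.virtualhost.com/p_/zopelogo_jpg HTTP/1.1" 200 2048
203.0.113.5 - - [15/Mar/2003:10:03:00 -0800] "GET /index_html HTTP/1.1" 200 5120
203.0.113.9 - - [15/Mar/2003:10:04:00 -0800] "GET http://example.org/ HTTP/1.0" 200 5120
""".splitlines()

def classify(method, target):
    """Return 'proxy', 'fingerprint' or None for one request."""
    if method == "CONNECT":
        return "proxy"
    path = target
    if "://" in target:  # absolute-URI request line
        parts = urlsplit(target)
        if (parts.hostname or "").lower() not in LOCAL_HOSTS:
            return "proxy"  # asks us to fetch from someone else's host
        path = parts.path
    return "fingerprint" if path.startswith(FINGERPRINT_PATHS) else None

def scan(lines):
    """Count flagged requests per client IP."""
    report = defaultdict(lambda: {"fingerprint": 0, "proxy": 0, "proxy_2xx": 0})
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m["method"], m["target"]) if m else None
        if kind is None:
            continue
        entry = report[m["ip"]]
        entry[kind] += 1
        # A 2xx here needs a manual look: Apache may have answered from a
        # local vhost rather than relayed the request.
        if kind == "proxy" and m["status"].startswith("2"):
            entry["proxy_2xx"] += 1
    return dict(report)

def correlated(report):
    """Clients that both fingerprinted Zope and tried to use the proxy."""
    return sorted(ip for ip, e in report.items() if e["fingerprint"] and e["proxy"])
```

Any client with a non-zero proxy_2xx count is the first thing to check against the mod_proxy access settings linked above.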