Attempts to push spam through apache

From: Peter H. Lemieux (phl_at_cyways.com)
Date: 08/20/04

  • Next message: Andy Smith: "Re: Attempts to push spam through apache"
    Date: Thu, 19 Aug 2004 21:26:07 -0400
    To: focus-linux@securityfocus.com
    
    

    My apache logs are recently full of entries like these:

    211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844

    Obviously this is an effort to pump spam through my server to 208.17.33.40.
    There are many other target addresses as well.

    If I telnet to port 80 and enter the HTTP command

            CONNECT 208.17.33.40:25 HTTP/1.0

    the server replies with the 1844-byte home page of this site, as indicated
    by the "200 1844" part of the log entry. As far as I can tell, this means
    that these exploit attempts only get a web page in reply and are not able to
    push the spam through to the intended target.

    I don't have mod_proxy enabled or anything else that would enable proxying
    to work. Are these just random spammer attempts to find an open proxy? The
    fact that there are nearly 35,000 (!) such entries over the past few days
    suggests that the spammer, or the spammer's software, thinks this exploit is
    succeeding. How can I be sure that it's not?

    I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be certain
    that others can't use the same exploit. I tried a variety of Google
    searches but haven't found a useful page to read on this subject.

    Some months ago someone used the recent mod_ssl vulnerability and managed to
    install an IRC proxy on this server. However I fixed those problems at the
    time, and there's no evidence that any unauthorized programs, e.g., proxies,
    are now running. (No, there are no rootkits installed, nor is the ps binary
    compromised, etc. I'm well aware of such possibilities.) Perhaps the
    machine was just added to a list of potentially vulnerable servers, and
    someone else is trying to take advantage of me, even though it's no longer
    possible?

    FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
    exploits only work if there is an open http proxy available, no?

    Peter
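
The triage the post does by hand (spot the CONNECT entries, compare the
logged byte count with the home page size, decide whether anything was
actually tunnelled) can be scripted. The following is an added example
and is not code from the original post or from the thread. The log lines
in it are constructed for the example (the first one is the entry quoted
in the post); HOMEPAGE_BYTES takes the 1844 from the post and assumes the
home page size does not change; the verdict rules and the response
classifier are heuristics of the example author's own, not behaviour
documented anywhere on this page.

```python
"""Triage CONNECT requests in an Apache access_log (Common Log Format).

Added example, not part of the original post. SAMPLE_LOG is constructed;
HOMEPAGE_BYTES and the verdict rules are assumptions for illustration.
"""
import re
from collections import Counter

# CLF: host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Proxy-style request line: CONNECT host:port HTTP/1.x
CONNECT_RE = re.compile(r'^CONNECT (?P<target>[^\s:]+):(?P<port>\d+) HTTP/1\.[01]$')

# Size of "/" as logged in the post (assumption: it is constant, so a 200
# with exactly this size means Apache answered CONNECT with the home page).
HOMEPAGE_BYTES = 1844

# Constructed sample; the first line is the one quoted in the post.
SAMPLE_LOG = """\
211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844
211.100.24.173 - - [19/Aug/2004:21:03:49 -0400] "CONNECT 64.12.138.120:25 HTTP/1.0" 200 1844
10.0.0.7 - - [19/Aug/2004:21:05:12 -0400] "GET / HTTP/1.1" 200 1844
10.0.0.9 - - [19/Aug/2004:21:06:30 -0400] "CONNECT 192.0.2.10:25 HTTP/1.0" 405 312
10.0.0.11 - - [19/Aug/2004:21:07:01 -0400] "CONNECT 192.0.2.11:25 HTTP/1.0" 200 -
10.0.0.11 - - [19/Aug/2004:21:07:02 -0400] "CONNECT 192.0.2.12:443 HTTP/1.1" 200 -
this line is deliberately malformed and must be skipped
"""


def parse_clf(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = None if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def classify(rec, homepage_bytes=HOMEPAGE_BYTES):
    """Heuristic verdict for one CONNECT entry.

    refused     - 4xx/5xx: the method was rejected outright
    served_page - 200 with exactly the home page size: Apache handled the
                  CONNECT like a GET of "/", which is what the post observed
    suspect     - 200 with any other size (including "-"): a real tunnel
                  would not log the home page size, so look closer
    """
    if rec["status"] >= 400:
        return "refused"
    if rec["status"] == 200 and rec["bytes"] == homepage_bytes:
        return "served_page"
    return "suspect"


def connect_attempts(log_text):
    """All CONNECT entries in log_text, each tagged with target, port, verdict."""
    found = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        cm = CONNECT_RE.match(rec["request"])
        if cm is None:
            continue
        rec["target"] = cm.group("target")
        rec["port"] = int(cm.group("port"))
        rec["verdict"] = classify(rec)
        found.append(rec)
    return found


def summarize(attempts):
    """Counts by source host, destination port and verdict."""
    return {
        "total": len(attempts),
        "by_source": Counter(a["host"] for a in attempts),
        "by_port": Counter(a["port"] for a in attempts),
        "by_verdict": Counter(a["verdict"] for a in attempts),
    }


def classify_connect_response(raw):
    """Classify the raw bytes that come back after typing
    'CONNECT host:25 HTTP/1.0' into port 80 by hand, as the post did.

    tunnel   - a 200 with no HTML document, or an SMTP banner straight
               away: the far end's port 25 is reachable through us
    web_page - a 200 carrying text/html: the web server answered itself
    refused  - 403/405/501 style rejection
    """
    if raw.startswith(b"220 "):          # SMTP greeting, no HTTP at all
        return "tunnel"
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    status_line = head.split("\r\n")[0]
    if not status_line.startswith("HTTP/"):
        return "unknown"
    if " 200 " in status_line:
        return "web_page" if "content-type: text/html" in head.lower() else "tunnel"
    if any(code in status_line for code in (" 403 ", " 405 ", " 501 ")):
        return "refused"
    return "unknown"


if __name__ == "__main__":
    for a in connect_attempts(SAMPLE_LOG):
        print(f"{a['host']:16} -> {a['target']}:{a['port']:<5} {a['status']} {a['verdict']}")
    print(summarize(SAMPLE_LOG and connect_attempts(SAMPLE_LOG)))
```

Run it against a real access_log by feeding the file contents to
connect_attempts(). Any entry that comes out "suspect" deserves a look at
the destination: a working CONNECT proxy does not answer with an HTML
document, so the logged size diverging from the home page is the first
sign that something other than the default handler replied. The log alone
cannot prove the negative, though; the authoritative check is whether the
server itself opens outbound connections to port 25 while the probes are
arriving, which is visible on the box (or at the border) but never in
access_log.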



    Relevant Pages

    • Re: Attempts to push spam through apache
      ... On Friday 20 August 2004 04:26, Peter H. Lemieux wrote: ... > Obviously this is an effort to pump spam through my server to 208.17.33.40. ... I also have some attempts in my access_log, but 35000 entries ... if there were they wouldn't log into apache logs ...
      (Focus-Linux)