Re: Attempts to push spam through apache
From: Gabriel Orozco (gabriel_orozco_at_mx.sumida.com)
To: firstname.lastname@example.org Date: Sat, 21 Aug 2004 23:51:47 -0500
Same thing happening with a client of mine, but with hundreds of different
clients. we had mod_proxy enabled there, but disabling it didn't helped at
I was forced to shutdown apache. it's the 1.3.27 version that came with SuSE
9.1, with all the updates it continues being 1.3.27.
I know there are other, newer apache versions, but SuSE doesn't have them. I
disabled apache until the client authorizes the fix proposed (upgrade from
I surf the web for this vulnerability but nothing found.
Is anybody aware of this?
El Jue 19 Ago 2004 8:26 PM, Peter H. Lemieux escribió:
> My apache logs are recently full of entries like these:
> 220.127.116.11 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 18.104.22.168:25
> HTTP/1.0" 200 1844
> Obviously this is an effort to pump spam through my server to 22.214.171.124.
> There are many other target addresses as well.
> If I telnet to port 80 and enter the HTTP command
> CONNECT 126.96.36.199:25 HTTP/1.0
> the server replies with the 1844-byte home page of this site, as indicated
> by the "200 1844" part of the log entry. As far as I can tell, this means
> that these exploit attempts only get a web page in reply and are not able
> to push the spam through to the intended target.
> I don't have mod_proxy enabled or anything else that would enable proxying
> to work. Are these just random spammer attempts to find an open proxy?
> The fact that there are nearly 35,000 (!) such entries over the past few
> days suggests that the spammer, or the spammer's software, thinks this
> exploit is succeeding. How can I be sure that it's not?
> I've blocked the 188.8.131.52/24 subnet for now, but I'd like to be certain
> that others can't use the same exploit. I tried a variety of Google
> searches but haven't found a useful page to read on this subject.
> Some months ago someone used the recent mod_ssl vulnerability and managed
> to install an IRC proxy on this server. However I fixed those problems at
> the time, and there's no evidence that any unauthorized programs, e.g.,
> proxies, are now running. (No, there are no rootkits installed, nor is the
> ps binary compromised, etc. I'm well aware of such possibilities.)
> Perhaps the machine was just added to a list of potentially vulnerable
> servers, and someone else is trying to take advantage of me, even though
> it's no longer possible?
> FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
> exploits only work if there is an open http proxy available, no?