Re: Attempts to push spam through apache

From: Gabriel Orozco (gabriel_orozco_at_mx.sumida.com)
Date: 08/22/04

    To: focus-linux@securityfocus.com
    Date: Sat, 21 Aug 2004 23:51:47 -0500
    
    

    Same thing happening with a client of mine, but with hundreds of different
    clients. We had mod_proxy enabled there, but disabling it didn't help at
    all.

    I was forced to shut down apache. It's the 1.3.27 version that came with SuSE
    9.1; with all the updates it continues being 1.3.27.

    I know there are other, newer apache versions, but SuSE doesn't have them. I
    disabled apache until the client authorizes the fix proposed (upgrade from
    sources).

    I surfed the web for this vulnerability but found nothing.

    Is anybody aware of this?

    Regards
    Gabriel

    On Thu 19 Aug 2004 8:26 PM, Peter H. Lemieux wrote:
    > My apache logs are recently full of entries like these:
    >
    > 211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25
    > HTTP/1.0" 200 1844
    >
    > Obviously this is an effort to pump spam through my server to 208.17.33.40.
    > There are many other target addresses as well.
    >
    > If I telnet to port 80 and enter the HTTP command
    >
    > CONNECT 208.17.33.40:25 HTTP/1.0
    >
    > the server replies with the 1844-byte home page of this site, as indicated
    > by the "200 1844" part of the log entry. As far as I can tell, this means
    > that these exploit attempts only get a web page in reply and are not able
    > to push the spam through to the intended target.
    >
    > I don't have mod_proxy enabled or anything else that would enable proxying
    > to work. Are these just random spammer attempts to find an open proxy?
    > The fact that there are nearly 35,000 (!) such entries over the past few
    > days suggests that the spammer, or the spammer's software, thinks this
    > exploit is succeeding. How can I be sure that it's not?
    >
    > I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be certain
    > that others can't use the same exploit. I tried a variety of Google
    > searches but haven't found a useful page to read on this subject.
    >
    > Some months ago someone used the recent mod_ssl vulnerability and managed
    > to install an IRC proxy on this server. However I fixed those problems at
    > the time, and there's no evidence that any unauthorized programs, e.g.,
    > proxies, are now running. (No, there are no rootkits installed, nor is the
    > ps binary compromised, etc. I'm well aware of such possibilities.)
    > Perhaps the machine was just added to a list of potentially vulnerable
    > servers, and someone else is trying to take advantage of me, even though
    > it's no longer possible?
    >
    > FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
    > exploits only work if there is an open http proxy available, no?
    >
    >
    > Peter
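A way to answer Peter's question ("How can I be sure that it's not?") with something more systematic than reading 35,000 log lines by eye, written as an added example that is not part of this thread or of Apache: it pulls the CONNECT entries out of an Apache common-format access log, counts them per source IP and per requested host:port, and classifies the raw reply to a CONNECT request the same way Peter did by hand over telnet. The sample log lines are constructed (modelled on the one he quoted), the regex assumes the common LogFormat, and the probe_connect helper and the 203.0.113.10 placeholder target are my assumptions.

```python
import re
import socket
from collections import Counter

# Apache "common" LogFormat, as in the entry quoted in the thread. The regex is an
# assumption about the log format; adjust it if your LogFormat differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample lines modelled on the one Peter quoted; not from a real log.
SAMPLE_LOG = """\
211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844
211.100.24.173 - - [19/Aug/2004:21:03:49 -0400] "CONNECT 208.17.33.41:25 HTTP/1.0" 200 1844
10.0.0.5 - - [19/Aug/2004:21:04:02 -0400] "GET /index.html HTTP/1.1" 200 1844
211.100.24.200 - - [19/Aug/2004:21:05:10 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 405 -
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = None if d["bytes"] == "-" else int(d["bytes"])
    return d


def connect_attempts(log_text):
    """All CONNECT requests in the log, in file order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"].upper() == "CONNECT":
            out.append(rec)
    return out


def summarize(attempts):
    """Count CONNECT attempts per source IP and per requested target (host:port)."""
    by_source = Counter(a["ip"] for a in attempts)
    by_target = Counter(a["target"] for a in attempts)
    return by_source, by_target


def classify_response(raw):
    """Classify the bytes a server sends back to 'CONNECT host:25'.

    tunnel_open        - the target's SMTP banner came straight back, or the server
                         said '200 Connection established' with no body: a real proxy.
    answered_with_page - HTTP 200 carrying a body (the home page Peter saw): the
                         request was served as an ordinary request, nothing tunnelled.
    refused            - 4xx/5xx such as 403/405/501: CONNECT is rejected outright.
    other              - anything else; look at it by hand.
    """
    if raw.startswith(b"220"):          # SMTP greeting relayed from the target
        return "tunnel_open"
    if not raw.startswith(b"HTTP/"):
        return "other"
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    try:
        status = int(status_line.split()[1])
    except (IndexError, ValueError):
        return "other"
    if status == 200:
        if b"connection established" in status_line.lower() or not body.strip():
            return "tunnel_open"
        return "answered_with_page"
    if 400 <= status < 600:
        return "refused"
    return "other"


def probe_connect(host, port=80, target="203.0.113.10:25", timeout=5.0):
    """Send the CONNECT request Peter typed into telnet to a server you administer
    and classify the reply. 203.0.113.10 is an RFC 5737 documentation address used
    as a placeholder target; only the server at host:port is contacted by this code."""
    req = f"CONNECT {target} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            while sum(len(c) for c in chunks) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    attempts = connect_attempts(SAMPLE_LOG)
    by_source, by_target = summarize(attempts)
    print(f"{len(attempts)} CONNECT attempts; sources: {dict(by_source)}; targets: {dict(by_target)}")
```

Feed it your real access_log instead of SAMPLE_LOG to see which sources are hammering you and which mail hosts they are aiming at; the per-target counter is what tells you whether "many other target addresses" are involved, as Peter noticed. The classification is the actual answer to his question: a 200 whose body is the 1844-byte home page is "answered_with_page", i.e. not a tunnel, whereas a bare "200 Connection established" or a 220 SMTP banner means the server is relaying. That distinction also covers Gabriel's case, where disabling mod_proxy changed nothing: the reply, not the module list, shows whether anything is being proxied.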

