Re: Attempts to push spam through apache

From: Gabriel Orozco (
Date: 08/22/04

  • Next message: Peter H. Lemieux: "Re: Attempts to push spam through apache"
    Date: Sat, 21 Aug 2004 23:51:47 -0500

    Same thing happening with a client of mine, but with hundreds of different
    clients. We had mod_proxy enabled there, but disabling it didn't help at

    I was forced to shut down Apache. It's the 1.3.27 version that came with SuSE
    9.1; with all the updates it continues being 1.3.27.

    I know there are other, newer apache versions, but SuSE doesn't have them. I
    disabled apache until the client authorizes the fix proposed (upgrade from

    I searched the web for this vulnerability but found nothing.

    Is anybody aware of this?


    On Thu 19 Aug 2004 8:26 PM, Peter H. Lemieux wrote:
    > My apache logs are recently full of entries like these:
    > - - [19/Aug/2004:21:03:48 -0400] "CONNECT
    > HTTP/1.0" 200 1844
    > Obviously this is an effort to pump spam through my server to
    > There are many other target addresses as well.
    > If I telnet to port 80 and enter the HTTP command
    > CONNECT HTTP/1.0
    > the server replies with the 1844-byte home page of this site, as indicated
    > by the "200 1844" part of the log entry. As far as I can tell, this means
    > that these exploit attempts only get a web page in reply and are not able
    > to push the spam through to the intended target.
    > I don't have mod_proxy enabled or anything else that would enable proxying
    > to work. Are these just random spammer attempts to find an open proxy?
    > The fact that there are nearly 35,000 (!) such entries over the past few
    > days suggests that the spammer, or the spammer's software, thinks this
    > exploit is succeeding. How can I be sure that it's not?
    > I've blocked the subnet for now, but I'd like to be certain
    > that others can't use the same exploit. I tried a variety of Google
    > searches but haven't found a useful page to read on this subject.
    > Some months ago someone used the recent mod_ssl vulnerability and managed
    > to install an IRC proxy on this server. However I fixed those problems at
    > the time, and there's no evidence that any unauthorized programs, e.g.,
    > proxies, are now running. (No, there are no rootkits installed, nor is the
    > ps binary compromised, etc. I'm well aware of such possibilities.)
    > Perhaps the machine was just added to a list of potentially vulnerable
    > servers, and someone else is trying to take advantage of me, even though
    > it's no longer possible?
    > FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
    > exploits only work if there is an open http proxy available, no?
    > Peter
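
Added example, not part of either poster's message: a Python script that applies the check Peter describes (a CONNECT answered with "200" and the size of a local page) across a whole access log, grouped by client. The sample log lines, the example hostnames and addresses, and the rule that a 2xx reply of any other size deserves a manual look are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line, local_sizes):
    """Return (host, target, verdict) for a proxy-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    # Proxy-style request: CONNECT host:port, or an absolute URI as the target.
    if method != "CONNECT" and "://" not in target:
        return None
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if not 200 <= status < 300:
        verdict = "rejected"        # server answered with an error status
    elif size in local_sizes:
        verdict = "local-page"      # 2xx, body size equals a known local page
    else:
        verdict = "investigate"     # 2xx with an unexplained size (assumed rule)
    return m["host"], target, verdict

def summarize(lines, local_sizes):
    """Count verdicts per client host."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        result = classify(line, local_sizes)
        if result:
            counts[result[0]][result[2]] += 1
    return {host: dict(v) for host, v in counts.items()}

# Constructed sample lines (documentation addresses and example hostnames).
SAMPLE = [
    '192.0.2.10 - - [19/Aug/2004:21:03:48 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 200 1844',
    '192.0.2.10 - - [19/Aug/2004:21:03:49 -0400] "CONNECT mail.example.org:25 HTTP/1.0" 200 1844',
    '192.0.2.77 - - [19/Aug/2004:21:04:02 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 200 -',
    '192.0.2.77 - - [19/Aug/2004:21:04:05 -0400] "GET http://www.example.com/ HTTP/1.0" 404 278',
    '198.51.100.5 - - [19/Aug/2004:21:05:00 -0400] "GET /index.html HTTP/1.0" 200 1844',
]

if __name__ == "__main__":
    # 1844 is the home-page size quoted in the message above.
    for host, verdicts in summarize(SAMPLE, {1844}).items():
        print(host, verdicts)
```

Pass the byte sizes of the pages the server really serves as `local_sizes`; any client left with an "investigate" count is worth checking against outbound connection records for the same time window.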
