RE: Attempts to push spam through apache
From: Gite, Ashish (Security Consultancy) (ashish.gite_at_hp.com)
Date: Sun, 22 Aug 2004 12:25:13 +0530
To: <email@example.com>
The following links might be related; you might want to read them:
Spammers use open Apache proxies
Controlling access to your proxy
From: Peter H. Lemieux [mailto:firstname.lastname@example.org]
Sent: Thursday, August 19, 2004 7:26 PM
Subject: Attempts to push spam through apache
My apache logs are recently full of entries like these:
188.8.131.52 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 184.108.40.206:25 HTTP/1.0" 200 1844
Obviously this is an effort to pump spam through my server to 220.127.116.11.
There are many other target addresses as well.
If I telnet to port 80 and enter the HTTP command
CONNECT 18.104.22.168:25 HTTP/1.0
the server replies with the 1844-byte home page of this site, as indicated
by the "200 1844" part of the log entry. As far as I can tell, this means
that these exploit attempts only get a web page in reply and are not able to
push the spam through to the intended target.
I don't have mod_proxy enabled or anything else that would enable proxying
to work. Are these just random spammer attempts to find an open proxy? The
fact that there are nearly 35,000 (!) such entries over the past few days
suggests that the spammer, or the spammer's software, thinks this exploit is
succeeding. How can I be sure that it's not?
I've blocked the 22.214.171.124/24 subnet for now, but I'd like to be certain
that others can't use the same exploit. I tried a variety of Google
searches but haven't found a useful page to read on this subject.
Some months ago someone used the recent mod_ssl vulnerability and managed to
install an IRC proxy on this server. However I fixed those problems at the
time, and there's no evidence that any unauthorized programs, e.g., proxies,
are now running. (No, there are no rootkits installed, nor is the ps binary
compromised, etc. I'm well aware of such possibilities.) Perhaps the
machine was just added to a list of potentially vulnerable servers, and
someone else is trying to take advantage of me, even though it's no longer
FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
exploits only work if there is an open http proxy available, no?
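An added example, not part of either message: a small Python check over Apache common-log lines in the format quoted above, which separates CONNECT requests answered with the home page (a 200 whose byte count equals the home page, 1844 bytes in the post) from 200 responses of some other size, which are the ones that would indicate real tunnelling and deserve a look. The first sample line is the entry from the post; the other addresses, sizes and the 405 line are constructed.

```python
import re
from collections import Counter

# Apache common log format (assumes no referer/user-agent fields, as in the quoted entry).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

# Constructed sample: line 1 is the entry quoted in the post; the others are
# invented (documentation IP ranges, made-up sizes) to show the other outcomes.
SAMPLE_LOG = """\
188.8.131.52 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 184.108.40.206:25 HTTP/1.0" 200 1844
188.8.131.52 - - [19/Aug/2004:21:03:49 -0400] "CONNECT 220.127.116.11:25 HTTP/1.0" 200 1844
10.0.0.5 - - [19/Aug/2004:21:04:02 -0400] "GET / HTTP/1.1" 200 1844
198.51.100.7 - - [19/Aug/2004:21:05:10 -0400] "CONNECT 203.0.113.9:25 HTTP/1.0" 200 57
198.51.100.7 - - [19/Aug/2004:21:05:11 -0400] "CONNECT 203.0.113.9:25 HTTP/1.0" 405 -
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    entry['size'] = 0 if entry['size'] == '-' else int(entry['size'])
    return entry

def classify_connect(entry, homepage_size):
    """A non-proxying Apache ignores CONNECT and serves the default document,
    so a 200 whose byte count equals the home page is noise; a 200 of any other
    size is what a real tunnel would look like. Heuristic only: content
    negotiation or an edited index page changes the size."""
    if entry['method'] != 'CONNECT':
        return 'not-connect'
    if entry['status'] != 200:
        return 'refused'
    return 'served-page' if entry['size'] == homepage_size else 'suspect-tunnel'

def summarize(lines, homepage_size):
    """Count CONNECT verdicts and the relay targets being requested."""
    verdicts, targets = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry['method'] != 'CONNECT':
            continue
        verdicts[classify_connect(entry, homepage_size)] += 1
        targets[entry['target']] += 1
    return verdicts, targets
```

Against a real access_log, call summarize(open('access_log').read().splitlines(), <home page size>) and inspect only the 'suspect-tunnel' entries; a box that is not proxying should produce none.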