RE: Attempts to push spam through apache

From: Gite, Ashish (Security Consultancy) (ashish.gite_at_hp.com)
Date: 08/22/04

    Date: Sun, 22 Aug 2004 12:25:13 +0530
    To: <focus-linux@securityfocus.com>

    Hi,

    The following links might be related; you might want to read them:

    Spammers use open Apache proxies
    http://www.apacheweek.com/issues/03-07-25#security

    Controlling access to your proxy
    http://httpd.apache.org/docs/mod/mod_proxy.html#access

    #Ashish

    -----Original Message-----
    From: Peter H. Lemieux [mailto:phl@cyways.com]
    Sent: Thursday, August 19, 2004 7:26 PM
    To: focus-linux@securityfocus.com
    Subject: Attempts to push spam through apache

    My apache logs are recently full of entries like these:

    211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844

    Obviously this is an effort to pump spam through my server to 208.17.33.40.
    There are many other target addresses as well.

    If I telnet to port 80 and enter the HTTP command

            CONNECT 208.17.33.40:25 HTTP/1.0

    the server replies with the 1844-byte home page of this site, as indicated
    by the "200 1844" part of the log entry. As far as I can tell, this means
    that these exploit attempts only get a web page in reply and are not able to
    push the spam through to the intended target.

    I don't have mod_proxy enabled or anything else that would enable proxying
    to work. Are these just random spammer attempts to find an open proxy? The
    fact that there are nearly 35,000 (!) such entries over the past few days
    suggests that the spammer, or the spammer's software, thinks this exploit is
    succeeding. How can I be sure that it's not?

    I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be certain
    that others can't use the same exploit. I tried a variety of Google
    searches but haven't found a useful page to read on this subject.

    Some months ago someone used the recent mod_ssl vulnerability and managed to
    install an IRC proxy on this server. However I fixed those problems at the
    time, and there's no evidence that any unauthorized programs, e.g., proxies,
    are now running. (No, there are no rootkits installed, nor is the ps binary
    compromised, etc. I'm well aware of such possibilities.) Perhaps the
    machine was just added to a list of potentially vulnerable servers, and
    someone else is trying to take advantage of me, even though it's no longer
    possible?

    FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
    exploits only work if there is an open http proxy available, no?

    Peter
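Peter's question, how to be sure the CONNECT attempts are not actually being tunnelled, can be settled by comparing what the server sends back with what a real proxy sends. Apache's mod_proxy answers a successful CONNECT with "200 Connection established", no Content-Type header and an empty body, after which the target's SMTP banner (a "220 ..." line) flows straight down the same connection. A non-proxying Apache instead treats the request like any other and serves a page, complete with a Content-Type header and an HTML body, which is what the "200 1844" in Peter's log shows. The script below is an added example, not code from the thread or from the Apache project. It pulls CONNECT requests out of access-log lines, summarises them per client and per target, and classifies a server's raw reply into "tunnel", "page" or "refused". The `probe_own_server` helper sends the same CONNECT Peter typed by hand to a server you administer, using the server's own 127.0.0.1:25 as the target so that a genuine tunnel reveals only your own MTA's banner and touches no third party. All function names and the sample log lines (modelled on the one in the post) are constructed for this example.

```python
import re
import socket
import sys
from collections import Counter

# Constructed sample access-log lines in Apache common log format.
# The first is the line quoted in the post; the rest are made up for illustration.
SAMPLE_LOG = """\
211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844
211.100.24.173 - - [19/Aug/2004:21:03:49 -0400] "CONNECT 10.0.0.5:25 HTTP/1.0" 200 1844
192.0.2.10 - - [19/Aug/2004:21:04:01 -0400] "GET /index.html HTTP/1.1" 200 1844
198.51.100.7 - - [19/Aug/2004:21:05:12 -0400] "CONNECT 10.0.0.5:25 HTTP/1.0" 200 0
"""

# Common log format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_connect_attempts(log_text):
    """Return (client, target, status, size) tuples for every CONNECT request."""
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        size = m.group("size")
        attempts.append((m.group("client"), m.group("target"),
                         int(m.group("status")), 0 if size == "-" else int(size)))
    return attempts


def summarize(attempts):
    """Count CONNECT attempts per source client and per requested target."""
    by_client = Counter(a[0] for a in attempts)
    by_target = Counter(a[1] for a in attempts)
    return by_client, by_target


def classify_connect_response(raw):
    """Classify the raw bytes a server returned after a CONNECT request.

    'tunnel'  : 200 with no Content-Type and no HTML body (a proxy tunnel was
                opened), or a bare SMTP "220" banner with no HTTP status at all
    'page'    : an ordinary web page came back, i.e. the request was not proxied
    'refused' : a 4xx/5xx status
    'unknown' : nothing recognisable
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        # No HTTP status line: a raw SMTP greeting means the bytes came from
        # a mail server behind a tunnel, which is the worst case.
        return "tunnel" if raw.startswith(b"220 ") else "unknown"
    status = int(parts[1])
    if status >= 400:
        return "refused"
    has_content_type = b"content-type:" in head.lower()
    if status == 200 and not has_content_type and b"<html" not in body.lower():
        return "tunnel"
    return "page"


def probe_own_server(host, port=80, target="127.0.0.1:25", timeout=5.0):
    """Send a CONNECT to a server you administer and classify its reply.

    `target` is interpreted by the server under test, so 127.0.0.1:25 is that
    server's own MTA: a real tunnel shows only your own banner.
    """
    request = "CONNECT %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (target, host)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        try:
            while sum(len(c) for c in chunks) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            # An open tunnel never closes by itself; the banner (if any) is
            # already in `chunks` by the time we time out.
            pass
    return classify_connect_response(b"".join(chunks))


if __name__ == "__main__":
    by_client, by_target = summarize(parse_connect_attempts(SAMPLE_LOG))
    print("CONNECT attempts by client:", dict(by_client))
    print("CONNECT attempts by target:", dict(by_target))
    if len(sys.argv) > 1:
        # Usage: python3 connect_check.py your.server.example
        print("reply from %s classified as: %s" % (sys.argv[1], probe_own_server(sys.argv[1])))
```

To run the log summary over a real file, replace `SAMPLE_LOG` with the contents of the access log (or feed `parse_connect_attempts` the output of `grep CONNECT access_log`). A "page" classification from `probe_own_server` matches what Peter saw by hand; a "tunnel" result means the server really is relaying and mod_proxy (or whatever is answering on port 80) needs its proxy access restricted before anything else.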
