RE: Attempts to push spam through apache

From: Gite, Ashish (Security Consultancy) (ashish.gite_at_hp.com)
Date: 08/22/04

  • Next message: Adrian Popescu: "Re: Attempts to push spam through apache"

    Date: Sun, 22 Aug 2004 12:25:13 +0530
    To: <focus-linux@securityfocus.com>

    Hi,

    Following links might be related, you might want to read -

    Spammers use open Apache proxies
    http://www.apacheweek.com/issues/03-07-25#security

    Controlling access to your proxy
    http://httpd.apache.org/docs/mod/mod_proxy.html#access

    #Ashish

    -----Original Message-----
    From: Peter H. Lemieux [mailto:phl@cyways.com]
    Sent: Thursday, August 19, 2004 7:26 PM
    To: focus-linux@securityfocus.com
    Subject: Attempts to push spam through apache

    My apache logs are recently full of entries like these:

    211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844

    Obviously this is an effort to pump spam through my server to 208.17.33.40.
    There are many other target addresses as well.

    If I telnet to port 80 and enter the HTTP command

            CONNECT 208.17.33.40:25 HTTP/1.0

    the server replies with the 1844-byte home page of this site, as indicated
    by the "200 1844" part of the log entry. As far as I can tell, this means
    that these exploit attempts only get a web page in reply and are not able to
    push the spam through to the intended target.

    I don't have mod_proxy enabled or anything else that would enable proxying
    to work. Are these just random spammer attempts to find an open proxy? The
    fact that there are nearly 35,000 (!) such entries over the past few days
    suggests that the spammer, or the spammer's software, thinks this exploit is
    succeeding. How can I be sure that it's not?

    I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be certain
    that others can't use the same exploit. I tried a variety of Google
    searches but haven't found a useful page to read on this subject.

    Some months ago someone used the recent mod_ssl vulnerability and managed to
    install an IRC proxy on this server. However, I fixed those problems at the
    time, and there's no evidence that any unauthorized programs, e.g., proxies,
    are now running. (No, there are no rootkits installed, nor is the ps binary
    compromised, etc. I'm well aware of such possibilities.) Perhaps the
    machine was just added to a list of potentially vulnerable servers, and
    someone else is trying to take advantage of me, even though it's no longer
    possible?

    FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
    exploits only work if there is an open http proxy available, no?

    Peter
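As an added example that is not part of the thread, the following Python script sorts through access-log entries of the kind Peter describes: it counts CONNECT attempts per client and per target, and flags any CONNECT answered with status 200 whose response size is not the static home page (assumed here to be 1844 bytes, as quoted), since a CONNECT that returns the home page is the server ignoring the method, while a different size deserves a closer look. The sample log lines are constructed; only the first mirrors the entry quoted above.

```python
import re
from collections import Counter

# Common Log Format as Apache 1.3 writes it (fields: client, ident, user,
# timestamp, request line, status, bytes).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log; the first line mirrors the entry quoted in the thread.
SAMPLE_LOG = """\
211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844
211.100.24.173 - - [19/Aug/2004:21:03:49 -0400] "CONNECT 64.12.138.57:25 HTTP/1.0" 200 1844
203.0.113.9 - - [19/Aug/2004:21:04:02 -0400] "GET /index.html HTTP/1.1" 200 1844
211.100.24.173 - - [19/Aug/2004:21:04:10 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 57
198.51.100.7 - - [19/Aug/2004:21:05:00 -0400] "CONNECT 198.51.100.200:443 HTTP/1.0" 405 -
"""

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_connect(log_text, home_page_size):
    """Count CONNECT requests per client and per target, and collect the ones
    that got a 200 with a body size other than the static home page.  Those
    are the entries that do not fit the 'server just served index.html'
    explanation and should be checked against the proxy configuration."""
    by_client, by_target, suspicious = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        by_client[rec["client"]] += 1
        by_target[rec["target"]] += 1
        if rec["status"] == "200" and rec["size"] != str(home_page_size):
            suspicious.append(rec)
    return {"by_client": by_client, "by_target": by_target, "suspicious": suspicious}

if __name__ == "__main__":
    s = summarize_connect(SAMPLE_LOG, home_page_size=1844)
    for client, n in s["by_client"].most_common():
        print(f"{client:>16}  {n} CONNECT attempt(s)")
    for rec in s["suspicious"]:
        print("check:", rec["client"], "->", rec["target"], rec["status"], rec["size"])
```

Run it against a real log with `summarize_connect(open(path).read(), home_page_size=...)`, using the byte count your own server returns for `GET /`.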
