Re: Attempts to push spam through apache

From: Adrian Popescu (adixpope_at_rdsnet.ro)
Date: 08/22/04

    To: focus-linux@securityfocus.com
    Date: Sun, 22 Aug 2004 12:09:50 +0300
    
    

    On Friday 20 August 2004 04:26, Peter H. Lemieux wrote:
    > My apache logs are recently full of entries like these:
    >
    > 211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25
    > HTTP/1.0" 200 1844
    >
    > Obviously this is an effort to pump spam through my server to 208.17.33.40.
    > There are many other target addresses as well.
    >
    > If I telnet to port 80 and enter the HTTP command
    >
    > CONNECT 208.17.33.40:25 HTTP/1.0
    >
    > the server replies with the 1844-byte home page of this site, as indicated
    > by the "200 1844" part of the log entry. As far as I can tell, this means
    > that these exploit attempts only get a web page in reply and are not able
    > to push the spam through to the intended target.
    >
    > I don't have mod_proxy enabled or anything else that would enable proxying
    > to work. Are these just random spammer attempts to find an open proxy?
    > The fact that there are nearly 35,000 (!) such entries over the past few
    > days suggests that the spammer, or the spammer's software, thinks this
    > exploit is succeeding. How can I be sure that it's not?
    >
    > I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be certain
    > that others can't use the same exploit. I tried a variety of Google
    > searches but haven't found a useful page to read on this subject.
    >
    > Some months ago someone used the recent mod_ssl vulnerability and managed
    > to install an IRC proxy on this server. However I fixed those problems at
    > the time, and there's no evidence that any unauthorized programs, e.g.,
    > proxies, are now running. (No, there are no rootkits installed, nor is the
    > ps binary compromised, etc. I'm well aware of such possibilities.)
    > Perhaps the machine was just added to a list of potentially vulnerable
    > servers, and someone else is trying to take advantage of me, even though
    > it's no longer possible?
    >
    > FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
    > exploits only work if there is an open http proxy available, no?
    >
    >
    > Peter

    Something is wrong; if there is no proxying, you should get from
    your server something like ... Method not allowed (not some other page).

    To "be sure" nobody succeeds, put this in the "Main" section of httpd.conf
    (this will apply to VirtualHosts too, if you have any):
    <Location />
        <Limit CONNECT>
            Order deny,allow
            Deny from all
        </Limit>
    </Location>

    This will generate some extra logging in error_log file.
    I also have some attempts in my access_log, but 35000 entries
    could mean something is happening.

    Here is a link to a bug (even if mod_proxy is disabled):
    http://bugs.php.net/bug.php?id=19113

    About the openssl problem ...
    > No, there are no rootkits installed
    I wouldn't be so sure about that :-)
    But anyway, if there were, they wouldn't log into apache logs.

    If he/she got root, it doesn't matter if "ps" is unmodified;
    processes can be hidden, and log files played with.

    Use the "chkrootkit" tool, or other programs (run it a couple of times).
    Also look in /tmp or other places where the Apache User/Group
    is able to write and see if there is any trace left.
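As an added example (not part of the thread), a small Python script that parses access_log lines like the one quoted above, counts CONNECT attempts by source and target, and separates the expected 403/405 rejections from 2xx answers. The sample log lines are constructed, and the home-page-size comparison is an assumed heuristic drawn from the "200 1844" reasoning in the thread, not an Apache feature.

```python
import re
from collections import Counter

# Constructed sample access_log lines in Apache common log format, modelled on
# the entry quoted in the thread; addresses and sizes are made up for illustration.
SAMPLE_LOG = """\
211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844
211.100.24.173 - - [19/Aug/2004:21:03:49 -0400] "CONNECT 208.17.33.41:25 HTTP/1.0" 200 1844
10.0.0.7 - - [19/Aug/2004:21:04:02 -0400] "GET /index.html HTTP/1.1" 200 1844
192.0.2.9 - - [19/Aug/2004:21:05:11 -0400] "CONNECT 198.51.100.5:25 HTTP/1.0" 405 312
192.0.2.9 - - [19/Aug/2004:21:05:12 -0400] "CONNECT 198.51.100.5:25 HTTP/1.0" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def connect_report(log_text, home_page_size=None):
    """Summarise CONNECT requests by source, target and status.

    A 405/403 is the expected rejection from a non-proxying server. A 2xx is
    flagged: if its size equals the home page size it is the server serving a
    normal page (as in the thread), otherwise it deserves a closer look."""
    by_source, by_target, by_status = Counter(), Counter(), Counter()
    flagged = []  # (source ip, target, status, served_home_page) for 2xx answers
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        by_source[rec["ip"]] += 1
        by_target[rec["target"]] += 1
        by_status[rec["status"]] += 1
        if rec["status"].startswith("2"):
            served_home_page = home_page_size is not None and rec["size"] == str(home_page_size)
            flagged.append((rec["ip"], rec["target"], rec["status"], served_home_page))
    return {"total": sum(by_status.values()), "by_source": by_source,
            "by_target": by_target, "by_status": by_status, "flagged": flagged}
```

Pass the byte size of your own home page as `home_page_size`; any flagged 2xx whose size does not match is the case worth investigating.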

