Re: sending out spam through IRC server ?

From: Bronek Kozicki (brok@rubikon.pl)
Date: 03/06/03

  • Next message: Johannes Ullrich: "Re: TCP 445 Scan?"
    From: "Bronek Kozicki" <brok@rubikon.pl>
    To: <incidents@securityfocus.com>
    Date: Thu, 6 Mar 2003 16:39:02 +0100
    
    

    Bronek Kozicki <brok@rubikon.pl> wrote:
    [...]

    OK, problem resolved. Thanks all for the help. Things were a bit more
    complicated than I was thinking, or rather I missed two important pieces
    of the puzzle.

    The first piece is that we are running Apache on the same W2K machine.
    Shame on me, I had not noticed it before, because it was bound to a
    different IP than the one reported in the spam (you can run both IIS and
    Apache on port 80 of one machine if you disable IIS ConnectionPooling
    and use different IPs). Anyway, this Apache is configured as a proxy to
    some other host, using the ProxyPass directive. Some of my colleagues also
    configured ProxyRequest On, making this server an open proxy. Bad, bad
    thing, and I was just sure that such a stupid mistake could not happen in
    my network :( Because this Apache is bound to a different IP, I just
    missed it when searching for the possible hole. Well, the IP accepting
    connections does not have to be the same as the IP of the outgoing
    connections, and when you add static NAT and PAT to the picture it's
    easy to miss something (this is the other piece).

    Spammers "enjoyed" it for 2 weeks, and I will be forever grateful to
    spamcop.net and the anonymous spam recipients who notified me about the
    problem. The interesting thing is that this server was an open proxy for
    much longer than 2 weeks, and suddenly many spammers became aware
    of it on Feb 18th. I guess some "spam software seller" scanned it and
    inserted it into a database. If anybody is interested, I can disclose more
    details (like the IPs of the spammers who abused my server).

    What helped me was a network scanner: I logged TCP connections directed
    to port 25 of outside-world servers (like legitimate SMTP traffic),
    then found out that some requests had HTTP headers before the "HELO"
    command.

    B.
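    The two checks the post describes, as an added example that is not part
    of the original message or of Apache's own tooling: a config audit that
    flags the forward-proxy switch (the Apache directive is spelled
    ProxyRequests; a ProxyPass reverse proxy does not need it and it should
    be Off), and the detection trick from the last paragraph, applied to the
    first bytes a client sends on outbound TCP/25 connections. A spammer who
    POSTs SMTP commands through an HTTP proxy causes the proxy's request
    line and headers to arrive at the victim's port 25 ahead of the SMTP
    dialogue, which is the fingerprint the post found. All addresses, host
    names, the config text and the captured payloads below are constructed
    for the example.

```python
"""Added example (not from the original post): audit Apache for forward
proxying, and flag outbound TCP/25 flows whose client bytes start with an
HTTP request rather than an SMTP HELO/EHLO."""
import re
from dataclasses import dataclass

# Apache forward-proxy switch. A reverse proxy built with ProxyPass does
# not need it; "ProxyRequests On" without a <Proxy> access-control block
# is an open proxy reachable by anyone who can hit port 80.
PROXY_REQUESTS = re.compile(r"^[ \t]*ProxyRequests[ \t]+(On|Off)[ \t]*$",
                            re.IGNORECASE | re.MULTILINE)
PROXY_ACL = re.compile(r"^[ \t]*<Proxy\b", re.IGNORECASE | re.MULTILINE)


def audit_proxy_config(conf: str) -> list:
    """Return a description of each 'ProxyRequests On' found in conf."""
    problems = []
    has_acl = PROXY_ACL.search(conf) is not None
    for m in PROXY_REQUESTS.finditer(conf):
        if m.group(1).lower() != "on":
            continue
        line_no = conf.count("\n", 0, m.start()) + 1
        msg = f"line {line_no}: ProxyRequests On turns this server into a forward proxy"
        if not has_acl:
            msg += " with no <Proxy> access control (open proxy)"
        problems.append(msg)
    return problems


# Client-first bytes on a port-25 connection. SMTP servers speak first (220
# banner), so the first client bytes of a real MTA are HELO or EHLO.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|CONNECT) +\S+ +HTTP/1\.[01]\r?\n")
SMTP_HELLO = re.compile(rb"^(HELO|EHLO)\b", re.IGNORECASE)


@dataclass
class Finding:
    src: str
    dst: str
    verdict: str     # "smtp", "http-before-helo", "http-other", "unknown"
    first_line: str


def classify_client_bytes(payload: bytes) -> tuple:
    """Classify the first bytes a client sent on a TCP/25 connection."""
    first_line = payload.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1", "replace")
    if SMTP_HELLO.match(payload):
        return "smtp", first_line
    if HTTP_REQUEST_LINE.match(payload):
        # An HTTP proxy forwards its request line and headers, then the
        # request body. A body that opens with HELO/EHLO is SMTP being
        # relayed through the proxy: the post's "HTTP headers before HELO".
        _headers, sep, body = payload.partition(b"\r\n\r\n")
        if sep and SMTP_HELLO.match(body.lstrip()):
            return "http-before-helo", first_line
        return "http-other", first_line
    return "unknown", first_line


def scan_smtp_connections(connections) -> list:
    """connections: iterable of (src_ip, dst_ip, client_payload) for TCP/25 flows."""
    return [Finding(src, dst, *classify_client_bytes(payload))
            for src, dst, payload in connections]


def abused_proxy_targets(connections) -> list:
    """Destination IPs that received HTTP headers ahead of an SMTP HELO."""
    return [f.dst for f in scan_smtp_connections(connections)
            if f.verdict == "http-before-helo"]


# Constructed sample config: reverse proxy plus the mistaken forward-proxy switch.
SAMPLE_CONFIG = """\
Listen 192.0.2.10:80
ProxyPass /app/ http://10.0.0.5/app/
ProxyPassReverse /app/ http://10.0.0.5/app/
ProxyRequests On
"""

# Constructed sample flows as seen leaving the proxy host (src) towards port 25.
SAMPLE_CONNECTIONS = [
    # legitimate MTA traffic: the client opens with EHLO
    ("192.0.2.10", "198.51.100.25",
     b"EHLO mail.example.org\r\nMAIL FROM:<alice@example.org>\r\n"),
    # spam relayed through the open proxy: the spammer's HTTP request reaches
    # the victim's port 25 ahead of the SMTP commands carried in its body
    ("192.0.2.10", "203.0.113.7",
     b"POST / HTTP/1.0\r\nHost: mx.victim.example:25\r\nContent-Length: 90\r\n\r\n"
     b"HELO spammer.invalid\r\nMAIL FROM:<bogus@spammer.invalid>\r\n"
     b"RCPT TO:<victim@victim.example>\r\n"),
    # a probe checking whether the proxy will reach port 25 at all
    ("192.0.2.10", "203.0.113.9",
     b"GET / HTTP/1.0\r\nHost: 203.0.113.9\r\n\r\n"),
]

if __name__ == "__main__":
    for problem in audit_proxy_config(SAMPLE_CONFIG):
        print("config:", problem)
    for f in scan_smtp_connections(SAMPLE_CONNECTIONS):
        print(f"{f.src} -> {f.dst}:25  {f.verdict:17} {f.first_line}")
```

    One caveat for the detection side: a spammer who uses the proxy's CONNECT
    method gets a raw tunnel, so the bytes leaving the proxy look like plain
    SMTP and the first-bytes heuristic will not see any HTTP headers. For
    that case the signal is the source IP instead: a web server that opens
    outbound connections to port 25 of arbitrary hosts at all.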


