[discuss] Apache2 proxy open relay

From: Matti Airas (mairasiki.fi)
Date: Mon Oct 20 2003 - 05:51:28 CDT


Hi,

It seems that after upgrading Apache modules of my cooker computer to
2.0.47-8mdk on October 13th, an unlimited http proxy was opened in my
Apache. It was of course subsequently found and used to spew tons of
spam around.

What were the changes made to apache2 2.0.47-8mdk packages that might
have made such a change in mod_proxy? It seems that I already previously
had mod_proxy erroneously loaded but not used or configured. I think it
was now turned on during the rpm upgrade, however.

In httpd2.conf I have:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

In commonhttpd.conf there is a commented out example entry for mod_proxy
configuration. Yet, server-status shows:

Module Name: mod_proxy.c
Current Configuration:
        ProxyRequests On
        ProxyVia On

It seems the proxy was used first as a regular web proxy (!) by some
Chinese-speaking fellow interested in Q3A web forums, but later to send
spam through our internal mail server. An excerpt of the HTTP request
(captured by Ethereal) is given below:

POST http://130.233.32.17:25/ HTTP/1.1.
Content-type: application/octet-stream.
Content-length: 2653.
Host: 130.233.32.17.
.
HELO mail.hotnetspread.us.
MAIL FROM:<mogalonemidkeygroup.us>.
RCPT TO: <pentab7aol.com>.
RCPT TO: <tjhedaol.com>.
<etc.>

The SMTP server then gives an error on the HTTP headers, but then happily
accepts the SMTP message within, and sends the spam.

Does anyone have any insight on what has happened and why?

Best regards,

Matti Airas
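The abuse pattern in the post has two recognisable fingerprints: the request line carries an absolute URI ("POST http://host:25/ ...") instead of a path, which is what a forward-proxy request looks like, and the target port is 25 (or the body is a raw SMTP session). The following triage helpers, an added example that is not code from the original post or from Apache, classify captured requests and Apache combined-format access-log lines on those fingerprints. All sample input is constructed here: the relay request is re-assembled from the post's excerpt with CRLF line endings and example.com addresses, and the log lines, IP addresses and timestamps are invented.

```python
"""Triage of open-proxy abuse like the mod_proxy case in the post above.

Added example, not code from the original post or from Apache. It tells a
forward-proxy request (absolute URI or CONNECT in the request line) from an
ordinary origin request, and flags the SMTP-tunnelling pattern: a request
proxied to port 25, or a body that is a raw SMTP session.
"""
import re
from urllib.parse import urlsplit

# SMTP verbs at the start of a body line, for relays that use a non-25 port.
SMTP_VERBS = re.compile(rb"^(HELO|EHLO|MAIL FROM:|RCPT TO:|DATA)\b", re.I | re.M)
# Request line inside an Apache combined-format access log entry.
LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def proxy_target(method: str, target: str):
    """Return (host, port) when the request asks the server to act as a proxy.

    A forward-proxy request carries an absolute URI ("http://host:port/...")
    instead of a path; CONNECT carries "host:port". Returns None for an
    ordinary origin-form request such as "/server-status".
    """
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port)
    if "://" not in target:
        return None
    parts = urlsplit(target)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def verdict(method: str, target: str, body: bytes = b"") -> str:
    """Classify one request: origin, proxy-forward or proxy-smtp-relay."""
    dest = proxy_target(method, target)
    if dest is None:
        return "origin"
    if dest[1] == 25 or SMTP_VERBS.search(body):
        return "proxy-smtp-relay"
    return "proxy-forward"


def classify_request(raw: bytes) -> str:
    """Classify a raw captured request (e.g. one reassembled from a sniffer)."""
    method, target, _headers, body = parse_request(raw)
    return verdict(method, target, body)


def suspicious_log_entries(lines):
    """Return (index, verdict) for every access-log line that is a proxy request."""
    hits = []
    for i, line in enumerate(lines):
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        v = verdict(m.group("method"), m.group("target"))
        if v != "origin":
            hits.append((i, v))
    return hits


# Constructed sample: the spam-relay request from the post, re-assembled.
# Header values are kept from the post; the body is shortened and uses
# example.com addresses, so Content-length does not match the body here.
RELAY_REQUEST = (
    b"POST http://130.233.32.17:25/ HTTP/1.1\r\n"
    b"Content-type: application/octet-stream\r\n"
    b"Content-length: 2653\r\n"
    b"Host: 130.233.32.17\r\n"
    b"\r\n"
    b"HELO mail.example.net\r\n"
    b"MAIL FROM:<sender@example.com>\r\n"
    b"RCPT TO:<victim@example.org>\r\n"
    b"DATA\r\n"
)

# Constructed: the earlier "regular web proxy" use, and a normal local request.
WEB_PROXY_REQUEST = b"GET http://forums.example.com/q3a/ HTTP/1.1\r\nHost: forums.example.com\r\n\r\n"
LOCAL_REQUEST = b"GET /server-status HTTP/1.1\r\nHost: www.example.org\r\n\r\n"

# Constructed access-log lines in Apache combined format (invented clients).
ACCESS_LOG = [
    '10.0.0.5 - - [20/Oct/2003:05:51:28 +0300] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Oct/2003:05:52:01 +0300] "GET http://forums.example.com/q3a/ HTTP/1.1" 200 8765 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Oct/2003:06:14:44 +0300] "POST http://130.233.32.17:25/ HTTP/1.1" 200 344 "-" "-"',
    '198.51.100.7 - - [20/Oct/2003:06:15:02 +0300] "CONNECT 130.233.32.17:25 HTTP/1.0" 200 - "-" "-"',
]

if __name__ == "__main__":
    for raw in (RELAY_REQUEST, WEB_PROXY_REQUEST, LOCAL_REQUEST):
        print(raw.split(b"\r\n", 1)[0].decode(), "->", classify_request(raw))
    for i, v in suspicious_log_entries(ACCESS_LOG):
        print(f"log line {i}: {v}")
```

Any non-"origin" verdict on a server that is not meant to be a forward proxy means the configuration the post's server-status shows (ProxyRequests On with no <Proxy> restriction) is in effect. On Apache 2.0 the fix is ProxyRequests Off unless forward proxying is actually wanted; if it is, wrap it in a <Proxy *> block with Order deny,allow / Deny from all / Allow from the trusted networks, and confirm with server-status that the directive really changed, since a module can be loaded and configured by a file you did not expect, as happened here.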