Re: [discuss] Apache2 proxy open relay
From: gene (gene01@smalltime.com)
Date: Wed Oct 22 2003 - 02:37:55 CDT
I just got home from a long weekend to find someone was using my server
as an open proxy as well. I had a couple thousand lines like this in
my log:
67.64.143.73 - - [21/Oct/2003:00:17:11 -0700] "POST http://64.81.243.127:25/ HTTP/1.1" 200 823 "-" "-"
In /etc/httpd/conf.d/ I have a file called 99_local.conf which contains
the line
ProxyRequests Off
I discovered that this was being overridden by the "ProxyRequests On"
buried in commonhttpd.conf, which gets loaded after the conf.d/* files.
On Tuesday, October 21, 2003, at 11:05 AM, Vincent Danen wrote:
> On Mon Oct 20, 2003 at 01:51:28PM +0300, Matti Airas wrote:
>
>> It seems that after upgrading Apache modules of my cooker computer to
>> 2.0.47-8mdk on October 13th, an unlimited http proxy was opened in my
>> Apache. It was of course subsequently found and used to spew tons of
>> spam around.
>>
>> What were the changes made to apache2 2.0.47-8mdk packages that might
>> have made such a change in mod_proxy? It seems that I already previously
>> had mod_proxy erroneously loaded but not used or configured. I think it
>> was now turned on during the rpm upgrade, however.
>>
>> In httpd2.conf I have:
>> LoadModule proxy_module modules/mod_proxy.so
>> LoadModule proxy_http_module modules/mod_proxy_http.so
>>
>> In commonhttpd.conf there is a commented-out example entry for mod_proxy
>> configuration. Yet, server-status shows:
>>
>> Module Name: mod_proxy.c
>> Current Configuration:
>> ProxyRequests On
>> ProxyVia On
>>
>> It seems the proxy was used first as a regular web proxy (!) by some
>> Chinese-speaking fellow interested in Q3A web forums, but later to send
>> spam through our internal mail server. An excerpt of the HTTP request
>> (captured by Ethereal) is given below:
>>
>> POST http://130.233.32.17:25/ HTTP/1.1.
>> Content-type: application/octet-stream.
>> Content-length: 2653.
>> Host: 130.233.32.17.
>> .
>> HELO mail.hotnetspread.us.
>> MAIL FROM:<mogalone@midkeygroup.us>.
>> RCPT TO: <pentab7@aol.com>.
>> RCPT TO: <tjhed@aol.com>.
>> <etc.>
>>
>> The SMTP server then gives error on the HTTP headers, but then happily
>> accepts the SMTP message within, and sends the spam.
>>
>> Does anyone have any insight on what has happened and why?
>
> I can't duplicate this because apache chokes when I do the HELO part. But,
> can you do this for me and let me know if it corrects the problem?
>
> Edit /etc/httpd/conf.d/30_mod_proxy.conf and after ProxyRequests On
> put:
>
> <Proxy *>
> Order deny,allow
> Deny from all
> </Proxy>
>
> Does that prevent this from happening? It could just be that there are no
> permission checks by default (bad), so we should disallow the proxy from
> operating by default instead with the above.
>
> I'll fiddle some more, but if you can tell me if that fixes the problem that
> would be very helpful.
>
> --
> MandrakeSoft Security; http://www.mandrakesecure.net/
> Online Security Resource Book; http://linsec.ca/
> "lynx -source http://linsec.ca/vdanen.asc | gpg --import"
> {FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
>
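Two checks that follow from the thread, as an added example (not code from the posters, from Mandrake or from Apache): scan an Apache access log for forward-proxy requests and flag the ones aimed at mail ports, which is the "POST http://host:25/" relay pattern both gene and Matti saw; and walk a set of httpd config fragments in include order to see which ProxyRequests directive actually wins, which is the override gene found. The log lines (reusing the addresses quoted above plus documentation ranges), the file names and the config text are constructed for this example, and the function names are my own.

```python
"""Added example (not code from the thread, Mandrake or Apache): after an
incident like the one above, (1) find forward-proxy requests in the access
log and flag those aimed at mail ports, the "POST http://host:25/" relay
pattern the posters saw, and (2) work out which ProxyRequests directive
actually wins across included config files.  Log lines, file names and
config text are constructed for the example; function names are my own."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Common/combined log format: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed log: two relay POSTs like gene's, a local hit, a plain
# web-proxy fetch, and a CONNECT to a mail port.
SAMPLE_LOG = """\
67.64.143.73 - - [21/Oct/2003:00:17:11 -0700] "POST http://64.81.243.127:25/ HTTP/1.1" 200 823 "-" "-"
67.64.143.73 - - [21/Oct/2003:00:17:12 -0700] "POST http://64.81.243.127:25/ HTTP/1.1" 200 823 "-" "-"
10.0.0.5 - - [21/Oct/2003:00:18:00 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Oct/2003:00:19:30 -0700] "GET http://www.example.com/forum/ HTTP/1.0" 200 5120 "-" "-"
203.0.113.9 - - [21/Oct/2003:00:20:01 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"
"""


def proxy_target(request_line):
    """(host, port) if the request asks us to act as a forward proxy, else
    None.  Proxy requests use an absolute URI ("GET http://host/...") or
    CONNECT host:port; origin requests start with a bare path."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, (int(port) if port.isdigit() else 443)
    if "://" in target:
        url = urlsplit(target)
        if url.hostname:
            return url.hostname, url.port or (443 if url.scheme == "https" else 80)
    return None


def find_proxy_abuse(log_text, relay_ports=(25, 465, 587)):
    """Count proxied requests per client; list those aimed at mail ports."""
    proxied, mail_relays = Counter(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        target = proxy_target(m.group("request")) if m else None
        if target is None:
            continue                     # unparsable or not a proxy request
        client = m.group("client")
        proxied[client] += 1
        if target[1] in relay_ports:
            mail_relays.append((client, target[0], target[1]))
    return {"proxied_by_client": dict(proxied), "mail_relays": mail_relays}


# Constructed config reproducing gene's trap: "ProxyRequests Off" in conf.d/
# is beaten by an "On" in a file included later.
LOAD_ORDER = ["conf.d/30_mod_proxy.conf", "conf.d/99_local.conf", "commonhttpd.conf"]
SAMPLE_CONFIG_BROKEN = {
    "conf.d/30_mod_proxy.conf": "ProxyRequests On\nProxyVia On\n",
    "conf.d/99_local.conf": "ProxyRequests Off\n",
    "commonhttpd.conf": "# unrelated directives ...\nProxyRequests On\n",
}
# Hardened: proxying off, and <Proxy *> denies everyone (Vincent's block), so
# the server cannot relay even if ProxyRequests gets flipped on again.
SAMPLE_CONFIG_FIXED = dict(SAMPLE_CONFIG_BROKEN)
SAMPLE_CONFIG_FIXED["conf.d/30_mod_proxy.conf"] = (
    "ProxyRequests Off\n<Proxy *>\n    Order deny,allow\n    Deny from all\n</Proxy>\n")
SAMPLE_CONFIG_FIXED["commonhttpd.conf"] = "# ProxyRequests On  (left commented out)\n"


def effective_proxy_policy(files, load_order):
    """Server-level directives apply in include order and the last
    ProxyRequests wins (Apache's default with none at all is Off).
    <VirtualHost> scopes are not modelled."""
    winner, deny_all, in_proxy_star = None, False, False
    for name in load_order:
        for raw in files[name].splitlines():
            line = raw.split("#", 1)[0].strip()      # drop comments
            low = line.lower()
            if low.startswith("<proxy *>"):
                in_proxy_star = True
            elif low.startswith("</proxy>"):
                in_proxy_star = False
            elif in_proxy_star and low == "deny from all":
                deny_all = True
            elif low.startswith("proxyrequests "):
                winner = (line.split()[1].capitalize(), name)
    return {"proxyrequests": winner[0] if winner else "Off",
            "set_in": winner[1] if winner else None,
            "proxy_star_denies_all": deny_all}
```

Run against the constructed data, find_proxy_abuse() attributes two mail-port POSTs to 67.64.143.73 and one CONNECT to 203.0.113.9 while ignoring the local GET, and effective_proxy_policy() reports ProxyRequests On set in commonhttpd.conf for the broken layout and Off with a deny-all <Proxy *> block for the hardened one. The Order/Deny syntax is the Apache 2.0/2.2 form used in the thread; on 2.4 the equivalent inside <Proxy *> is Require all denied.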