Re: Attempts to push spam through apache

From: Gabriel Orozco (gabriel_orozcomx.sumida.com)
Date: Sat Aug 21 2004 - 23:51:47 CDT


Same thing happening with a client of mine, but with hundreds of different
clients. We had mod_proxy enabled there, but disabling it didn't help at
all.

I was forced to shut down apache. It's the 1.3.27 version that came with SuSE
9.1; with all the updates it is still 1.3.27.

I know there are other, newer apache versions, but SuSE doesn't have them. I
disabled apache until the client authorizes the fix proposed (upgrade from
sources).

I surfed the web for this vulnerability but found nothing.

Is anybody aware of this?

Regards
Gabriel

On Thu 19 Aug 2004 8:26 PM, Peter H. Lemieux wrote:
> My apache logs are recently full of entries like these:
>
> 211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25
> HTTP/1.0" 200 1844
>
> Obviously this is an effort to pump spam through my server to 208.17.33.40.
> There are many other target addresses as well.
>
> If I telnet to port 80 and enter the HTTP command
>
> CONNECT 208.17.33.40:25 HTTP/1.0
>
> the server replies with the 1844-byte home page of this site, as indicated
> by the "200 1844" part of the log entry. As far as I can tell, this means
> that these exploit attempts only get a web page in reply and are not able
> to push the spam through to the intended target.
>
> I don't have mod_proxy enabled or anything else that would enable proxying
> to work. Are these just random spammer attempts to find an open proxy?
> The fact that there are nearly 35,000 (!) such entries over the past few
> days suggests that the spammer, or the spammer's software, thinks this
> exploit is succeeding. How can I be sure that it's not?
>
> I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be certain
> that others can't use the same exploit. I tried a variety of Google
> searches but haven't found a useful page to read on this subject.
>
> Some months ago someone used the recent mod_ssl vulnerability and managed
> to install an IRC proxy on this server. However I fixed those problems at
> the time, and there's no evidence that any unauthorized programs, e.g.,
> proxies, are now running. (No, there are no rootkits installed, nor is the
> ps binary compromised, etc. I'm well aware of such possibilities.)
> Perhaps the machine was just added to a list of potentially vulnerable
> servers, and someone else is trying to take advantage of me, even though
> it's no longer possible?
>
> FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
> exploits only work if there is an open http proxy available, no?
>
>
> Peter
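The check Peter describes by hand (a CONNECT that gets a 200 whose byte count equals the static home page was answered by the default handler, not tunnelled) can be run over the whole access log. The following script is an added example, not code from either poster: it parses Apache common log format lines shaped like the entry quoted above, classifies every CONNECT request, and summarises sources and requested target ports. The log lines are constructed for the example (RFC 5737 documentation addresses plus the IP quoted in the thread); the 1844-byte home page size is taken from the thread, and the "review" class is a heuristic for a 200 whose size does not match the home page, which is the case that would warrant a closer look.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format, modelled on the entry
# quoted in the thread. Addresses are documentation ranges, not real targets.
SAMPLE_LOG = """\
211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844
211.100.24.173 - - [19/Aug/2004:21:03:49 -0400] "CONNECT 208.17.33.41:25 HTTP/1.0" 200 1844
203.0.113.7 - - [19/Aug/2004:21:05:02 -0400] "GET /index.html HTTP/1.1" 200 1844
198.51.100.9 - - [19/Aug/2004:21:06:10 -0400] "CONNECT 192.0.2.20:25 HTTP/1.0" 405 312
203.0.113.7 - - [19/Aug/2004:21:07:00 -0400] "CONNECT 192.0.2.21:25 HTTP/1.0" 200 0
this line is not a log entry and is skipped
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def classify_connect(entry, homepage_bytes):
    """Classify a CONNECT request; returns None for any other method.

    rejected        - non-200 status, the server refused the method
    served-homepage - 200 with exactly the static home page size: the request
                      fell through to the default handler, nothing was relayed
    review          - 200 with a different size: heuristic, look at it by hand
    """
    if entry["method"] != "CONNECT":
        return None
    if entry["status"] != 200:
        return "rejected"
    if entry["bytes"] == homepage_bytes:
        return "served-homepage"
    return "review"


def analyze(log_text, homepage_bytes):
    """Summarise CONNECT activity in a block of access-log text."""
    classes = Counter()
    sources = Counter()
    ports = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify_connect(entry, homepage_bytes)
        if verdict is None:
            continue
        classes[verdict] += 1
        sources[entry["ip"]] += 1
        # target is host:port; the port tells you what the relay was aimed at
        ports[entry["target"].rsplit(":", 1)[-1]] += 1
    return {"classes": classes, "sources": sources, "ports": ports}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, homepage_bytes=1844)
    for name, counter in report.items():
        print(name, dict(counter))
```

Feed it the real access log and the byte size of whatever the server returns for a bare request, and anything in the "review" bucket is what to inspect; a pure "served-homepage" population is the log-side confirmation of what Peter observed by telnet. Independently of the log check, Apache 1.3 can refuse the method outright with a `<LimitExcept GET POST HEAD>` block that denies everything else, so the 200 never appears in the first place.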