Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Attempts to push spam through apache

from [Andy Smith] Network Security [Permanent Link]
Subject: Re: Attempts to push spam through apache
Date: Sat, 21 Aug 2004 23:36:07 -0500
If the machine was compromised once then it is likely published somewhere...if you are lucky. If you are not lucky then someone has managed to install something more stealthy and evil than an IRC proxy. Taking the machine down to bare metal might not be a bad idea. If at all possible change the IP and DNS names whether it is nuked and paved over or not. The log entries could mean nothing, or they could mean something nasty is lurking on the box. IMHO you have to assume the latter.

Regards,
Andy

Peter H. Lemieux wrote: 
My apache logs are recently full of entries like these:

211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844

Obviously this is an effort to pump spam through my server to 208.17.33.40. There are many other target addresses as well.

If I telnet to port 80 and enter the HTTP command

    CONNECT 208.17.33.40:25 HTTP/1.0

the server replies with the 1844-byte home page of this site, as indicated by the "200 1844" part of the log entry. As far as I can tell, this means that these exploit attempts only get a web page in reply and are not able to push the spam through to the intended target.

I don't have mod_proxy enabled or anything else that would enable proxying to work. Are these just random spammer attempts to find an open proxy? The fact that there are nearly 35,000 (!) such entries over the past few days suggests that the spammer, or the spammer's software, thinks this exploit is succeeding. How can I be sure that it's not?

I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be certain that others can't use the same exploit. I tried a variety of Google searches but haven't found a useful page to read on this subject.

Some months ago someone used the recent mod_ssl vulnerability and managed to install an IRC proxy on this server. However I fixed those problems at the time, and there's no evidence that any unauthorized programs, e.g., proxies, are now running. (No, there are no rootkits installed, nor is the ps binary compromised, etc. I'm well aware of such possibilities.) Perhaps the machine was just added to a list of potentially vulnerable servers, and someone else is trying to take advantage of me, even though it's no longer possible?

FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of exploits only work if there is an open http proxy available, no?


Peter



--
--------------------------
Andy Smith, MCP
wasmith32@earthlink.net
--------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: can Hopster traffic be blocked?, Stefan Osterlitz
Next by Date:  Re: Attempts to push spam through apache, Gabriel Orozco
Previous by Thread:  Attempts to push spam through apache, Peter H. Lemieux
Next by Thread:  Re: Attempts to push spam through apache, Gabriel Orozco
Indexes:  [Date] [Thread] [Top] [All Lists]