Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Attempts to push spam through apache

from [Gabriel Orozco] Network Security [Permanent Link]
Subject: Re: Attempts to push spam through apache
Date: Sat, 21 Aug 2004 23:51:47 -0500 
Same thing happening with a client of mine, but with hundreds of different 
clients. we had mod_proxy enabled there, but disabling it didn't helped at 
all.

I was forced to shutdown apache. it's the 1.3.27 version that came with SuSE 
9.1, with all the updates it continues being 1.3.27.

I know there are other, newer apache versions, but SuSE doesn't have them. I 
disabled apache until the client authorizes the fix proposed (upgrade from 
sources).

I surf the web for this vulnerability but nothing found.

Is anybody aware of this?

Regards
Gabriel


El Jue 19 Ago 2004 8:26 PM, Peter H. Lemieux escribió:

My apache logs are recently full of entries like these:

211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25
HTTP/1.0" 200 1844

Obviously this is an effort to pump spam through my server to 208.17.33.40.
  There are many other target addresses as well.

If I telnet to port 80 and enter the HTTP command

      CONNECT 208.17.33.40:25 HTTP/1.0

the server replies with the 1844-byte home page of this site, as indicated
by the "200 1844" part of the log entry.  As far as I can tell, this means
that these exploit attempts only get a web page in reply and are not able
to push the spam through to the intended target.

I don't have mod_proxy enabled or anything else that would enable proxying
to work.  Are these just random spammer attempts to find an open proxy? 
The fact that there are nearly 35,000 (!) such entries over the past few
days suggests that the spammer, or the spammer's software, thinks this
exploit is succeeding.  How can I be sure that it's not?

I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be certain
that others can't use the same exploit.  I tried a variety of Google
searches but haven't found a useful page to read on this subject.

Some months ago someone used the recent mod_ssl vulnerability and managed
to install an IRC proxy on this server.  However I fixed those problems at
the time, and there's no evidence that any unauthorized programs, e.g.,
proxies, are now running.  (No, there are no rootkits installed, nor is the
ps binary compromised, etc.  I'm well aware of such possibilities.) 
Perhaps the machine was just added to a list of potentially vulnerable
servers, and someone else is trying to take advantage of me, even though
it's no longer possible?

FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of
exploits only work if there is an open http proxy available, no?


Peter
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Attempts to push spam through apache, Andy Smith
Next by Date:  Re: Attempts to push spam through apache, Peter H. Lemieux
Previous by Thread:  Re: Attempts to push spam through apache, Andy Smith
Next by Thread:  Re: Attempts to push spam through apache, David Benfell
Indexes:  [Date] [Thread] [Top] [All Lists]