
| Subject: | RE: Attempts to push spam through apache |
|---|---|
| Date: | Sun, 22 Aug 2004 12:25:13 +0530 |
Hi,

The following links might be related; you might want to read them:

Spammers use open Apache proxies
http://www.apacheweek.com/issues/03-07-25#security

Controlling access to your proxy
http://httpd.apache.org/docs/mod/mod_proxy.html#access

#Ashish

-----Original Message-----
From: Peter H. Lemieux [mailto:phl@cyways.com]
Sent: Thursday, August 19, 2004 7:26 PM
To: focus-linux@securityfocus.com
Subject: Attempts to push spam through apache

My apache logs are recently full of entries like these:

    211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844

Obviously this is an effort to pump spam through my server to 208.17.33.40. There are many other target addresses as well. If I telnet to port 80 and enter the HTTP command

    CONNECT 208.17.33.40:25 HTTP/1.0

the server replies with the 1844-byte home page of this site, as indicated by the "200 1844" part of the log entry. As far as I can tell, this means that these exploit attempts only get a web page in reply and are not able to push the spam through to the intended target. I don't have mod_proxy enabled or anything else that would enable proxying to work.

Are these just random spammer attempts to find an open proxy? The fact that there are nearly 35,000 (!) such entries over the past few days suggests that the spammer, or the spammer's software, thinks this exploit is succeeding. How can I be sure that it's not? I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be certain that others can't use the same exploit. I tried a variety of Google searches but haven't found a useful page to read on this subject.

Some months ago someone used the recent mod_ssl vulnerability and managed to install an IRC proxy on this server. However, I fixed those problems at the time, and there's no evidence that any unauthorized programs, e.g., proxies, are now running. (No, there are no rootkits installed, nor is the ps binary compromised, etc. I'm well aware of such possibilities.)

Perhaps the machine was just added to a list of potentially vulnerable servers, and someone else is trying to take advantage of me, even though it's no longer possible? FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types of exploits only work if there is an open http proxy available, no?

Peter
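A log-side check of the kind the original poster asks for, added here as an example that is not part of the thread: parse Apache access-log lines, isolate CONNECT requests, and separate responses that are clearly the server's own home page (status 200 with the site's page size, 1844 bytes in the post) from any other outcome that deserves a closer look. The sample log lines are constructed for the example; the home-page size is assumed to be known to the administrator.

```python
import re
from collections import Counter

# Apache common log format, as quoted in the thread:
# 211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log (first line copies the entry quoted in the post).
SAMPLE_LOG = """\
211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844
211.100.24.173 - - [19/Aug/2004:21:03:49 -0400] "CONNECT 64.12.138.161:25 HTTP/1.0" 200 1844
211.100.24.173 - - [19/Aug/2004:21:03:50 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 3127
192.0.2.10 - - [19/Aug/2004:21:04:00 -0400] "GET /index.html HTTP/1.1" 200 1844
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def audit_connect(log_text, homepage_size):
    """Classify CONNECT requests in the log.

    A 200 whose body is exactly the home page is the 'served a web page,
    nothing relayed' case the poster describes. Any other status or body
    size for a CONNECT is collected for manual review, and per-source and
    per-target counts show how the attempts are distributed."""
    report = {"benign": 0, "suspect": [], "sources": Counter(), "targets": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        report["sources"][rec["src"]] += 1
        report["targets"][rec["target"]] += 1
        if rec["status"] == "200" and rec["size"] == homepage_size:
            report["benign"] += 1
        else:
            report["suspect"].append(line.strip())
    return report
```

A CONNECT that returns something other than the home page (different size, or a 2xx with a small body) is the line worth investigating, since a working forward proxy would not be serving the site's own content.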