apache httpd as spam source

  1. #1 Junior Member (joined Jun 2004, 2 posts)

    apache httpd as spam source

    When I read my Apache access log, I found these strange lines:
    200.51.38.2 - - [01/Sep/2004:21:41:55 +0700] "POST http://200.51.38.2:25/ HTTP/1.0" 200 1114 "-" "-"
    168.61.4.12 - - [01/Sep/2004:22:56:03 +0700] "POST http://168.61.5.196:25/ HTTP/1.0" 200 1114 "-" "-"

    As far as I know, these lines tell us that my Apache server is being used by somebody on 200.51.38.2 and 168.61.4.12, posting something to another SMTP server, and the SMTP server replies OK. Is this a new way to send spam? Can anybody tell me how to fix this?

  2. #2 AO Ancient: Team Leader (joined Oct 2002, 5,197 posts)
    I think your Apache is misconfigured..... Don't ask me a darned thing about it because I don't know anything about Apache. But I was reading up on a specific Honeypot project just the other day where they set out a Honeyproxy using Apache misconfigured so that it would relay requests.

    The first response in this google search gives the actual incident but what I was reading was a different document about the same thing. It showed how the misconfiguration was done. Maybe it's buried in some of the other responses too.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3 AO French Antique News Whore (joined Aug 2001, 2,126 posts)
    If you run PHP on Apache, there is a PHP function that can be used to send email if your Apache configuration is not done correctly. I don't know a lot about Apache either, but your best bet would be to disable the function in your Apache config file!
    -Simon "SDK"

  4. #4 nebulus200, Jaded Network Admin (joined Jun 2002, 1,356 posts)

    Re: apache httpd as spam source

    The columns are as such:
    <source ip> <identd> <username> <date> <request> <method> <return code> <bytes> <referer> <client>

    Originally posted here by spyderman202020
    When I read my Apache access log, I found these strange lines:
    200.51.38.2 - - [01/Sep/2004:21:41:55 +0700] "POST http://200.51.38.2:25/ HTTP/1.0" 200 1114 "-" "-"
    168.61.4.12 - - [01/Sep/2004:22:56:03 +0700] "POST http://168.61.5.196:25/ HTTP/1.0" 200 1114 "-" "-"

    As far as I know, these lines tell us that my Apache server is being used by somebody on 200.51.38.2 and 168.61.4.12, posting something to another SMTP server, and the SMTP server replies OK. Is this a new way to send spam? Can anybody tell me how to fix this?
    A couple of questions:

    1) Do you have PHP on this server?
    2) Do you have mod_rewrite or mod_proxy installed in Apache?

    I almost wonder whether you haven't typo'd something in a php script on your webserver...regardless, I have seen Apache used to proxy traffic, either as a result of having mod_proxy running and/or allowing the CONNECT method; however, the traffic you are showing doesn't match with that. If you haven't done it already, you should consider limiting the methods allowed on the web server:

    You can use the <LimitExcept> method in the configuration file to limit access, I have something along the lines of :
    Code:
        AllowOverride None
        <LimitExcept POST GET OPTIONS>
         ..
         ..
        </LimitExcept>
    This limits access to the web server to OPTIONS (to see what's allowed) and GET/POST only.

    I guess I will wait to see what your answer to mod_proxy and PHP are before rambling on anymore
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
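To make the column breakdown and the proxy diagnosis in this post concrete, here is a small Python checker (added for this thread, not code from any poster) that parses combined-format lines into those fields and flags request lines whose target is an absolute URI or a CONNECT host:port rather than a path, i.e. requests asking httpd to act as a forward proxy, and singles out the ones aimed at mail ports. Input is the two lines from the original post plus two constructed ones; the 192.0.2.10, 198.51.100.7 and 203.0.113.5 addresses are documentation ranges used as placeholders.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format, in the column order nebulus200 lists above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SMTP_PORTS = {25, 465, 587}

def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def target_port(method, target):
    """Port the client asked httpd to reach, or None for an ordinary path request.
    An absolute URI or a CONNECT host:port target means httpd is used as a proxy."""
    if method == "CONNECT" and target.rsplit(":", 1)[-1].isdigit():
        return int(target.rsplit(":", 1)[1])
    if "://" in target:
        parts = urlsplit(target)
        return parts.port or (443 if parts.scheme == "https" else 80)
    return None

def scan(lines):
    """(client ip, target, port, relayed) for every proxy-style request; relayed is
    True when httpd answered 2xx, i.e. it forwarded the request and the far end accepted it."""
    hits = []
    for line in lines:
        e = parse_line(line)
        port = target_port(e["method"], e["target"]) if e else None
        if port is not None:
            hits.append((e["ip"], e["target"], port, e["status"].startswith("2")))
    return hits

def smtp_relays(lines):
    """Only the hits aimed at mail ports: the spam-relay pattern in this thread."""
    return [h for h in scan(lines) if h[2] in SMTP_PORTS]

# The thread's two lines plus two constructed ones: a normal hit and a refused CONNECT.
SAMPLE_LOG = [
    '200.51.38.2 - - [01/Sep/2004:21:41:55 +0700] "POST http://200.51.38.2:25/ HTTP/1.0" 200 1114 "-" "-"',
    '168.61.4.12 - - [01/Sep/2004:22:56:03 +0700] "POST http://168.61.5.196:25/ HTTP/1.0" 200 1114 "-" "-"',
    '192.0.2.10 - - [01/Sep/2004:23:00:00 +0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Sep/2004:00:10:00 +0700] "CONNECT 203.0.113.5:25 HTTP/1.0" 405 0 "-" "-"',
]
```

Running `smtp_relays(SAMPLE_LOG)` reports the thread's two POSTs as relayed (2xx) and the constructed CONNECT as refused; the normal GET is not reported at all.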

  5. #5 Just Another Geek (joined Jul 2002, Rotterdam, Netherlands, 3,401 posts)
    You've (mis?)configured your Apache to run as a proxy. You've also enabled your proxy for the whole world to enjoy.

    This is a sure way of getting your Internet account nuked by your provider!

    For more info see this thread on Bugtraq:
    http://www.securityfocus.com/archive...1/2003-07-27/0
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6 Senior Member (joined Jan 2002, 1,207 posts)
    It should not accept such requests at all unless it's configured to act as a proxy (Which is not the default).

    If it's configured to act as a proxy, you should probably have some better security on it which does not allow people to do the above.

    Check that your proxy server settings are right.

    Slarty

  7. #7 Junior Member (joined Jun 2004, 2 posts)

    Thanks

    Thanks guys,
    It looks like I have misconfigured my Apache server, allowing the mod_proxy and mod_rewrite modules to be activated although I do not need them right now.
    But if I need them in the future, they should only be active for the GET method, just as nebulus200 said.

  8. #8 Just Another Geek (joined Jul 2002, Rotterdam, Netherlands, 3,401 posts)
    Well, if you want to run a proxy for your users you should also enable POST. Otherwise your users might run into trouble when filling out a webform.

    But you should restrict who can use your proxy. It should only be accessible to your users, not the entire big bad Internet.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9 nebulus200, Jaded Network Admin (joined Jun 2002, 1,356 posts)
    spyderman202020, you should allow the methods that I mentioned. POST is a normal operation that will be needed if you run any kind of forms on your webserver (you could use GET, but using POST is common as well, so if you aren't sure, go ahead and allow it). GET is an absolute requirement, you do want to serve pages, right? I would also go ahead and allow OPTIONS; a lot of web clients will issue this request first to figure out what is allowed, and if you have limited it like suggested, telling them it is limited is, IMHO, ok.

    Anyway, be careful limiting the methods, you can down yourself very quickly if you don't know too well what is going on
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  10. #10 Junior Member (joined Oct 2004, 1 post)
    I have the same problem, look at my access log :

    4.227.109.221 - - [12/Oct/2004:13:59:23 +0700] "POST http://x.x.x.x:25/ HTTP/1.1" 200 7042 "-" "-"

    I use Apache httpd 2.0.48 as I got it from Mandrake Linux 9.2 (I know I should upgrade to 2.0.52 ;-> I plan to do it in the next day), but the strange thing is that I never load the proxy module or the rewrite module. I need to know more about what is wrong, for I am afraid it will happen again even if I upgrade to the new version.
    This is my configuration :

    LoadModule access_module modules/mod_access.so
    LoadModule auth_module modules/mod_auth.so
    LoadModule auth_anon_module modules/mod_auth_anon.so
    ##LoadModule auth_dbm_module modules/mod_auth_dbm.so
    LoadModule auth_digest_module modules/mod_auth_digest.so
    ##LoadModule charset_lite_module modules/mod_charset_lite.so
    ##LoadModule case_filter_module modules/mod_case_filter.so
    ##LoadModule case_filter_in_module modules/mod_case_filter_in.so
    ##LoadModule ext_filter_module modules/mod_ext_filter.so
    LoadModule include_module modules/mod_include.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule logio_module modules/mod_logio.so
    LoadModule env_module modules/mod_env.so
    ##LoadModule mime_magic_module modules/mod_mime_magic.so
    ##LoadModule cern_meta_module modules/mod_cern_meta.so
    LoadModule expires_module modules/mod_expires.so
    #LoadModule headers_module modules/mod_headers.so
    LoadModule usertrack_module modules/mod_usertrack.so
    ##LoadModule unique_id_module modules/mod_unique_id.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule asis_module modules/mod_asis.so
    LoadModule info_module modules/mod_info.so
    LoadModule cgi_module modules/mod_cgi.so
    ##LoadModule cgid_module modules/mod_cgid.so
    LoadModule vhost_alias_module modules/mod_vhost_alias.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule dir_module modules/mod_dir.so
    #LoadModule imap_module modules/mod_imap.so
    #LoadModule actions_module modules/mod_actions.so
    ##LoadModule speling_module modules/mod_speling.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule alias_module modules/mod_alias.so
    #LoadModule rewrite_module modules/mod_rewrite.so

    Are there any other modules that should be disabled too?

    Compiled in modules:
    core.c
    prefork.c
    http_core.c
    mod_so.c

    Please help.
