apache httpd as spam source

Printable View

September 17th, 2004, 08:30 AM
spyderman202020

apache httpd as spam source

When I read my apache access log, I found thise strange lines :
200.51.38.2 - - [01/Sep/2004:21:41:55 +0700] "POST http://200.51.38.2:25/ HTTP/1.0" 200 1114 "-" "-"
168.61.4.12 - - [01/Sep/2004:22:56:03 +0700] "POST http://168.61.5.196:25/ HTTP/1.0" 200 1114 "-" "-"
1

As far as I know, these lines told us that my apache server is used by somebody on 200.51.38.2 and 168.61.4.12, posting something to another smtp server, and the smtp server replies OK. Is this a new way to send spam :mad: ? anybody can tell how to fix this ?
September 17th, 2004, 10:49 AM
Tiger Shark

I think your Apache is misconfigured..... Don't ask me a darned thing about it because I don't know anything about Apache. But I was reading up on a specific Honeypot project just the other day where they set out a Honeyproxy using Apache misconfigured so that it would relay requests.

The first response in this google search gives the actual incident but what I was reading was a different document about the same thing. It showed how the misconfiguration was done. Maybe it's buried in some of the other responses too.
September 17th, 2004, 02:17 PM
SDK

If you run PHP on Apache, their is a php function that can be use to send email if your Apache configuration is not done correctly. I don't know a lot about Apache also but your best bet would be to disabled the function in your Apache config file!
September 17th, 2004, 02:28 PM
nebulus200

Re: apache httpd as spam source

The columns are as such:
<source ip> <identd> <username> <date> <request> <method> <return code> <bytes> <referer> <client>

Quote:

Originally posted here by spyderman202020
When I read my apache access log, I found thise strange lines :
200.51.38.2 - - [01/Sep/2004:21:41:55 +0700] "POST http://200.51.38.2:25/ HTTP/1.0" 200 1114 "-" "-"
168.61.4.12 - - [01/Sep/2004:22:56:03 +0700] "POST http://168.61.5.196:25/ HTTP/1.0" 200 1114 "-" "-"
1

As far as I know, these lines told us that my apache server is used by somebody on 200.51.38.2 and 168.61.4.12, posting something to another smtp server, and the smtp server replies OK. Is this a new way to send spam :mad: ? anybody can tell how to fix this ?

A couple of questions:

1) Do you have PHP on this server?
2) Do you have mod_rewrite or mod_proxy installed in Apache?

I almost wonder whether you haven't typo'd something in a php script on your webserver...regardless, I have seen Apache used to proxy traffic, either as a result of having mod_proxy running and/or allowing the CONNECT method; however, the traffic you are showing doesn't match with that. If you haven't done it already, you should consider limiting the methods allowed on the web server:

You can use the <LimitExcept> method in the configuration file to limit access, I have something along the lines of :

Code:

AllowOverride None <LimitExcept POST GET OPTIONS> .. .. </LimitExcept>

This limits access to the web server only to OPTIONS (to see whats allowed) and GET/POST.

I guess I will wait to see what your answer to mod_proxy and PHP are before rambling on anymore :)
September 20th, 2004, 10:49 AM
SirDice

You've (mis?)configured your Apache to run as a proxy. You've also enabled your proxy for the whole world to enjoy.

This is a sure way of getting your Internet account nuked by your provider!

For more info see this thread on Bugtraq:
http://www.securityfocus.com/archive...1/2003-07-27/0
September 20th, 2004, 11:17 AM
slarty

It should not accept such requests at all unless it's configured to act as a proxy (Which is not the default).

If it's configured to act as a proxy, you should probably have some better security on it which does not allow people to do the above.

Check that your proxy server settings are right.

Slarty
September 21st, 2004, 06:59 AM
spyderman202020

Thanks

Thanks guys,
It looks like I have misconfigured my apache server, allowing mod_proxy and mod_rewrite module to be activated, although I do not need them right now.
But if I need them in the future, this should be only active for GET method only, just as nebulus200 said.
September 21st, 2004, 09:41 AM
SirDice

Well, if you want to run a proxy for your users you should also enable POST. Otherwise your users might run into trouble when filling out a webform.

But you should restrict who can use your proxy. It should only be accessable by your users, not the entire big bad Internet.
September 21st, 2004, 03:21 PM
nebulus200

spyderman202020, you should allow the methods that I mentioned. POST is a normal operation that will be needed if you run any kind of forms on your webserver (you could use GET, but using POST is common as well, but if you aren't sure, go ahead and run it). GET is an absolute requirement, you do want to serve pages right ? :) I would also go ahead and run OPTIONS, alot of web clients will issue this request first to figure out what is allowed and if you have limited it like suggested, telling them it is limited is IMHO, ok :)

Anyway, be careful limiting the methods, you can down yourself very quickly if you don't know too well what is going on :)
October 12th, 2004, 09:17 AM
sholeh_setyawan

I have the same problem, look at my access log :

4.227.109.221 - - [12/Oct/2004:13:59:23 +0700] "POST http://x.x.x.x:25/ HTTP/1.1" 200 7042 "-" "-"

I use apache httpd 2.0.48 as I got from Mandrake Linux 9.2 (I know I should upgrade to 2.0.52 ;-> I plan it next day), but the strange condition is I never load proxy module or rewrite module. I need to know more what is wrong, for I am afraid it will happen again although I upgrade to the new version.
This is my configuration :

LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
##LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule auth_digest_module modules/mod_auth_digest.so
##LoadModule charset_lite_module modules/mod_charset_lite.so
##LoadModule case_filter_module modules/mod_case_filter.so
##LoadModule case_filter_in_module modules/mod_case_filter_in.so
##LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
##LoadModule mime_magic_module modules/mod_mime_magic.so
##LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
#LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
##LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule cgi_module modules/mod_cgi.so
##LoadModule cgid_module modules/mod_cgid.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
#LoadModule imap_module modules/mod_imap.so
#LoadModule actions_module modules/mod_actions.so
##LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so

Is there any other modules should be disabled too ?

Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c

Please help.