[HLUG] Ref using my machine as a relay!!

Alex Mace alex at hollytree.co.uk
Wed Apr 26 18:11:18 BST 2006


That seems quite likely to me - CONNECT is apparently reserved for a
connection that can switch to being a tunnel, so it's probably someone
looking for an open HTTP tunnel that they can use to connect to a mail
server for whatever reason. Probably to send some spam out. However, if
PHP is catching the CONNECT method then you shouldn't have anything to
worry about.

Alex

-----Original Message-----
From: herefordshire-bounces at mailman.lug.org.uk
[mailto:herefordshire-bounces at mailman.lug.org.uk] On Behalf Of John
Hedges
Sent: 26 April 2006 12:52
To: Herefordshire Linux Users Group.
Subject: Re: [HLUG] Ref using my machine as a relay!!


> > I run an apache webserver on my machine as I host 4 websites. I 
> > think I am having a problem with someone relaying data through 
> > apache although I don't have the proxy mod installed. I won't attach 
> > the whole log file but the relevant parts.
> >
> > www.kungfu.dyndns.org 212.95.252.16 - - [12/Mar/2006:02:25:10 +0000] "GET / HTTP/1.0" 200 1593 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> >
> > 192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:54:58 +0000] "CONNECT 210.200.181.194:25 HTTP/1.0" 200 16249 "-" "-"
> > 192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:55:03 +0000] "CONNECT 210.200.181.194:25 HTTP/1.0" 200 16249 "-" "-"
> > 192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:55:13 +0000] "CONNECT 210.200.181.193:25 HTTP/1.0" 200 16249 "-" "-"
> 
> These messages indicate that someone is connecting to your webserver 
> and using the CONNECT method to connect to a remote mailserver.  The fact 
> that it's returning 200 is a concern; however, if mod_proxy is not 
> loaded then I can't see how it succeeded.  I would have a go myself but
> the myriad of firewalls and proxies here at work won't allow it, I'll 
> try at home later.
> 
> One thing you can try yourself is:
> 
> $ telnet www.kungfu.dyndns.org 80
> 
> Then type
> 
> CONNECT 210.200.181.193:25 HTTP/1.0
> 
> and press return twice.  Then post the result back to the list.

This could be an issue with PHP handling all requests regardless of the
method and returning a default page for your installation. Here are a
couple of links from a Google search 'apache php connect method'
describing possible workarounds.

http://mail-archives.apache.org/mod_mbox/httpd-users/200506.mbox/%3C8C29B2F93BAE9047A906EF6D6F9C5D4330766E at exchange2k301.gaia.fr%3E
http://bugs.php.net/bug.php?id=19113

It doesn't seem to pose a security threat, despite the misleading log
messages.

Cheers

John




_______________________________________________
Herefordshire mailing list
Herefordshire at mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/herefordshire
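The thread turns on two questions a log reviewer would want answered quickly: how many CONNECT requests reached the server and got a 2xx, and whether the responses look like a real tunnel or the same default page served every time. Below is an added example, not code from the list or from either poster, that parses access-log lines in the vhost-prefixed format quoted above and answers both. The sample log is constructed for the example: the three CONNECT records from the thread split onto one line each, the GET record, and one extra CONNECT answered with 403 (what a server that refuses the method would log; that line is invented, not from the thread). The regex, function names and the "same byte count for every target" heuristic are this example's own assumptions.

```python
import re
from collections import Counter

# Apache access-log line with a leading virtual-host field, as in the
# lines quoted in the thread:
#   vhost client ident user [time] "METHOD target HTTP/x.y" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)'
)

# Constructed sample: the thread's records, one per line, plus a constructed
# CONNECT answered with 403 to show what a refusing server would log.
SAMPLE_LOG = """\
www.kungfu.dyndns.org 212.95.252.16 - - [12/Mar/2006:02:25:10 +0000] "GET / HTTP/1.0" 200 1593 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:54:58 +0000] "CONNECT 210.200.181.194:25 HTTP/1.0" 200 16249 "-" "-"
192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:55:03 +0000] "CONNECT 210.200.181.194:25 HTTP/1.0" 200 16249 "-" "-"
192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:55:13 +0000] "CONNECT 210.200.181.193:25 HTTP/1.0" 200 16249 "-" "-"
192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:55:20 +0000] "CONNECT 210.200.181.193:25 HTTP/1.0" 403 226 "-" "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_connect_attempts(log_text):
    """Return every parsed record whose request method is CONNECT."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if r and r["method"] == "CONNECT"]


def summarize(connect_records):
    """Count CONNECT attempts, how many got a 2xx, and who asked for what."""
    ok = [r for r in connect_records if 200 <= r["status"] < 300]
    return {
        "attempts": len(connect_records),
        "answered_2xx": len(ok),
        "clients": Counter(r["client"] for r in connect_records),
        "targets": Counter(r["target"] for r in connect_records),
        "ok_sizes": Counter(r["bytes"] for r in ok),
    }


def looks_like_static_page(connect_records):
    """True when every 2xx CONNECT got a response of exactly the same size.

    A working tunnel relays whatever the remote mail server sends, so byte
    counts would vary by target and session; an identical count for every
    target is what a default page served regardless of method looks like,
    which is the explanation the thread settles on.
    """
    sizes = {r["bytes"] for r in connect_records if 200 <= r["status"] < 300}
    return len(sizes) == 1


if __name__ == "__main__":
    hits = find_connect_attempts(SAMPLE_LOG)
    s = summarize(hits)
    print(f"{s['attempts']} CONNECT attempts, {s['answered_2xx']} answered 2xx")
    for client, n in s["clients"].most_common():
        print(f"  {client}: {n} attempts")
    for target, n in s["targets"].most_common():
        print(f"  target {target}: {n}")
    print("same-size 2xx responses (default page, not a tunnel):",
          looks_like_static_page(hits))
```

The size check is a heuristic, not proof: the definitive test is the telnet check John describes, or confirming that mod_proxy is not loaded and `ProxyRequests` is off. Where a site only needs a few methods, Apache's `<LimitExcept GET POST HEAD>` block can refuse the rest outright so that CONNECT is logged with a 403 rather than a 200, which also stops the misleading log entries.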