[Gllug] What's going on?

Adrian McMenamin Adrian.McMenamin at britainineurope.org.uk
Tue Nov 19 12:33:34 UTC 2002




On Tue, 2002-11-19 at 12:04, Jason Clifford wrote:
> > An entry like this has appeared twice in my apache server log in the
last 24
> > hours:
> > pool-141-150-114-101.mad.east.verizon.net - - [18/Nov/2002:08:26:41
+0000]
> > "CONNECT mx00.earthlink.net:25 HTTP/1.0" 405 302 "-" "-"
> > 
> > Earthlink say it is nothing to be concerned about (no reply from
verizon) -
> > but it looks very odd to me - why is someone trying to get our web
server to
> > attach themselves to their mail server?
> Indeed. This is a favoured tactic of many spammers.

yup spammers have moved on to hitting open CONNECT and SOCKS proxies in
preference to open smtp relays and they're harder to pin down and get
decent logging out of to determine the source of the spam.

[...]
> I do wonder why you are running a public web proxy. Do you really need to?
> If not set up your acls properly.

It's probably more a case of a default apache install with mod_proxy
included and (partially?) configured.  Certainly the response indicates
that it's been rejected properly, however it is going to be worth
removing the proxy functionality if it's not needed as certain other
'less savoury' types will use open web proxies for scanning for other
security holes or trying to download large amounts of copyright
infringing material or scamming off the likes of porn sites.  All using
someone else's bandwidth (nice people :/)


It is a default install -  though with all appropriate paches (as available
on rhn) applied. Mod_proxy is not loaded.

How can you tell (from this log) that we are running a public proxy (I am
not aware that we are - but I am not sysadmin here, simply running this
server as a test bed for other projects).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20021119/9ef4431e/attachment.html>


More information about the GLLUG mailing list