[HLUG] Ref using my machine as a relay!!

Andrew Hodgson andrew at hodgsonfamily.org
Wed Apr 26 19:04:25 BST 2006


Hi,

Yes, I have seen these sorts of attacks work before and know the results.
It really doesn't look as if the system is proxying; more likely it
is someone trying their luck.  Open HTTP proxies are now one of the main
ways of sending spam through.

I tried the connection from the address 81.2.105.214 connecting to
http://81.2.105.210:25 (my inbound SMTP machine), and got an HTML page
referring to PHPBB back at me.  You should see this in the logs.

Andrew.

-----Original Message-----
From: herefordshire-bounces at mailman.lug.org.uk
[mailto:herefordshire-bounces at mailman.lug.org.uk] On Behalf Of Alex Mace
Sent: 26 April 2006 18:17
To: 'Herefordshire Linux Users Group.'
Subject: RE: [HLUG] Ref using my machine as a relay!!

That seems quite likely to me - CONNECT is apparently reserved for a
connection that can switch to being a tunnel, so it's probably someone
looking for an open HTTP tunnel that they can use to connect to a mail
server for whatever reason. Probably to send some spam out. However, if
PHP is catching the CONNECT method then you shouldn't have anything to
worry about.

Alex

-----Original Message-----
From: herefordshire-bounces at mailman.lug.org.uk
[mailto:herefordshire-bounces at mailman.lug.org.uk] On Behalf Of John
Hedges
Sent: 26 April 2006 12:52
To: Herefordshire Linux Users Group.
Subject: Re: [HLUG] Ref using my machine as a relay!!


> > I run an apache webserver on my machine as I host 4 websites. I
> > think I am having a problem with someone relaying data through
> > apache although I don't have the proxy mod installed. I won't attach
> > the whole log file but the relevant parts.
> >
> > www.kungfu.dyndns.org 212.95.252.16 - - [12/Mar/2006:02:25:10 +0000] "GET / HTTP/1.0" 200 1593 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> >
> > 192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:54:58 +0000] "CONNECT 210.200.181.194:25 HTTP/1.0" 200 16249 "-" "-"
> > 192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:55:03 +0000] "CONNECT 210.200.181.194:25 HTTP/1.0" 200 16249 "-" "-"
> > 192.168.0.4 59.104.55.168 - - [20/Mar/2006:04:55:13 +0000] "CONNECT 210.200.181.193:25 HTTP/1.0" 200 16249 "-" "-"
> 
> These messages indicate that someone is connecting to your webserver
> and using the CONNECT method to connect to a remote mailserver.  The fact
> that it's returning 200 is a concern; however, if mod_proxy is not
> loaded then I can't see how it succeeded.  I would have a go myself but
> the myriad of firewalls and proxies here at work won't allow it, I'll
> try at home later.
> 
> One thing you can try yourself is:
> 
> $ telnet www.kungfu.dyndns.org 80
> 
> Then type
> 
> CONNECT 210.200.181.193:25 HTTP/1.0
> 
> and press return twice.  Then post the result back to the list.

This could be an issue with PHP handling all requests regardless of the
method and returning a default page for your installation. Here are a
couple of links from a Google search for 'apache php connect method'
describing possible workarounds.

http://mail-archives.apache.org/mod_mbox/httpd-users/200506.mbox/%3C8C29B2F93BAE9047A906EF6D6F9C5D4330766E at exchange2k301.gaia.fr%3E
http://bugs.php.net/bug.php?id=19113

It doesn't seem to pose a security threat, despite the misleading log
messages.

Cheers

John
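An added log-triage example, written for this page and not taken from the thread: it parses vhost-prefixed Apache combined-log lines of the shape John posted and reports whether the accepted CONNECT requests all came back with the same byte count, the pattern in the thread that points at a default page being served rather than a working tunnel. The regex, field names and sample lines (documentation-range addresses) are constructed for this example.

```python
import re
from collections import Counter

# Vhost-prefixed Apache combined log, as in the lines posted to the list; regex and names are this example's own.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (documentation-range addresses) modelled on the thread:
# one GET, three CONNECTs to port 25 answered 200 with one body size, one CONNECT refused.
SAMPLE_LOG = [
    'www.example.org 198.51.100.7 - - [12/Mar/2006:02:25:10 +0000] "GET / HTTP/1.0" 200 1593 "-" "Mozilla/4.0"',
    '192.0.2.4 203.0.113.9 - - [20/Mar/2006:04:54:58 +0000] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 16249 "-" "-"',
    '192.0.2.4 203.0.113.9 - - [20/Mar/2006:04:55:03 +0000] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 16249 "-" "-"',
    '192.0.2.4 203.0.113.9 - - [20/Mar/2006:04:55:13 +0000] "CONNECT 192.0.2.26:25 HTTP/1.0" 200 16249 "-" "-"',
    '192.0.2.4 203.0.113.9 - - [20/Mar/2006:04:56:00 +0000] "CONNECT 192.0.2.26:25 HTTP/1.0" 405 322 "-" "-"',
]

def parse_line(line):
    """Fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec

def connect_report(lines):
    """Summarise CONNECT requests.  A relayed SMTP session would log sizes that vary;
    one identical byte count on every accepted CONNECT points at a fixed page instead."""
    attempts = [r for r in map(parse_line, lines) if r and r['method'] == 'CONNECT']
    accepted = [r for r in attempts if 200 <= r['status'] < 300]
    sizes = Counter(r['bytes'] for r in accepted)
    if not accepted:
        verdict = 'no CONNECT request was accepted'
    elif len(sizes) == 1:
        verdict = 'accepted CONNECTs share one body size: likely a fixed page, confirm with a manual CONNECT'
    else:
        verdict = 'accepted CONNECTs with varying sizes: treat as a possible open proxy'
    return {
        'attempts': len(attempts),
        'accepted': len(accepted),
        'smtp_targets': sorted({r['target'] for r in attempts if r['target'].endswith(':25')}),
        'uniform_size': len(sizes) == 1,
        'verdict': verdict,
    }
```

The manual confirmation the verdict refers to is the telnet CONNECT test John describes above: an HTML body coming back means the server answered the request itself, whereas an SMTP banner would mean a tunnel was actually opened.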




_______________________________________________
Herefordshire mailing list
Herefordshire at mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/herefordshire

