On Tue, 11 Nov 2003 08:56:21 -0500, Pierre Fortin <[EMAIL PROTECTED]> wrote:

On Mon, 10 Nov 2003 21:09:44 -0800 Todd Lyons <[EMAIL PROTECTED]> forwarded:

Reviewing the logs, I have seen a large number of GETs in /var/log/httpd/*.log with verrrrrrrrrrrrry long pathnames and/or requests to xxx.xxx.xxx:25. I think that is how they got in.

Not "in"; but "through"... I pointed this out to David in a private mail
along with the below quick test for proxying... Seems that using ":25" is
a twist that I hadn't seen; but then again, most of us have turned off
proxying after this was raised here months ago...


Part of my msg to David:
Hmmm...  wonder if this is related to the www relaying that can happen
in an apache server...  [testing your address...]  port 80 is blocked...
is this done by your ISP?  The way to check for httpd relaying is simple:
telnet <IP> 80
[connected messages]
GET http://some.remote.site HTTP/1.0<enter>
<enter>

Wow! The other day I got a nasty e-mail (in that it crashed Opera when it tried to open it) from someone who has ADSL with pacbell.net. The header said it was from my domain (which really p*ss*d me off.) So I just tried your relay test on this guy's IP address, and it worked.


Now, how do you tell the user? - that is, how do you find out who it is?


If the returned page is from some.remote.site, your server is an open relay... I've seen this long ago and suspected people were using this to bump hit-counters causing possible charges ($$) between target and advertiser. Dunno if this could be used to relay mail; but would not be surprised.

It appears that adding ":25" was a pretty simple hack to abuse the apache proxying... yet another reason for everyone to verify that mod-proxy is disabled....



Phil


--
Using Mandrake Linux 9.1 www.mandrakesoft.com

Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
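The log pattern David reported (a flood of GETs with very long pathnames, and requests aimed at somehost:25) can be pulled out of an Apache access log mechanically. The script below is an added example for this thread, not code posted by anyone in it: the log lines are constructed for illustration, and LONG_PATH and the helper names are assumptions of the example. It flags the three shapes of request that only make sense against a proxy: an absolute URI in the request line (the "GET http://some.remote.site" form), a CONNECT tunnel request, and either of those with port 25 as the destination, plus the over-long paths, and then counts hits per client address, which is the list of addresses you would look up to find out who to notify.

```python
"""Flag proxy-abuse patterns in Apache access-log lines.

Added example for this thread, not code from any of the posters.  The sample
log lines are constructed; LONG_PATH is an assumed threshold.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

LONG_PATH = 512  # assumed: request targets longer than this are worth a look

# Constructed sample lines (RFC 5737 documentation addresses, made-up hosts)
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2003:21:05:12 -0800] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Nov/2003:21:06:01 -0800] "GET http://some.remote.site/ HTTP/1.0" 200 5120 "-" "-"',
    '198.51.100.7 - - [10/Nov/2003:21:06:03 -0800] "GET http://mail.example.net:25/ HTTP/1.0" 200 74 "-" "-"',
    '203.0.113.5 - - [10/Nov/2003:21:07:44 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"',
    '203.0.113.9 - - [10/Nov/2003:21:08:10 -0800] "GET /%s HTTP/1.0" 404 297 "-" "-"' % ("A" * 600),
]


def classify(line):
    """Return the list of reasons a log line looks like proxy abuse ([] if it looks normal)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    parts = m.group("request").split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts
    reasons = []
    if method.upper() == "CONNECT":
        # CONNECT host:port asks httpd to open a raw TCP tunnel to host:port
        _host, _, port = target.rpartition(":")
        reasons.append("CONNECT tunnel request")
        if port == "25":
            reasons.append("tunnel to SMTP port 25 (mail relay)")
    elif target.lower().startswith(("http://", "https://")):
        # An absolute URI in the request line means the client asked us to fetch
        # another site, which only makes sense if it takes us for a proxy.
        u = urlsplit(target)
        try:
            port = u.port
        except ValueError:  # garbage port in the URI; still proxy-shaped
            port = None
        reasons.append("absolute-URI request (proxy-style) for %s" % u.netloc)
        if port == 25:
            reasons.append("proxy to SMTP port 25 (mail relay)")
    if len(target) > LONG_PATH:
        reasons.append("very long path (%d chars)" % len(target))
    return reasons


def scan(lines):
    """Return [(client, request, reasons)] for every line that trips a rule."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            client = m.group("client") if m else "?"
            request = m.group("request") if m else line.strip()
            hits.append((client, request, reasons))
    return hits


def top_clients(hits):
    """Count hits per client address, busiest first: the addresses to look up and report."""
    return Counter(client for client, _req, _reasons in hits).most_common()


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    hits = scan(source)
    for client, request, reasons in hits:
        print("%-15s %-60.60s %s" % (client, request, "; ".join(reasons)))
    print(top_clients(hits))
```

Run it as `python scan.py /var/log/httpd/access_log` (any file in the combined format) or with no argument to see it work on the constructed lines. A 200 status on the absolute-URI or CONNECT lines is the part that matters: it means httpd actually serviced the request rather than refusing it.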
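Pierre's manual test (telnet to port 80, type `GET http://some.remote.site HTTP/1.0` and a blank line, see whether the remote site's page comes back) can be scripted so the same probe, and the ":25" variant seen in David's logs, can be run against your own server from outside. This is an added example, not code from the thread; the host, target and MARKER names are assumptions. The one thing the manual test leaves to the eye is judging whether the returned page is really from the remote site, so the probe takes a marker string you know appears on a page you control: a 200 containing the marker means the server fetched it for you, while a 200 without it usually means httpd ignored the host part and served its own default page.

```python
"""Probe an HTTP server for open-proxy behaviour, the way the telnet test does.

Added example for this thread, not code from the thread.  Host, target and
MARKER values are assumptions; point target/marker at a page you control.
"""
import socket


def build_probe(target, port=None, method="GET"):
    """Build the raw request bytes the manual telnet test types by hand."""
    if method == "CONNECT":
        # CONNECT host:port asks for a raw TCP tunnel (port 25 = mail relaying)
        line = "CONNECT %s:%d HTTP/1.0" % (target, port or 25)
    else:
        netloc = target if port is None else "%s:%d" % (target, port)
        line = "GET http://%s/ HTTP/1.0" % netloc
    # HTTP/1.0 and a blank line, exactly like the manual test; Host: helps vhost setups
    return ("%s\r\nHost: %s\r\n\r\n" % (line, target)).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers dict, body); status None if not HTTP."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        status = int(lines[0].split(" ")[1])
    except (IndexError, ValueError):
        return None, {}, raw
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return status, headers, body


def classify_response(raw, marker, method="GET"):
    """Turn the raw reply into a verdict.  'marker' is text known to be on the target page."""
    status, _headers, body = parse_response(raw)
    if status is None:
        return "no HTTP response"
    if method == "CONNECT":
        # For CONNECT a 200 alone means the tunnel was opened for us
        if status == 200:
            return "OPEN PROXY: CONNECT tunnel established"
        return "refused (%d): CONNECT not allowed" % status
    if status == 200 and marker.encode("latin-1") in body:
        return "OPEN PROXY: relayed content from target"
    if status == 200:
        return "served local page (200), not the target"
    if status in (400, 403, 405, 501):
        return "refused (%d): proxying disabled" % status
    return "inconclusive (%d)" % status


def probe(host, port=80, target="www.example.com", marker="Example Domain",
          method="GET", target_port=None, timeout=10):
    """Connect to host:port, send the probe, return (verdict, raw_response)."""
    request = build_probe(target, target_port, method)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    return classify_response(raw, marker, method), raw


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # the server you are checking (assumed: your own)
    for method, tport in (("GET", None), ("GET", 25), ("CONNECT", 25)):
        verdict, _raw = probe(host, method=method, target_port=tport)
        print("%-8s target_port=%-5s %s" % (method, tport, verdict))
```

Run it against your own address from a host outside your network, since a firewall in front (Phil's "port 80 is blocked") hides the result. If any of the three lines reports an open proxy, the fix Pierre is pointing at is `ProxyRequests Off` in httpd.conf, or not loading mod_proxy at all; `ProxyRequests On` is the directive that turns Apache into a forward proxy.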
