Aug 30 2004

Let’s talk about scum

Published by Paul at 11:34 am under Geekery

I pride myself on taking care of my servers and trying to be a good citizen on the net. Imagine my horror then, when I checked my Webalizer logs on Saturday and found my Apache server had been hit nearly 16,000 times during the course of the day. I certainly don’t get that kind of traffic, so I took the server down and started investigating.

Here’s what I found:

82.80.252.154 - - [28/Aug/2004:04:13:21 +1000] "CONNECT 209.103.196.24:25 HTTP/1.0" 200 12437 "-" "-"
82.80.252.155 - - [28/Aug/2004:04:13:36 +1000] "CONNECT 206.190.36.244:25 HTTP/1.0" 200 12437 "-" "-"
82.80.252.155 - - [28/Aug/2004:04:13:36 +1000] "CONNECT 64.156.215.7:25 HTTP/1.0" 200 12437 "-" "-"

Rinse and repeat, similar IP addresses, all through the day.


As you might know, port 25 is used for SMTP (Simple Mail Transfer Protocol), and a 200 status means Apache reported the request as successful. Taken at face value, that meant my webserver had, without my knowledge or permission, been letting a spammer push thousands of junk emails through it. Immediately I started Googling. And… I didn’t find anything that fitted my situation.
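Picking requests like these out of a day’s worth of access log by eye doesn’t scale, so here is an added example (my code, not part of the original post) in Python. It parses Apache common/combined log lines, keeps only CONNECT requests aimed at mail ports, separates the ones the server answered 2xx from the ones it refused, reports the distinct response sizes (a single repeated size is the tell-tale of the same document being served every time rather than a tunnel carrying SMTP traffic), and tallies hits per /24 so the noisiest source network can be firewalled. The three log lines from the post are embedded as sample input together with two constructed lines (a normal GET and a 403 after the fix); the port list and the /24 grouping are my own choices.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Apache common/combined log line: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Sample input: the three lines quoted in the post, plus two constructed lines
# (an ordinary GET from an unrelated client, and a CONNECT refused with 403).
SAMPLE_LOG = """\
82.80.252.154 - - [28/Aug/2004:04:13:21 +1000] "CONNECT 209.103.196.24:25 HTTP/1.0" 200 12437 "-" "-"
82.80.252.155 - - [28/Aug/2004:04:13:36 +1000] "CONNECT 206.190.36.244:25 HTTP/1.0" 200 12437 "-" "-"
82.80.252.155 - - [28/Aug/2004:04:13:36 +1000] "CONNECT 64.156.215.7:25 HTTP/1.0" 200 12437 "-" "-"
192.0.2.10 - - [28/Aug/2004:04:14:02 +1000] "GET /index.html HTTP/1.1" 200 12437 "-" "Mozilla/5.0"
82.80.252.154 - - [28/Aug/2004:05:01:09 +1000] "CONNECT 209.103.196.24:25 HTTP/1.0" 403 291 "-" "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = None if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def target_port(target):
    """Port from a CONNECT authority ('host:port'); None if absent or malformed."""
    _, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def find_connect_abuse(log_text, ports=(25, 465, 587)):
    """Return (answered, refused): CONNECT requests to mail ports the server
    answered with 2xx (worth investigating) and those it refused. The port
    list is an assumption: SMTP, SMTPS and submission."""
    answered, refused = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if target_port(rec["target"]) not in ports:
            continue
        (answered if 200 <= rec["status"] < 300 else refused).append(rec)
    return answered, refused


def response_sizes(records):
    """Distinct response byte counts. A real tunnel would carry a different amount
    of SMTP traffic per session; one repeated size means the same document was
    served each time."""
    return sorted({r["bytes"] for r in records})


def offending_subnets(records, prefix=24):
    """Hits per /prefix network, noisiest first, as a candidate firewall list."""
    counts = Counter()
    for r in records:
        counts[str(ip_network(f"{r['client']}/{prefix}", strict=False))] += 1
    return counts.most_common()


if __name__ == "__main__":
    answered, refused = find_connect_abuse(SAMPLE_LOG)
    print(f"{len(answered)} CONNECT-to-mail requests answered 2xx, {len(refused)} refused")
    print("distinct 2xx response sizes:", response_sizes(answered))
    for net, hits in offending_subnets(answered + refused):
        print(f"{net}: {hits} hits")
```

Feed it a real log with `find_connect_abuse(open("access_log").read())`; if `response_sizes` comes back as one value repeated across thousands of hits, the server was answering the request with a fixed document, not tunnelling.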

Here’s what Red Hat’s Apache site had to say:

Spammers use open Apache proxies

Over the last few weeks we’ve been receiving a number of reports where people running Apache servers have found that their servers have been used to send out Spam email messages.

It appears that the Spammers are using an automated tool to find open Apache proxies. If the tool finds an open proxy on your machine it sends a POST request through the proxy to the local SMTP port (25), passing on the spam messages it wishes to send. Since most people will have set up their mail transfer agent to allow relaying of mail sent from the local host, the messages get sent out from your machine.

Some of the reporters believe that this is a vulnerability of the Apache web server by allowing proxy connections to arbitrary ports. However the majority of sites that run open Apache proxies are doing so because of a misconfiguration rather than by design. Open proxies allow attackers wanting to target vulnerabilities at other sites (such as Cross site scripting attacks, SQL injection attacks and so on) to hide or complicate their real origin.

If you are running the Apache web server we’d recommend that you take a look at your configuration files and make sure that you have not inadvertently set up an open proxy.

If you do not need to act as a proxy server at all then make sure that the directive “ProxyRequests On” does not appear in your configuration file. Note that you do not need to use the ProxyRequests directive if you only want to use Apache as a reverse proxy.

However if you do need to act as a proxy server, make sure that you only allow authorised hosts to connect. For example using the following configuration sample:

<Directory proxy:*>
    Order deny,allow
    Deny from all
    Allow from fred.example.com
</Directory>

The problem was, I didn’t have the proxy module enabled: the entire mod_proxy section of httpd.conf was commented out. So why was Apache apparently forwarding this junk?

In hindsight the log lines above already hold the answer. Every one of those CONNECT requests got exactly the same 12437-byte reply. A real tunnel would carry a different amount of SMTP traffic each session, and without mod_proxy loaded Apache has no code path that opens a connection to port 25 at all. The 200 records Apache answering the CONNECT itself with the same document every time (almost certainly the site’s normal page), not relaying anything. The requests were still worth shutting down, since a 200 is exactly what the spammer’s scanner is looking for, but nothing appears to have gone out through the box.

I changed the settings to:

<IfModule mod_proxy.c>
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
ProxyRequests Off
#
#<Directory proxy:*>
#    Order deny,allow
#    Deny from all
#    Allow from .your_domain.com
#</Directory>
</IfModule>

This made no difference whatsoever - logs showed the CONNECT hits continuing. No surprise, in hindsight: everything in that block sits inside <IfModule mod_proxy.c>, which Apache skips entirely when the module isn’t loaded, so the ProxyRequests Off line was never even read. I checked modules.conf, and mod_proxy wasn’t set to load at all. I took the server down and continued Googling, finally giving up. I added this bit of configuration to httpd.conf, which forbids CONNECT (and any other method not in the list) entirely:

<Limit GET POST OPTIONS PROPFIND>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
    Order deny,allow
    Deny from all
</LimitExcept>

After I’d confirmed that CONNECT requests were now getting 403 Forbidden errors (and alerted Scamp to make the same mod to his config file), I looked up the main culprit for the spam requests. (Listing GET in a <Limit> or <LimitExcept> also covers HEAD, so ordinary browsers are unaffected by the block above.)
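Whether a server that answers CONNECT with a 200 is really an open tunnel, or is just serving a page, can be settled with one request instead of by staring at the access log, and the same probe confirms the 403 once the <LimitExcept> fix is in. Here is an added example in Python (my code, not from the original post): it sends the same CONNECT line the scanners use and classifies the reply. A genuine tunnel comes back as a bare 2xx with no entity headers, followed by the target’s SMTP 220 banner; Apache serving a document comes back as a 2xx carrying Content-Type/Content-Length and an HTML body; the fix above produces a 403. The sample replies are constructed; when probing a live host, point the target at a mail server you control so that a positive result relays nothing anywhere.

```python
import socket


def connect_request(target_host, target_port):
    """The probe line the scanners in the log used, as raw bytes."""
    return f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n\r\n".encode()


def classify_connect_response(raw):
    """Classify the bytes a server sent back after a CONNECT request.

    'refused'            non-2xx status, e.g. the 403 from <LimitExcept>
    'served-page'        2xx with its own entity (Content-Type/Content-Length):
                         the server answered the request itself, nothing was relayed
    'tunnel'             2xx with no entity headers and the target's SMTP 220
                         banner following: the server really opened a TCP tunnel
    'tunnel-unconfirmed' 2xx with no entity headers but no banner seen (yet)
    'not-http'           not an HTTP status line at all
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "not-http"
    status = int(parts[1])
    if not 200 <= status < 300:
        return "refused"
    headers = head.lower()
    if b"content-type:" in headers or b"content-length:" in headers:
        return "served-page"
    if body.lstrip().startswith(b"220"):
        return "tunnel"
    return "tunnel-unconfirmed"


# Constructed replies, one per case; none of these came from a real server.
SAMPLES = {
    "open tunnel": b"HTTP/1.0 200 Connection Established\r\nProxy-agent: Apache\r\n\r\n"
                   b"220 mail.example.net ESMTP ready\r\n",
    "page served": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 12437\r\n\r\n"
                   b"<html>...</html>",
    "blocked":     b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>Forbidden</html>",
    "not http":    b"220 smtp.example.net ESMTP\r\n",
}


def classify_samples():
    """Classify every constructed sample; returns {label: verdict}."""
    return {label: classify_connect_response(raw) for label, raw in SAMPLES.items()}


def probe(proxy_host, proxy_port, target_host, target_port=25, timeout=5.0):
    """Send one CONNECT to proxy_host:proxy_port and classify the reply.
    An open tunnel stays up waiting for us to speak SMTP, so reading ends on
    timeout; a refused or self-served reply normally ends with the server closing."""
    chunks = []
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(connect_request(target_host, target_port))
        try:
            while sum(map(len, chunks)) < 65536:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return classify_connect_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    for label, verdict in classify_samples().items():
        print(f"{label:12} -> {verdict}")
    if len(sys.argv) == 4:  # usage: probe.py <web host> <web port> <mail host you control>
        print("live probe ->", probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A verdict of 'served-page' against your own server is the situation described in this post: the scanner logs a 200, but no connection to port 25 was ever opened.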

It turned out to be traffic from bezeqint.net, which seems kinda notorious for harbouring spammers. In the interest of cutting down 403 noise in my logs I’ve firewalled the entire subnet in question. If they can’t get their customers to play nice, they can fuck off.
