Re: [SLUG] apache proxy exploit?

From: Steve (steve@szmidt.org)
Date: Tue Apr 27 2004 - 23:11:39 EDT



On Tuesday 27 April 2004 10:05 pm, Russ Wright wrote:
> Hello Sluggers
>
> I'm running Fedora Core 1 with the Apache server.
> I noticed the following in my Apache logs:
>
> "CONNECT 1.3.3.7:1337 HTTP/1.0" with a 200 (Success)
>
> What surprised me was that it SUCCEEDED! Seems someone is using my
> server to spam. Gah!

This has been used by what is suspected to be a spammer.

1.3.3.7 is a nonexistent address. But it's also hack speak for a hacker. It
tends to belong somewhere in or close to the Baltic states.

> I've been googling around trying to figure out the fix and it has
> something to do with adding a block like so:
>
> <LimitExcept GET POST>
> Order deny,allow
> Deny from all
> </LimitExcept>

<Limit GET POST OPTIONS HEAD>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS HEAD>
Order deny,allow
Deny from all
</LimitExcept>

> I'm not sure where to put this block in the httpd.conf. Where would this
> block go?

httpd.conf

To test it, telnet to <ip> 80

Now I would run a port scan on your machine, as many Back Orifice and
SubSeven servers use that address/port combo.

> Regards
> Russ
>
> -----------------------------------------------------------------------
> This list is provided as an unmoderated internet service by Networked
> Knowledge Systems (NKS). Views and opinions expressed in messages
> posted are those of the author and do not necessarily reflect the
> official policy or position of NKS or any of its employees.

--
Steve

"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
                                Benjamin Franklin
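
An added example, not part of the original message: a small Python check that scans Apache access-log lines for the pattern Russ describes (a CONNECT request answered with a 2xx status). It goes slightly beyond the post by also flagging any other method outside the GET/POST/OPTIONS/HEAD set from the <Limit> block above. The log lines are constructed samples in common log format, and the function names are hypothetical.

```python
import re

# Common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Methods the <Limit> block in the reply leaves open (taken from the message).
ALLOWED = {"GET", "POST", "OPTIONS", "HEAD"}


def classify(line):
    """Return (severity, reason) for one log line, or None if unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    succeeded = 200 <= status < 300
    if method == "CONNECT":
        if succeeded:
            # The case from the original post: CONNECT host:port answered 2xx.
            return ("high", "CONNECT to %s succeeded" % target)
        return ("info", "CONNECT to %s refused (%d)" % (target, status))
    if method not in ALLOWED and succeeded:
        return ("medium", "%s %s succeeded" % (method, target))
    return None


def scan(lines):
    """Return [(line_number, severity, reason)] for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((number,) + verdict)
    return hits


# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = [
    '203.0.113.9 - - [27/Apr/2004:21:40:02 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 1456',
    '203.0.113.9 - - [27/Apr/2004:23:30:11 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 403 289',
    '198.51.100.4 - - [27/Apr/2004:23:31:00 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Apr/2004:23:32:10 -0400] "PUT /upload.txt HTTP/1.1" 201 -',
]

if __name__ == "__main__":
    for number, severity, reason in scan(SAMPLE):
        print("line %d [%s] %s" % (number, severity, reason))
```

Run against the real access log before and after adding the <LimitExcept> block: the "high" entries should stop appearing and be replaced by "info" entries for the same probes.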

