LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-07-2004, 10:56 AM   #1
mnauta
Member
 
Registered: Apr 2003
Location: Austin, TX
Distribution: RH9.0, FC2, Centos
Posts: 146

Rep: Reputation: 15
connection attempt mod_proxy


This was in my error_log:

Connection attempts using mod_proxy:
220.117.44.93 -> 1.3.3.7:1337 : 2 Time(s)
67.234.73.247 -> mx0.domainsite.com:25 : 2 Time(s)

Can someone help me how to read this / interpret it?

Thanks
 
Old 12-08-2004, 09:34 PM   #2
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
Interpretation:


Apache Mod_Proxy Remote Negative Content-Length Buffer Overflow

http://www.guninski.com/modproxy1.html

Systems affected:
modproxy from apache 1.3.31 and earlier
 
Old 12-10-2004, 10:11 PM   #3
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Re: connection attempt mod_proxy

Um, no ...

Quote:
Originally posted by mnauta

Connection attempts using mod_proxy:
220.117.44.93 -> 1.3.3.7:1337 : 2 Time(s)
67.234.73.247 -> mx0.domainsite.com:25 : 2 Time(s)

What this says is that 220.117.44.93 tried to use mnauta's server to connect to 1.3.3.7:1337 ( Isn't that cute ) 2 times, and 67.234.73.247 tried to connect to mx0.domainsite.com:25 2 times.

Mod_proxy does just what it's name implies. It acts as a proxy for connections. In this case it's just letting you know that it didn't allow those 4. There is nothing here to indicate a buffer overflow attempt. Not saying it's impossible, only that there is nothing here to indicate that. An attempt to forge spam headers is more likely.
 
Old 12-11-2004, 08:03 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The first entry, CONNECT attempts to 1.3.3.7:1337 has been a pretty common thing to see in Apache logs for some time now (way before the negative content-length bug) that's been associated with a proxy-scanner. As long as you aren't getting a 200 status code in response to the proxy attempts (and have an updated apache version), then you should be alright. Plus the negative-content length exploit requires you to connect to a malicious server via the vulnerable target proxy and download a file with the exploit payload and at least for the first entry, 1.3.3.7 is not a valid IP address.
 
Old 01-31-2006, 11:36 PM   #5
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
I found this in access_log:
Code:
[root@grey ~]# cat /var/log/httpd/access_log | grep 82.96.96.3
82.96.96.3 - - [30/Jan/2006:18:21:22 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5436 "-" "-"
82.96.96.3 - - [30/Jan/2006:18:21:22 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5436 "-" "-"
82.96.96.3 - - [31/Jan/2006:04:22:22 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5437 "-" "-"
82.96.96.3 - - [31/Jan/2006:04:22:22 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5437 "-" "-"
82.96.96.3 - - [31/Jan/2006:09:19:14 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5483 "-" "-"
82.96.96.3 - - [31/Jan/2006:09:19:14 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5483 "-" "-"
So i know someone is connecting using mod_proxy and is getting a 200 "Success" response. Could anyone give more details about this?
 
Old 02-01-2006, 06:59 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Which linux distro was this on?
 
Old 02-01-2006, 02:40 PM   #7
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
On a Fedora Core 3.
Kernel 2.6.9-1.667
httpd 2.0.53-3.3

I commented out the mod_proxy* lines in httpd.conf and restarted the server, just to be on the safe side. So far it has not affected my site, but I'd really like to know what this is about and googling around i found stuff that related to apache version 1.3x affected by a bug, but they say that 2.0 versions are not. However, 2.0 versions shouldn't return a 200 response unless proxying is *explicitly* set in the config file, which is NOT the case.
 
Old 02-01-2006, 08:33 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
On Fedora proxying will actually return a 200 status code even though the proxy attempt failed. Apache will serve your default home page instead of whatever content the proxy was trying to reach. Check the file size of index.html or whatever the default page is and see how that compares to 5436 bytes.

The FC apache config should not allow proxying by default and would need to specifically be enabled for the connect method to work. You can restrict the http methods that are allowed in the config file or use mod_rewrite.
 
Old 02-02-2006, 01:24 AM   #9
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Thanx for the info Capt_Caveman.
 
Old 02-02-2006, 07:14 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Sure. Does your default index.html match in size? It's important to verify it.
 
Old 02-02-2006, 11:18 AM   #11
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Actually it's a 5.7K php file. You can view it here:
http://www.linuxhome.trickip.net/index.php

So it's not exactly the same size, but it's close enough. I double checked the access_log and the newest entries are:
Code:
82.96.96.3 - - [01/Feb/2006:13:23:01 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5677 "-" "-"
82.96.96.3 - - [01/Feb/2006:13:23:01 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5679 "-" "-"
82.96.96.3 - - [01/Feb/2006:17:56:17 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5679 "-" "-"
82.96.96.3 - - [01/Feb/2006:17:56:17 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5679 "-" "-"
And i do remember doing a minor modification to the index file, which would explain the size difference between the different access attempts. You'll also notice that there are no new access attempts being logged after i commented out the mod-proxy* lines. However, they're not listed in error_log either (should they be there? or is this IP not trying those attempts?).
 
Old 02-02-2006, 07:25 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The attempts should still show up in the error or access log, so your likely not seeing any further proxy attempts. They're pretty common though, so you'll probably see them occasionally in the future. You can ban any persistant abusers with iptables if you like.
 
Old 02-02-2006, 10:38 PM   #13
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Appreciate your help
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache mod_proxy Proxy Pass dancarl Linux - Software 0 08-15-2005 11:10 AM
mod_proxy slow , how to improve performance tclwp Linux - Networking 2 03-24-2005 12:36 AM
Mod_Proxy (Apache) won't forward requests bentman78 Linux - Software 1 04-20-2004 08:49 AM
Webmin Through Apache using mod_proxy... ech310n Linux - General 0 01-28-2004 04:12 PM
apache2 mod_proxy - swiki bkeating Linux - Software 0 10-28-2003 04:58 PM


All times are GMT -5. The time now is 07:43 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration