LinuxQuestions.org, Linux - Security forum: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-07-2004, 10:56 AM | #1
Member | Registered: Apr 2003 | Posts: 152
connection attempt mod_proxy
This was in my error_log:
Connection attempts using mod_proxy:
220.117.44.93 -> 1.3.3.7:1337 : 2 Time(s)
67.234.73.247 -> mx0.domainsite.com:25 : 2 Time(s)
Can someone help me read / interpret this?
Thanks

12-08-2004, 09:34 PM | #2
Member | Registered: Oct 2004 | Posts: 229
Interpretation:
Apache Mod_Proxy Remote Negative Content-Length Buffer Overflow
http://www.guninski.com/modproxy1.html
Systems affected:
modproxy from apache 1.3.31 and earlier

12-10-2004, 10:11 PM | #3
Senior Member | Registered: Nov 2004 | Location: Third rock from the Sun | Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1 | Posts: 1,197
Re: connection attempt mod_proxy
Um, no ...
Quote: Originally posted by mnauta
Connection attempts using mod_proxy:
220.117.44.93 -> 1.3.3.7:1337 : 2 Time(s)
67.234.73.247 -> mx0.domainsite.com:25 : 2 Time(s)
What this says is that 220.117.44.93 tried to use mnauta's server to connect to 1.3.3.7:1337 (isn't that cute) 2 times, and 67.234.73.247 tried to connect to mx0.domainsite.com:25 2 times.
Mod_proxy does just what its name implies. It acts as a proxy for connections. In this case it's just letting you know that it didn't allow those 4. There is nothing here to indicate a buffer overflow attempt. Not saying it's impossible, only that there is nothing here to indicate that. An attempt to forge spam headers is more likely.

12-11-2004, 08:03 AM | #4
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
The first entry, CONNECT attempts to 1.3.3.7:1337, has been a pretty common thing to see in Apache logs for some time now (way before the negative content-length bug); it's been associated with a proxy scanner. As long as you aren't getting a 200 status code in response to the proxy attempts (and have an updated Apache version), then you should be alright. Plus the negative content-length exploit requires you to connect to a malicious server via the vulnerable target proxy and download a file with the exploit payload, and at least for the first entry, 1.3.3.7 is not a valid IP address.

01-31-2006, 11:36 PM | #5
Member | Registered: Apr 2005 | Location: Jordan | Distribution: Debian (Sarge), Ubuntu (6.06) | Posts: 271
I found this in access_log:
Code:
[root@grey ~]# cat /var/log/httpd/access_log | grep 82.96.96.3
82.96.96.3 - - [30/Jan/2006:18:21:22 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5436 "-" "-"
82.96.96.3 - - [30/Jan/2006:18:21:22 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5436 "-" "-"
82.96.96.3 - - [31/Jan/2006:04:22:22 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5437 "-" "-"
82.96.96.3 - - [31/Jan/2006:04:22:22 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5437 "-" "-"
82.96.96.3 - - [31/Jan/2006:09:19:14 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5483 "-" "-"
82.96.96.3 - - [31/Jan/2006:09:19:14 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5483 "-" "-"
So I know someone is connecting using mod_proxy and is getting a 200 "Success" response. Could anyone give more details about this?

02-01-2006, 06:59 AM | #6
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Which linux distro was this on?

02-01-2006, 02:40 PM | #7
Member | Registered: Apr 2005 | Location: Jordan | Distribution: Debian (Sarge), Ubuntu (6.06) | Posts: 271
On a Fedora Core 3.
Kernel 2.6.9-1.667
httpd 2.0.53-3.3
I commented out the mod_proxy* lines in httpd.conf and restarted the server, just to be on the safe side. So far it has not affected my site, but I'd really like to know what this is about. Googling around I found stuff that related to Apache version 1.3x being affected by a bug, but they say that 2.0 versions are not. However, 2.0 versions shouldn't return a 200 response unless proxying is *explicitly* set in the config file, which is NOT the case.

02-01-2006, 08:33 PM | #8
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
On Fedora proxying will actually return a 200 status code even though the proxy attempt failed. Apache will serve your default home page instead of whatever content the proxy was trying to reach. Check the file size of index.html or whatever the default page is and see how that compares to 5436 bytes.
The FC apache config should not allow proxying by default and would need to specifically be enabled for the connect method to work. You can restrict the http methods that are allowed in the config file or use mod_rewrite.
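An added example, not code from the thread, of the check Capt_Caveman describes: it parses access_log lines (constructed here from the ones posted above plus a few made-up entries), picks out CONNECT and absolute-URI requests, and compares the logged byte count with the default page size to tell "Apache served the default page instead" from a response that really came from the proxied target. The 5700-byte default page size and the 203.0.113.9 client are assumptions.

```python
import re

# Apache common/combined log format: client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

# Constructed sample: the lines posted in this thread plus an ordinary GET and two
# entries from a documentation address (203.0.113.9) to show the other verdicts.
SAMPLE_LOG = [
    '82.96.96.3 - - [30/Jan/2006:18:21:22 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5436 "-" "-"',
    '82.96.96.3 - - [30/Jan/2006:18:21:22 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5436 "-" "-"',
    '10.0.0.5 - - [30/Jan/2006:18:25:00 +0200] "GET /index.php HTTP/1.1" 200 5436 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jan/2006:19:00:00 +0200] "CONNECT 1.3.3.7:1337 HTTP/1.0" 403 294 "-" "-"',
    '203.0.113.9 - - [30/Jan/2006:19:00:01 +0200] "GET http://example.com/ HTTP/1.0" 200 41220 "-" "-"',
]

def is_proxy_request(method, target):
    """CONNECT, or an absolute-URI target (scheme://...), asks us to act as a proxy."""
    if method.upper() == "CONNECT":
        return True
    return re.match(r'^[A-Za-z][A-Za-z0-9+.-]*://', target) is not None

def triage(lines, default_page_bytes, slack=0.05):
    """Classify every proxy-style request in `lines` as one of:
      refused : non-2xx status, the request was rejected outright
      denied  : 2xx but the body is within `slack` of the default page size,
                i.e. Apache ignored the proxy target and served the local index
      open?   : 2xx with a body that does not look like the default page
    Returns tuples (verdict, client, method, target, status, bytes)."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_proxy_request(m["method"], m["target"]):
            continue
        status = int(m["status"])
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        if status // 100 != 2:
            verdict = "refused"
        elif abs(size - default_page_bytes) <= slack * default_page_bytes:
            verdict = "denied"
        else:
            verdict = "open?"
        results.append((verdict, m["ip"], m["method"], m["target"], status, size))
    return results

if __name__ == "__main__":
    # 5700 stands in for the ~5.7K index.php of post #11; use os.path.getsize() of your default page.
    for row in triage(SAMPLE_LOG, 5700):
        print("%-8s %-12s %-7s %-28s %d %d" % row)
```

Any "open?" row deserves a look at the proxy configuration; a run of "denied" rows from one client is the proxy-scanner noise described in this thread.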

02-02-2006, 01:24 AM | #9
Member | Registered: Apr 2005 | Location: Jordan | Distribution: Debian (Sarge), Ubuntu (6.06) | Posts: 271
Thanx for the info Capt_Caveman. 

02-02-2006, 07:14 AM | #10
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Sure. Does your default index.html match in size? It's important to verify it.

02-02-2006, 11:18 AM | #11
Member | Registered: Apr 2005 | Location: Jordan | Distribution: Debian (Sarge), Ubuntu (6.06) | Posts: 271
Actually it's a 5.7K php file. You can view it here:
http://www.linuxhome.trickip.net/index.php
So it's not exactly the same size, but it's close enough. I double-checked the access_log and the newest entries are:
Code:
82.96.96.3 - - [01/Feb/2006:13:23:01 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5677 "-" "-"
82.96.96.3 - - [01/Feb/2006:13:23:01 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5679 "-" "-"
82.96.96.3 - - [01/Feb/2006:17:56:17 +0200] "CONNECT 82.96.96.3:802 HTTP/1.0" 200 5679 "-" "-"
82.96.96.3 - - [01/Feb/2006:17:56:17 +0200] "POST http://82.96.96.3:802/ HTTP/1.0" 200 5679 "-" "-"
And I do remember doing a minor modification to the index file, which would explain the size difference between the different access attempts. You'll also notice that there are no new access attempts being logged after I commented out the mod_proxy* lines. However, they're not listed in error_log either (should they be there? or is this IP not trying those attempts?).

02-02-2006, 07:25 PM | #12
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
The attempts should still show up in the error or access log, so you're likely not seeing any further proxy attempts. They're pretty common though, so you'll probably see them occasionally in the future. You can ban any persistent abusers with iptables if you like.

02-02-2006, 10:38 PM | #13
Member | Registered: Apr 2005 | Location: Jordan | Distribution: Debian (Sarge), Ubuntu (6.06) | Posts: 271
Appreciate your help 