LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-19-2005, 11:24 AM   #1
mnauta
how to stop this


This keeps showing up in my log watch. What is the best way to stop this? I have all software uptodates, I run rkhunter, I block certain address ranges in httpd.conf

Connection attempts using mod_proxy:
220.135.202.80 -> msa-mx2.hinet.net:25 : 2 Time(s)
220.136.167.91 -> ms58.hinet.net:25 : 32 Time(s)
220.136.171.148 -> msa.hinet.net:25 : 6 Time(s)
220.136.178.15 -> msa.hinet.net:25 : 12 Time(s)
220.136.179.205 -> ms1.hinet.net:25 : 36 Time(s)
220.136.179.205 -> msa.hinet.net:25 : 54 Time(s)
220.136.179.218 -> msa.hinet.net:25 : 46 Time(s)


Also, how about this, it is probably eating up resources (this goes on for pages in the log)

205.238.243.71 - - [16/Jan/2005:08:02:59 -0600] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9

 
Old 01-19-2005, 12:45 PM   #2
ilikejam
I don't know about the first, but the second part looks very much like a buffer overflow attack. Someone's trying (or tried) to break into your system. Whether or not they have actually succeeded, I don't know.

Dave
 
Old 01-19-2005, 03:19 PM   #3
Hangdog42
Based on Capt_Caveman's response in this thread, the first one may be a spammer looking for a proxy to relay mail. I'd have a look in your Apache logs and as long as these attempts show up with 405, the attempt has failed. The second one is definitely an IIS exploit that can't affect a linux box. Get used to those because there seem to be a TON of infected IIS boxes out there. I know I see them all the time.
 
Old 01-21-2005, 07:53 AM   #4
mnauta
Original Poster
This is from the log, I guess it's making a connection.

"CONNECT msa.hinet.net:25 HTTP/1.0" 200 8059 "-" "-"

Also, I did nmap on this server (from within the network) and port 25 is not open.

My PIX firewall routes all port 25 traffic to another server, so how does this get to my web server anyway? Also, it keeps going on, every day the logs show this.

manuel

 
Old 01-21-2005, 08:49 AM   #5
Hangdog42
I'm guessing based on what I read here, so hopefully one of the real experts will chime in.......

Quote:
Also, it keeps going on, every day the logs show this.
Well, if this is a spammer, that isn't surprising. They are using your box to cover their tracks and will probably continue to do so until you stop them. You might want to read through this thread for a discussion on modifying Apache to not allow this.
 
Old 01-21-2005, 09:10 AM   #6
Capt_Caveman
Quote:
My PIX firewall routes all port 25 traffic to another server, so how does this get to my web server anyway?

It's a proxy attempt, so it's trying to use your webserver to pass requests to the host 'msa.hinet.net'. The initial request to your webserver is still on port 80, but it then gets your webserver to connect to port 25 of the remote host. Usually the proxy feature is disabled by default for this very reason (not many people need it and it is highly abusable). See the link Hangdog posted on turning mod_proxy off. You can also use mod_rewrite to drop requests that use the CONNECT method.

Also how big is the size of your index.html file?
 
Old 01-21-2005, 10:08 AM   #7
mnauta
Original Poster
Thanks, this helps a lot!

I'll check on the size of the index file, I know it is small (what is the significance of that with regard to this issue?)
 
Old 01-21-2005, 11:59 PM   #8
Capt_Caveman
Some systems will return the default home page (index.html) to someone making invalid proxy requests. So a '200' status code is returned even though the proxy was unsuccessful. Though I don't believe that is the case here. If I remember correctly, FC and Redhat should return a 405 for someone using the CONNECT method, unless the request is allowed for some reason. So do you have mod_proxy turned on for some reason? Might help if you posted your httpd.conf file.
 
Old 01-22-2005, 01:22 PM   #9
mnauta
Original Poster
I recall trying it, and it did give me the html from the index page.
 
Old 01-22-2005, 05:50 PM   #10
Capt_Caveman
If that's the case, then each connection attempt in the log should show the exact same number of bytes transferred (8059), otherwise the proxy attempts were successful.
 
Old 01-23-2005, 02:08 AM   #11
mnauta
Original Poster
Here is one of the lines of the log:


220.136.163.212 - - [16/Jan/2005:21:02:49 -0600] "CONNECT msa.hinet.net:25 HTTP/1.0" 200 8059 "-" "-"


Looks like they are not successful.

Thanks
Manuel
 
Old 01-23-2005, 10:52 AM   #12
Capt_Caveman
As long as ALL of the CONNECT attempts show 8059 bytes transferred and that is the size of your index.html. Please verify that all of those are correct, otherwise you may be relaying spam.
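The check Capt_Caveman describes in posts #6, #10 and #12 (pull every proxy-style request out of access_log, then compare the status code and byte count against the size of index.html) is easy to automate. The script below is an added example written for this page, not code posted by anyone in the thread. It parses Apache common/combined log lines, treats CONNECT requests and absolute-URI GETs as proxy attempts, and flags any that returned 200 with a byte count other than the index page size. The log lines are constructed for the example (one is modelled on the line mnauta quoted; the other addresses are documentation ranges) and the 8059-byte index size is the figure the thread settles on; both are assumptions, not data from the poster's server.

```python
import re
from collections import Counter

# Matches the Apache common/combined access_log format, which is the format
# of the CONNECT lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Size of the server's own index.html (assumed; 8059 is the thread's figure).
INDEX_SIZE = 8059

# Constructed sample log (not the poster's real log), modelled on the line
# quoted above. Addresses other than the thread's are documentation ranges.
SAMPLE_LOG = """\
220.136.163.212 - - [16/Jan/2005:21:02:49 -0600] "CONNECT msa.hinet.net:25 HTTP/1.0" 200 8059 "-" "-"
220.136.179.205 - - [16/Jan/2005:21:03:10 -0600] "CONNECT ms1.hinet.net:25 HTTP/1.0" 200 8059 "-" "-"
220.136.179.218 - - [16/Jan/2005:21:05:41 -0600] "CONNECT msa.hinet.net:25 HTTP/1.0" 200 1342 "-" "-"
203.0.113.9 - - [16/Jan/2005:21:06:02 -0600] "GET http://www.example.com/ HTTP/1.0" 200 4410 "-" "-"
198.51.100.4 - - [16/Jan/2005:21:07:15 -0600] "CONNECT msa.hinet.net:25 HTTP/1.0" 405 312 "-" "-"
198.51.100.4 - - [16/Jan/2005:21:07:16 -0600] "GET /index.html HTTP/1.1" 200 8059 "-" "Mozilla/5.0"
"""


def is_proxy_attempt(method, target):
    """CONNECT is always a proxy request; so is a GET/POST whose request
    target is an absolute URI, which is how a forward proxy is asked to
    fetch somebody else's site."""
    return method == "CONNECT" or target.lower().startswith(("http://", "https://"))


def classify(status, nbytes, index_size=INDEX_SIZE):
    """Verdict for one proxy attempt, following the thread's reasoning:
    403/405 means the server refused; 200 with exactly the index.html size
    means the server just handed back its home page; any other 200 is
    unexplained and may be a relayed connection."""
    if status in (403, 405):
        return "refused"
    if status == 200 and nbytes == index_size:
        return "index-page"
    return "suspect"


def analyze(log_text, index_size=INDEX_SIZE):
    """Return (verdict counts, list of suspect entries) for a log text."""
    counts = Counter()
    suspects = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        if not is_proxy_attempt(e["method"], e["target"]):
            continue
        nbytes = -1 if e["bytes"] == "-" else int(e["bytes"])
        verdict = classify(int(e["status"]), nbytes, index_size)
        counts[verdict] += 1
        if verdict == "suspect":
            suspects.append((e["ip"], e["method"], e["target"], e["status"], nbytes))
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = analyze(SAMPLE_LOG)
    print(dict(counts))
    for ip, method, target, status, nbytes in suspects:
        print(f"SUSPECT {ip} {method} {target} -> {status}, {nbytes} bytes")
```

On a real server, feed it the contents of access_log and replace INDEX_SIZE with the actual size of the document root's index.html; any "suspect" line with a 200 and a byte count that is neither the index page nor a small error page deserves a look, because that is the case where the server may have passed bytes through to the remote mail host.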
 
Old 01-26-2005, 02:27 PM   #13
mnauta
Original Poster
Is this the correct syntax to stop the CONNECT

<Limit CONNECT>
Order Deny,Allow
Deny from all
</Limit>
 
Old 01-28-2005, 12:37 AM   #14
Capt_Caveman
The Limit directive is a little picky. I actually use mod_rewrite:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|CONNECT)
RewriteRule .* - [F]

Though it's redundant. You need to have the proxy container uncommented and specifically have ProxyRequests set to "On" AND you need to have the port open with the ProxyCONNECT directive. So it's not something you can easily turn on by mistake. I'm not aware of any distro that allows the CONNECT method by default.
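Rather than waiting for the next logwatch report, the server can be asked the same question the spammers are asking it. The script below is an added example for this page, not code from the thread or from Apache: it sends the exact CONNECT request that appears in mnauta's log and classifies the reply. A 403 (which is what the [F] flag in the mod_rewrite rule above and the Limit/Deny block produce) or the 405 the posters describe means the method is refused; a 200 followed by an SMTP "220" banner means the server opened a tunnel to the remote mail host and is an open relay; a 200 carrying an HTML body is the harmless index-page case discussed earlier. The sample responses at the bottom are constructed for the example, not captured from any real server, and the target host msa.hinet.net is simply the one from the thread's log lines.

```python
import socket

# Target of the CONNECT requests seen in the thread; any host:port works.
TARGET_HOST = "msa.hinet.net"
TARGET_PORT = 25


def build_connect_request(host=TARGET_HOST, port=TARGET_PORT):
    """The request shape from the thread's log lines, plus a Host header."""
    return (f"CONNECT {host}:{port} HTTP/1.0\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def parse_response(raw):
    """Split a raw HTTP response into (status code, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    return status, body


def classify_connect_response(raw):
    """Turn the server's answer to CONNECT into a verdict.

    403/405: the method is refused (the [F] rewrite rule, a Limit block, or a
    server with no proxying enabled).
    200 followed by an SMTP banner ("220 ..."): a tunnel to the remote mail
    server was opened, so the box is usable as an open relay.
    200 with an HTML body: the server only served its own index page.
    """
    status, body = parse_response(raw)
    if status in (403, 405):
        return "refused"
    if status == 200:
        if body.lstrip().startswith(b"220"):
            return "open-proxy"
        if b"<html" in body.lower():
            return "index-page"
        return "unknown-200"
    return f"other-{status}"


def probe(server, port=80, timeout=5):
    """Send CONNECT to your own web server and classify the reply.
    Only point this at a server you are responsible for."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_connect_request())
        s.settimeout(timeout)
        chunks = []
        try:
            # An open tunnel never closes by itself: the SMTP banner arrives,
            # then recv() times out, which is the signal to stop reading.
            while sum(map(len, chunks)) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return classify_connect_response(b"".join(chunks))


# Constructed responses (not captured from any real server) covering the
# outcomes discussed in the thread.
SAMPLE_RESPONSES = {
    "refused-405": b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
                   b"Content-Type: text/html\r\n\r\n<html><body>405</body></html>",
    "refused-403": b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>403</html>",
    "home-page": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>home</body></html>",
    "tunnel": b"HTTP/1.0 200 Connection Established\r\nProxy-agent: Apache\r\n\r\n"
              b"220 msa.hinet.net ESMTP ready\r\n",
}


def demo():
    """Classify each constructed response; returns {name: verdict}."""
    return {name: classify_connect_response(raw) for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

To test a live server, call probe("your.web.server") from the same network the spammers reach it from; running the check before and after adding the rewrite rule shows the verdict move from "index-page" (or worse, "open-proxy") to "refused".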
 