mod_proxy as a spammer
Published 2005-09-22 22:17:56
I had a nice phone call today from my ISP; they let me know that my outgoing port 25 had been auto-blocked due to excessive traffic.
Agh, an instant chkrootkit indicated nothing scary, so I started digging into the reasons behind this. I have to say my local ISP, Netfront, has world-class service. Gary, who I was dealing with, was very co-operative and opened up port 25 so we could track down the problem. To be honest, I was amazed at the service, where they actually called me to let me know they were blocking my service. I'm sure there are many broadband fixed-IP users who would envy this kind of service.
After chkrootkit failed to find anything and Gary had opened the port, I ran

    #netstat -n | grep 25
    tcp 0 0 myip:33236 someip:25 TIME_WAIT

This indicated a few outgoing connections on port 25, so I asked one of my colleagues, who thankfully knows Linux better than me ;), for ideas to track down what process was doing this.

    #fuser 33236/tcp
    33236/tcp: 25045

This indicated the process ID that was causing the connection, and now down to good old ps:

    #ps auxw | grep 25045
    www-data 25045 ...... /usr/sbin/apache2 -k start -DSSL

Agh - Apache was causing port 25 connections. My first thought was some horrific mistake I made with my PHP code, but a quick look through the Apache log files indicated that my suspicions were not quite correct. The Apache log file had rather a large number of these, from various IP addresses:

    210.245.151.81 - - ... "POST http://202.81.252.1:25/ HTTP/1.1" 200 ..

At this point I started to suspect the reverse proxies on my server (especially as I had set it up again recently on another server and had to deal with the default config there).
My Debian-based install had a file in apache2/mods-available called proxy.conf, which I had not copied to apache2/mods-enabled. I had only copied the proxy.load file.
In this file was the critical section:

    <Proxy *>
    Order deny,allow
    Deny from all
    #Allow from .your_domain.com
    </Proxy>

This blocks all access to the proxy. So after adding this file, to enable my old reverse proxies, I had to add sections like this to open a few specific proxies:

    <Proxy http://devel/>
    Order allow,deny
    Allow from all
    </Proxy>

The only problem I had was that my php5 server was running on port 81, and this config failed to allow access via the reverse proxy.

    <Proxy http://php5.akbkhome.com:81/>
    #this doesnt work?!!!
    Order allow,deny
    Allow from all
    </Proxy>

Anyway, at least I'm not a spammer anymore..
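
Added example (not from the original post): a Python pass over an access log that flags the forward-proxy requests described above, i.e. request lines carrying an absolute URI or a CONNECT for a host the server does not own, like the POST to port 25 in the log excerpt. The OWN_HOSTS set, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately answers for; use your own vhosts.
OWN_HOSTS = {"www.example.org", "devel"}

# Common/combined log format: client ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def proxy_target(method, target):
    """Return (host, port) if the request asks us to relay elsewhere, else None."""
    if method == "CONNECT":                      # target is host:port
        host, _, port = target.rpartition(":")
        return (host.lower(), int(port)) if host and port.isdigit() else None
    if "://" not in target:                      # origin-form such as /index.php
        return None
    try:
        url = urlsplit(target)
        host, port = url.hostname, url.port      # .port raises on a malformed port
    except ValueError:
        return None
    if not host or host in OWN_HOSTS:
        return None
    return (host, port or {"http": 80, "https": 443}.get(url.scheme.lower()))

def find_proxy_abuse(lines):
    """Count forward-proxy style requests per (client, host, port, answered)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        target = proxy_target(m["method"], m["target"]) if m else None
        if target:
            answered = m["status"].startswith("2")   # 2xx: served, not refused
            hits[(m["client"], *target, answered)] += 1
    return hits

# Constructed sample lines (documentation-range addresses), shaped like the post's entry.
SAMPLE = [
    '198.51.100.7 - - [22/Sep/2005:10:00:01 +0800] "POST http://203.0.113.9:25/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Sep/2005:10:00:02 +0800] "POST http://203.0.113.9:25/ HTTP/1.1" 200 498',
    '192.0.2.44 - - [22/Sep/2005:10:00:05 +0800] "CONNECT 203.0.113.9:25 HTTP/1.0" 405 210',
    '192.0.2.10 - - [22/Sep/2005:10:00:09 +0800] "GET /index.php HTTP/1.1" 200 4096',
    '192.0.2.10 - - [22/Sep/2005:10:00:10 +0800] "GET http://www.example.org/ HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for (client, host, port, answered), n in find_proxy_abuse(SAMPLE).most_common():
        print(f"{n:4d}  {client} -> {host}:{port}  answered={answered}")
```

Entries with port 25 and answered=True are the ones that match the symptom in the post; after the `<Proxy *>` deny block is in place, the same requests should show up with a refusal status instead.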