On Tue, 2003-11-11 at 15:25, Phil G. wrote:
> On Tue, 11 Nov 2003 08:56:21 -0500, Pierre Fortin <[EMAIL PROTECTED]> wrote:
>
> > On Mon, 10 Nov 2003 21:09:44 -0800 Todd Lyons <[EMAIL PROTECTED]>
> > forwarded:
> >
> > >> reviewing the logs, I have seen a large number of GETs in
> > >> /var/log/httpd/*.log with verrrrrrrrrrrrry long pathnames and/or
> > >> requests to xxx.xxx.xxx:25. I think that
> > >> is how they got in.
> >
> > Not "in"; but "through"... I pointed this out to David in a private mail
> > along with the below quick test for proxying... Seems that using ":25"
> > is a twist that I hadn't seen; but then again, most of us have turned off
> > proxying after this was raised here months ago...
> >
> > Part of my msg to David:
> >> Hmmm... wonder if this is related to the www relaying that can happen
> >> in an apache server... [testing your address...] port 80 is blocked...
> >> is this done by your ISP? The way to check for httpd relaying is simple:
> >> telnet <IP> 80
> >> [connected messages]
> >> GET http://some.remote.site HTTP/1.0<enter>
> >> <enter>
>
> Wow! The other day I got a nasty e-mail (in that it crashed opera when it
> tried to open it) from someone who has adsl with pacbell.net. The header
> said it was from my domain (which really p*ss*d me off.) So I just tried
> your relay test on this guy's ip address, and it worked.
>
> Now, how do you tell the user? - that is, how do you find out who it is?
>
You might report him to [EMAIL PROTECTED] (not that they care.) Other option: block his IP number (which will only work until he/she gets a new lease.) Or go to the IP number with a browser, see if he/she is running a webpage and see if there is an e-mail address.

James

> >>
> >> If the returned page is from some.remote.site, your server is an open
> >> relay... I've seen this long ago and suspected people were using this
> >> to bump hit-counters causing possible charges ($$) between target and
> >> advertiser. Dunno if this could be used to relay mail; but would not be
> >> surprised.
> >
> > It appears that adding ":25" was a pretty simple hack to abuse the apache
> > proxying... yet another reason for everyone to verify that mod-proxy is
> > disabled....
> >
>
> Phil
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
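The log review Todd describes (proxy-style GETs, requests to some host on port 25, and oversized pathnames in /var/log/httpd/*.log) can be scripted so it runs over the whole log instead of being eyeballed. The script below is an added example, not code from anyone in this thread: it parses Apache common-format access-log lines and flags the three request shapes that only make sense to a forward proxy or a fuzzer: an absolute URI as the request-target, a CONNECT tunnel, and a request-target longer than a configurable threshold. The log lines are constructed samples; 10.0.0.x and 192.0.2.10 are placeholder addresses, and `some.remote.site` is the name used in the thread's own test.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache common log format (not taken from the
# thread); the 10.0.0.x clients and 192.0.2.10 are placeholder addresses.
SAMPLE_LOG = (
    '10.0.0.5 - - [11/Nov/2003:08:15:02 -0500] "GET /index.html HTTP/1.1" 200 1234\n'
    '10.0.0.9 - - [11/Nov/2003:08:15:10 -0500] "GET http://some.remote.site/ HTTP/1.0" 200 5120\n'
    '10.0.0.9 - - [11/Nov/2003:08:16:44 -0500] "GET http://192.0.2.10:25/ HTTP/1.0" 200 310\n'
    '10.0.0.12 - - [11/Nov/2003:08:17:01 -0500] "CONNECT 192.0.2.10:25 HTTP/1.0" 405 0\n'
    '10.0.0.5 - - [11/Nov/2003:08:18:30 -0500] "POST /cgi-bin/form HTTP/1.1" 302 0\n'
    '10.0.0.77 - - [11/Nov/2003:08:19:12 -0500] "GET /' + "A" * 1500 + ' HTTP/1.0" 404 0\n'
)

# Common/combined log format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

SMTP_PORT = 25


def classify_request(method, target, long_path=1024):
    """Return a reason string if the request line only makes sense to a
    forward proxy (or is otherwise suspicious), else None."""
    if method.upper() == "CONNECT":
        # CONNECT host:port asks the server to tunnel raw TCP to that host
        host, _, port = target.rpartition(":")
        if not host:
            host, port = target, ""
        reason = f"CONNECT tunnel to {host}:{port}"
        return reason + " (SMTP port)" if port == str(SMTP_PORT) else reason
    if "://" in target:
        # An absolute URI as request-target is a proxy request; an origin
        # server serving its own content only ever sees paths like /index.html
        try:
            parts = urlsplit(target)
            host = parts.hostname or parts.netloc
            port = parts.port or (443 if parts.scheme == "https" else 80)
        except ValueError:
            return f"malformed absolute-URI request-target {target[:80]}"
        reason = f"absolute-URI request to {host}:{port}"
        return reason + " (SMTP port)" if port == SMTP_PORT else reason
    if len(target) > long_path:
        # The "verrrry long pathnames" from the thread: overflow/fuzzing noise
        return f"request-target of {len(target)} bytes"
    return None


def scan_log(text, long_path=1024):
    """Parse access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common/combined format; skip rather than guess
        reason = classify_request(m["method"], m["target"], long_path)
        if reason is None:
            continue
        findings.append({
            "client": m["client"],
            "time": m["time"],
            "status": int(m["status"]),
            "reason": reason,
            # A 2xx means the request was answered rather than refused. For an
            # absolute-URI target that is a strong hint mod_proxy forwarded it,
            # but Apache can also answer such a request from its own
            # DocumentRoot, so confirm with the manual GET test from the thread.
            "served": m["status"].startswith("2"),
        })
    return findings


def summarize(findings):
    """Count suspicious requests per client address."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        flag = "SERVED " if h["served"] else "refused"
        print(f'{h["time"]} {h["client"]:<10} {h["status"]} {flag} {h["reason"]}')
    print("per-client:", summarize(hits))
```

Run it against a real log with `scan_log(open("/var/log/httpd/access_log").read())`. The `served` flag is the part worth acting on: a proxy-style request that got a 2xx is the log-side counterpart of the thread's telnet test returning a page from some.remote.site, whereas a 4xx means the server refused it. If served requests show up, the fix the thread points at is to make sure forward proxying is off, which in Apache means `ProxyRequests Off` (or not loading mod_proxy at all); that directive is Apache's own and is not something the thread spells out.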
