Security problem in apache with forms?

on 30.10.2007 14:29:18 by Harald Heggelund

Hello,

Since installing a new slackware server with apache and sendmail
out-of-the-box, I have noticed my server is sending (moderate amounts of)
spam worldwide.
I suspect some webform or cgi-script. In the apache log, I see lots of these
entries:

"POST http://87.118.100.88/proxy5/check.php HTTP/1.1" 404 297
"POST http://82.228.61.77:49627/Chcks/Data_I.php HTTP/1.1" 404 297

Have no idea what these scripts do (they certainly aren't mine!) but
probably they use my localmailer to send spam. I believed external script
was supposed to be forbidden (as the 404 may indicate), but maybe there's a
bug when calling them from a POST?

Any (other) suggestions?


Re: Security problem in apache with forms?

on 30.10.2007 14:31:46 by Christian Folini

Hey Harold,

On Tue, Oct 30, 2007 at 02:29:18PM +0100, Harald Heggelund wrote:
> Since installing a new slackware server with apache and sendmail
> out-of-the-box, I have noticed my server is sending (moderate amounts of)
> spam worldwide.
> I suspect some webform or cgi-script. In the apache log, I see lots of these
> entries:
>
> "POST http://87.118.100.88/proxy5/check.php HTTP/1.1" 404 297
> "POST http://82.228.61.77:49627/Chcks/Data_I.php HTTP/1.1" 404 297

If this is your server's log, then it's requests coming in.
The 404 number indicates, that the script in question has
not been found. Somebody tried to post data (POST requests)
to a script on your server, but the server did find the script and
returned HTTP Status 404 "File not found" back to the client (=spammer?).

It's rather typical to see this in a logfile of a server
connected to the internet. But the fact, that the request contains
more than the path is a bit unusual for me.

regs,

Christian


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

SV: Security problem in apache with forms?

on 30.10.2007 14:40:05 by Harald Heggelund

Thanks for your reply,

Yes, this is my server's log. The point is that the IP-addresses in the log
are completely unknown to me. In fact, one of them resolves to:
seg75-4-82-228-61-77.fbx.proxad.net [82.228.61.77]
seems suspicious to me. In some cases, the request itself is coming from the
same address.

Well, anyway, if this isn't the problem, SOMEHOW spam is entering my mail queue
from "localhost".
Any suggestions as to how I track down the origin?


> -----Original message-----
> From: Christian Folini [mailto:christian.folini@post.ch]
> Sent: 30 October 2007 14:32
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Security problem in apache with forms?
>
> Hey Harold,
>
> > "POST http://87.118.100.88/proxy5/check.php HTTP/1.1" 404 297
> > "POST http://82.228.61.77:49627/Chcks/Data_I.php HTTP/1.1" 404 297
>
> If this is your server's log, then it's requests coming in.
> The 404 number indicates, that the script in question has
> not been found. Somebody tried to post data (POST requests)
> to a script on your server, but the server did find the script and
> returned HTTP Status 404 "File not found" back to the client
> (=spammer?).
>
> It's rather typical to see this in a logfile of a server
> connected to the internet. But the fact, that the request contains
> more than the path is a bit unusual for me.
>
>


Re: Security problem in apache with forms?

on 30.10.2007 14:45:46 by Joshua Slive

On 10/30/07, Christian Folini wrote:
> Hey Harold,
>
> On Tue, Oct 30, 2007 at 02:29:18PM +0100, Harald Heggelund wrote:
> > Since installing a new slackware server with apache and sendmail
> > out-of-the-box, I have noticed my server is sending (moderate amounts of)
> > spam worldwide.
> > I suspect some webform or cgi-script. In the apache log, I see lots of these
> > entries:
> >
> > "POST http://87.118.100.88/proxy5/check.php HTTP/1.1" 404 297
> > "POST http://82.228.61.77:49627/Chcks/Data_I.php HTTP/1.1" 404 297

> It's rather typical to see this in a logfile of a server
> connected to the internet. But the fact, that the request contains
> more than the path is a bit unusual for me.

See:
http://wiki.apache.org/httpd/ProxyAbuse

Joshua.
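
Added example, not part of the thread and not Apache project code: a log triage script for the pattern discussed above, where the request line carries a full URL (or a CONNECT target) instead of a local path. It sorts such entries by whether the server refused them (4xx/5xx, like the 404s quoted in the thread) or answered with another status that needs a manual look. The function names, the `own_hosts` parameter and the sample log lines are assumptions made for this illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format prefix: client ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation addresses), modelled on the thread's entries.
SAMPLE_LOG = """\
198.51.100.23 - - [30/Oct/2007:14:01:12 +0100] "POST http://203.0.113.10/proxy5/check.php HTTP/1.1" 404 297
198.51.100.23 - - [30/Oct/2007:14:01:15 +0100] "POST http://203.0.113.77:49627/Chcks/Data_I.php HTTP/1.1" 404 297
192.0.2.44 - - [30/Oct/2007:14:02:40 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 312
192.0.2.44 - - [30/Oct/2007:14:03:02 +0100] "GET http://www.example.net/ HTTP/1.1" 200 1456
192.0.2.80 - - [30/Oct/2007:14:05:00 +0100] "GET /index.html HTTP/1.1" 200 1456
192.0.2.80 - - [30/Oct/2007:14:05:09 +0100] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 88
""".splitlines()


def proxy_attempts(lines, own_hosts=()):
    """Return requests whose target names a host other than this server."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line, or a malformed request line
        method, target = m["method"], m["target"]
        if method == "CONNECT":
            host = urlsplit("//" + target).hostname  # authority-form: host:port
        elif target.startswith("/") or target == "*":
            continue  # origin-form: an ordinary request for a local path
        else:
            host = urlsplit(target).hostname  # absolute-form: scheme://host/path
        if not host or host in own:
            continue  # unparseable target, or a full URL for one of our own names
        status = int(m["status"])
        # 4xx/5xx: the server did not serve it. Any other status needs review: it
        # may be proxied traffic, or only a local page returned for a foreign URL.
        verdict = "refused" if status >= 400 else "review"
        hits.append({"client": m["client"], "method": method, "host": host,
                     "status": status, "verdict": verdict})
    return hits


def summarize(hits):
    """Count hits per verdict and per (client, verdict) pair."""
    return (Counter(h["verdict"] for h in hits),
            Counter((h["client"], h["verdict"]) for h in hits))
```

Entries marked `review` are the ones to compare against the response size of a local page before concluding that anything was actually proxied.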
