Subject: Re: Found problem?
From: Mike Tibor (tibor@lib.uaa.alaska.edu)
Date: Sat Nov 15 2003 - 21:14:42 AKST
On Thu, 13 Nov 2003, Justin Dieters wrote:
>
> This looks like it might be the cause of my problem - spam via Apache
> and postfix...
>
> http://archives.neohapsis.com/archives/postfix/2003-07/0499.html
>
> I have tons of posts of "GET http://some.server.usually.porn..." and
> "POST http://more.servers.that.arent.mine...".
>
> I found out this is due to "ProxyRequests On" in the httpd.conf, but
> turning this off or completely commenting all the Proxy stuff out
> doesn't stop the requests from coming.
Well, it won't stop the requests from coming, but it should stop the
requests from exploiting you :-) The problem has nothing to do with
Postfix (or whatever MTA you happen to be using). Spammers appear to be
using your web server as a proxy, and by shutting that off you should be
able to solve the problem. If you actually need mod_proxy in Apache (very
doubtful) you can use the basic access controls to limit access by IP.
Otherwise just comment it all out of your httpd.conf and restart Apache.
If you make these changes you should see your server reply to these
requests with 404 errors. If it doesn't, something is wrong and you
should dig deeper.
I should point out that this problem is not limited to Apache's proxy
module--any application proxy without access controls is ripe for
exploitation.
Mike
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
This archive was generated by hypermail 2a23 : Sat Nov 15 2003 - 21:14:45 AKST