Bug#212030: apache: mod_proxy allows the world to use it - letting spammers bounce through it
Package: apache
Version: 1.3.27.1-3
Severity: normal
Tags: security
Today I received a warning from my ISP because another client of his
saw that my machine was trying to send spam messages through its SMTP
server. The report from the complainer looked like this:
h8H0rcr11849: ruleset=check_rcpt, arg1=<klonger@swbell.net>,
relay=line105-145.adsl.actcom.co.il [192.117.105.145], reject=550 5.7.1
<klonger@swbell.net>... Relaying denied
It really looks like the spam comes from my machine. Apache's logs for
that period contained error messages like:
[Wed Sep 17 00:58:37 2003] [error] [client 67.202.110.253] (111)Connection refused: proxy connect to 192.117.106.16 port 25 failed
And sometimes:
[Wed Sep 17 01:57:05 2003] [error] [client 64.216.222.87] Invalid method in request QUIT
My guess is that the spammer somehow causes Apache to redirect SMTP connections
through its mod_proxy.
The relevant parts in httpd.conf were:
--------------------------------------------------------
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
....
<IfModule mod_proxy.c>
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
ProxyRequests On
<Directory proxy:*>
Order deny,allow
#Deny from all
#Allow from .your_domain.com
Allow from all
</Directory>
</IfModule>
--------------------------------------------------------
I think this is a security bug (can cause DoS) because
1. It allows the system to be used to bounce spam e-mail, and I was lucky
that my ISP was friendly enough to call me before pulling the plug on
my connection,
2. It can also just generally load my link if someone uses my proxy on
the other side of my ADSL line, just to DoS me.
Thanks,
--Amos
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux picton 2.4.20 #2 Tue May 13 23:12:56 IDT 2003 i686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
Versions of packages apache depends on:
ii apache-common 1.3.27.1-3 Support files for all Apache webse
ii debconf 1.3.14 Debian configuration management sy
ii dpkg 1.10.15 Package maintenance system for Deb
ii libc6 2.3.2-7 GNU C Library: Shared libraries an
ii libdb4.1 4.1.25-6 Berkeley v4.1 Database Libraries [
ii libexpat1 1.95.6-6 XML parsing C library - runtime li
ii libmagic1 4.03-3 File type determination library us
ii logrotate 3.6.5-2 Log rotation utility
ii mime-support 3.23-1 MIME files 'mime.types' & 'mailcap
ii perl [perl5] 5.8.0-21 Larry Wall's Practical Extraction
-- debconf information:
apache/enable-suexec: false
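Added example, not part of the report or of the Debian apache package: a small Python checker that flags the two indicators quoted in the report in an Apache 1.3 error_log (proxy connects to mail ports, and SMTP verbs arriving as HTTP methods) and tests an httpd.conf fragment for the ProxyRequests On plus Allow from all combination. The sample log lines are constructed after the ones above; the SMTP_VERBS set and the extra ports 465/587 are my assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Apache 1.3 error_log lines quoted in the report.
SAMPLE_ERROR_LOG = """\
[Wed Sep 17 00:58:37 2003] [error] [client 67.202.110.253] (111)Connection refused: proxy connect to 192.117.106.16 port 25 failed
[Wed Sep 17 01:57:05 2003] [error] [client 64.216.222.87] Invalid method in request QUIT
[Wed Sep 17 02:10:11 2003] [error] [client 192.0.2.44] File does not exist: /var/www/favicon.ico
[Wed Sep 17 02:12:40 2003] [error] [client 67.202.110.253] (110)Connection timed out: proxy connect to 192.0.2.10 port 25 failed
[Wed Sep 17 02:15:02 2003] [error] [client 64.216.222.87] Invalid method in request EHLO
"""

LINE_RE = re.compile(r"^\[[^\]]+\] \[(?P<level>\w+)\] \[client (?P<client>[\d.]+)\] (?P<msg>.*)$")
PROXY_CONNECT_RE = re.compile(r"proxy connect to (?P<dst>[\d.]+) port (?P<port>\d+) failed")
INVALID_METHOD_RE = re.compile(r"Invalid method in request (?P<verb>\S+)")
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT", "RSET"}  # assumed set of SMTP commands seen as bogus HTTP methods

def find_proxy_abuse(log_text, mail_ports=(25, 465, 587)):
    """Return (events, per_client): (client, kind, detail) tuples and a per-client-IP count of indicator lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, msg = m.group("client"), m.group("msg")
        pc = PROXY_CONNECT_RE.search(msg)
        if pc and int(pc.group("port")) in mail_ports:
            events.append((client, "proxy-to-mail-port", pc.group("dst") + ":" + pc.group("port")))
            continue
        im = INVALID_METHOD_RE.search(msg)
        if im and im.group("verb").upper() in SMTP_VERBS:
            events.append((client, "smtp-verb-as-http-method", im.group("verb")))
    return events, Counter(c for c, _, _ in events)

def config_is_open_proxy(httpd_conf):
    """True if ProxyRequests is On and <Directory proxy:*> contains an uncommented 'Allow from all'."""
    proxy_requests_on = allow_all_in_proxy = False
    in_proxy_dir = False
    for raw in httpd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as '#Deny from all'
        if re.match(r"ProxyRequests\s+On$", line, re.I):
            proxy_requests_on = True
        elif re.match(r"<Directory\s+proxy:\*>$", line, re.I):
            in_proxy_dir = True
        elif line.lower() == "</directory>":
            in_proxy_dir = False
        elif in_proxy_dir and re.match(r"Allow\s+from\s+all$", line, re.I):
            allow_all_in_proxy = True
    return proxy_requests_on and allow_all_in_proxy
```

Run find_proxy_abuse over a real error_log and any client with several indicator lines is a candidate abuser of the proxy; config_is_open_proxy returns False once the Allow line is replaced by the commented-out Deny/Allow pair from the report.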