stopping "connect" attacks in apache
Chuck Swiger
cswiger at mac.com
Mon Jun 18 17:02:38 UTC 2007
On Jun 15, 2007, at 7:49 PM, Bob wrote:
> Every time my apache server slows down or has denial of service the access
> log is full of this
>
> 61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.157:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.159:25 HTTP/1.0" 200 7034 "-" "-"

IP 61.228.122.220 is using the HTTP CONNECT method to relay spam to
port 25 on the targets via your Apache server.

This almost certainly indicates that you've got mod_proxy loaded or
something similar via mod_perl/mod_php/whatever, as the CONNECT
attack would get a "405 Method not allowed" error otherwise.

Check http://your_webserver/server-info for details.

--
-Chuck
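
Added example, not part of the original message: a Python check that scans an access log for CONNECT requests and separates those answered with a 2xx status (the case the reply above treats as a sign that a proxy handler is active) from those refused. The function names are hypothetical and the sample lines are constructed with documentation address ranges.

```python
import re
from collections import defaultdict

# Matches client address, CONNECT target and status in both the abbreviated
# format quoted in the thread and Apache's common/combined log formats.
CONNECT_RE = re.compile(
    r'^(?P<client>\S+) .*?"CONNECT (?P<host>[^\s:"]+):(?P<port>\d+) '
    r'HTTP/[\d.]+" (?P<status>\d{3})\b'
)

def summarize_connects(lines):
    """Group CONNECT requests per client: accepted (2xx) versus refused."""
    report = defaultdict(lambda: {"accepted": 0, "refused": 0, "ports": set()})
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue  # not a CONNECT request
        entry = report[m["client"]]
        if m["status"].startswith("2"):
            entry["accepted"] += 1
            entry["ports"].add(int(m["port"]))  # ports of accepted targets only
        else:
            entry["refused"] += 1  # e.g. 405 Method Not Allowed
    return dict(report)

def open_proxy_clients(lines, smtp_port=25):
    """Clients whose CONNECT requests to the SMTP port got a 2xx answer."""
    return sorted(client for client, e in summarize_connects(lines).items()
                  if smtp_port in e["ports"])

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE = [
    '192.0.2.10 - "CONNECT 198.51.100.5:25 HTTP/1.0" 200 7034 "-" "-"',
    '192.0.2.10 - "CONNECT 198.51.100.6:25 HTTP/1.0" 200 7034 "-" "-"',
    '192.0.2.44 - - [18/Jun/2007:17:02:38 +0000] '
    '"CONNECT 198.51.100.7:25 HTTP/1.0" 405 312',
    '192.0.2.77 - - [18/Jun/2007:17:03:01 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, e in summarize_connects(SAMPLE).items():
        print(client, "accepted:", e["accepted"], "refused:", e["refused"],
              "ports:", sorted(e["ports"]))
    print("2xx CONNECT to port 25 from:", open_proxy_clients(SAMPLE))
```

Run it against the real access log by passing an open file object instead of `SAMPLE`; once the proxy handler is disabled, the same clients should move from the accepted to the refused column.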