stopping "connect" attacks in apache
Chuck Swiger cswiger at mac.com
Mon Jun 18 17:02:38 UTC 2007

On Jun 15, 2007, at 7:49 PM, Bob wrote:
> Every time my apache server slows down or has denial of service the
> access log is full of this:
>
> 61.228.122.220 -  "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 -  "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 -  "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 -  "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 -  "CONNECT 168.95.5.157:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 -  "CONNECT 168.95.5.159:25 HTTP/1.0" 200 7034 "-" "-"

IP 61.228.122.220 is using the HTTP CONNECT method to relay spam to
port 25 on the targets via your Apache server.

This almost certainly indicates that you've got mod_proxy loaded or
something similar via mod_perl/mod_php/whatever, as the CONNECT
attack would get a "405 Method not allowed" error otherwise.

Check http://your_webserver/server-info for details.

-- 
-Chuck
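
One way to triage an access log for the pattern discussed in this thread, as an added example that is not part of the original post: it groups CONNECT requests by client and separates those answered with a 2xx status (the server relayed them) from those it refused. The function names are hypothetical; the first two sample lines are the ones quoted in the post, the last two are constructed.

```python
import re
from collections import defaultdict

# Client address at line start, then the first quoted request line and the
# status code after it. Accepts common/combined log format as well as the
# trimmed format quoted in the post (no timestamp field).
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

def parse_connect(line):
    """Return (client, host, port, status) for a CONNECT entry, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "CONNECT":
        return None
    host, _, port = m["target"].rpartition(":")
    if not host or not port.isdigit():
        return None  # malformed CONNECT target, not host:port
    return m["client"], host, int(port), int(m["status"])

def summarize(lines):
    """Map client -> {"relayed": {port: set(hosts)}, "refused": count}."""
    report = defaultdict(lambda: {"relayed": defaultdict(set), "refused": 0})
    for line in lines:
        hit = parse_connect(line)
        if hit is None:
            continue
        client, host, port, status = hit
        if 200 <= status < 300:   # proxy accepted and tunnelled the request
            report[client]["relayed"][port].add(host)
        else:                     # e.g. 403 or 405: server refused
            report[client]["refused"] += 1
    return report

def relaying_clients(report):
    """Clients for which at least one CONNECT was actually relayed."""
    return sorted(c for c, info in report.items() if info["relayed"])

SAMPLE = [
    '61.228.122.220 -  "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"',
    '61.228.122.220 -  "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"',
    # Constructed lines: a refused CONNECT and an ordinary GET.
    '198.51.100.7 - - [18/Jun/2007:17:02:38 +0000] "CONNECT 192.0.2.10:25 HTTP/1.0" 405 312 "-" "-"',
    '203.0.113.9 - - [18/Jun/2007:17:02:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for client in relaying_clients(rep):
        for port, hosts in sorted(rep[client]["relayed"].items()):
            print(f"{client} relayed to port {port}: {len(hosts)} target(s)")
```

Any client listed by `relaying_clients` means the server is acting as an open proxy; once that is closed, the same entries should show up under `refused` instead.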
    
    