Mandrake 9.2 and Apache Open Proxy Bug

Leave a reply

the standard apache config of this linux version can cause serious trouble

The problem:
Linux Mandrake 9.2 uses  apache 2.0.47 by default – but take a careful look at your apache config files, because the server is set up by default with an open proxy port – so your box could be “hijacked” by spammers, who use your machine as their own proxy server.

More info about mod_proxy: http://httpd.apache.org/docs-2.0/mod/mod_proxy.html

I became attentive to the hijacking of my system, because the network performance was suddenly very poor, and the http – log of apache showed thousands of lines of “GET” and “CONNECT” requests to foreign domains (mostly porn sites) – this resulted in a massive overload on the server.

Check the open proxy server
To check if your box does really act as an open proxy server, just connect via telnet and try a “GET” request to another adress.

 telnet www.yourserver.com 80
 GET http://www.google.com

If the request returns the source code of www.google.com, your server acts as an open proxy!
Solution:
In Mandrake 9.2, the proxy – configrations can be found in  /etc/httpd/conf.d/30_mod_proxy.conf – please check your settings with the following settings, and your server will lock out the bad guys.

--------------------------------------

LoadModule proxy_module  modules/mod_proxy.so
# LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
ProxyRequests Off
#

   Order deny,allow
   Deny from all
   Allow from 127.0.0.1

#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
ProxyVia Off
# End of proxy directives.
---------------------------------------

If your server has already been hijacked and its adress shows up in spammer lists, the requests will not stop immediatly, this will take a few days (up to two weeks)

In my case, everything worked fine after 4 days.

The problem:
Linux Mandrake 9.2 uses  apache 2.0.47 by default – but take a careful look at your apache config files, because the server is set up by default with an open proxy port – so your box could be “hijacked” by spammers, who use your machine as their own proxy server.

More info about mod_proxy: http://httpd.apache.org/docs-2.0/mod/mod_proxy.html

I became attentive to the hijacking of my system, because the network performance was suddenly very poor, and the http – log of apache showed thousands of lines of “GET” and “CONNECT” requests to foreign domains (mostly porn sites) – this resulted in a massive overload on the server.

Check the open proxy server
To check if your box does really act as an open proxy server, just connect via telnet and try a “GET” request to another adress.

 telnet www.yourserver.com 80
 GET http://www.google.com

If the request returns the source code of www.google.com, your server acts as an open proxy!

Solution:

In Mandrake 9.2, the proxy – configrations can be found in  /etc/httpd/conf.d/30_mod_proxy.conf – please check your settings with the following settings, and your server will lock out the bad guys.

--------------------------------------

LoadModule proxy_module  modules/mod_proxy.so
# LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
ProxyRequests Off
#

   Order deny,allow
   Deny from all
   Allow from 127.0.0.1

#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
ProxyVia Off
# End of proxy directives.
---------------------------------------

If your server has already been hijacked and its adress shows up in spammer lists, the requests will not stop immediatly, this will take a few days (up to two weeks)

In my case, everything worked fine after 4 days.

Leave a Reply

Your email address will not be published. Required fields are marked *