From: Chuck Swiger <cswiger@mac.com>
Date: Mon, 18 Jun 2007 10:02:18 -0700
To: bob@a1poweruser.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: stopping "connect" attacks in apache
Message-Id: <97823238-9544-478B-BAF3-C9CC53BBB36A@mac.com>

On Jun 15, 2007, at 7:49 PM, Bob wrote:

> Every time my apache server slows down or has denial of service the
> access log is full of this
>
> 61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.157:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.159:25 HTTP/1.0" 200 7034 "-" "-"

IP 61.228.122.220 is using the HTTP CONNECT method to relay spam to port 25 on the targets via your Apache server. This almost certainly indicates that you've got mod_proxy loaded or something similar via mod_perl/mod_php/whatever, as the CONNECT attack would get a "405 Method not allowed" error otherwise.

Check http://your_webserver/server-info for details.

-- 
-Chuck
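The diagnosis above turns on one detail in the log: a CONNECT request answered with status 200 means Apache actually opened the tunnel to the target's port 25, whereas a 405 or 403 means it was refused. The following script, an added example that is not part of Chuck's reply or Bob's post, parses access-log lines in the shape Bob quoted (it also tolerates the standard combined format with ident, user and timestamp fields before the request line), keeps only CONNECT requests aimed at mail ports, and reports per client IP how many tunnels succeeded versus were refused. The sample log is constructed for the example: the first lines reuse the entries from the post, and the GET line and the 405 line from 198.51.100.7 are made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines 1-4 are the entries quoted in the thread;
# the GET and the refused (405) CONNECT are invented to show the contrast.
SAMPLE_LOG = """\
61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
61.228.122.220 - "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
61.228.122.220 - "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
192.0.2.10 - "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2007:10:02:18 -0700] "CONNECT 203.0.113.9:25 HTTP/1.0" 405 329 "-" "-"
"""

# Client IP first, then anything up to the quoted request line (covers both the
# trimmed format in the post and the combined format with ident/user/timestamp),
# then the three-digit status and the byte count.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Ports that only make sense for an open relay: SMTP and submission.
MAIL_PORTS = (25, 465, 587)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def connect_port(target):
    """Return the destination port of a CONNECT host:port target, else None."""
    _host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def find_connect_relays(log_text, ports=MAIL_PORTS):
    """Per client IP, count CONNECTs to the given ports that Apache tunnelled
    (2xx status) versus refused (anything else), plus the set of targets."""
    report = defaultdict(lambda: {"relayed": 0, "refused": 0, "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if connect_port(rec["target"]) not in ports:
            continue
        entry = report[rec["ip"]]
        entry["targets"].add(rec["target"])
        if 200 <= rec["status"] < 300:
            entry["relayed"] += 1   # tunnel was opened: the relay worked
        else:
            entry["refused"] += 1   # e.g. 405/403: proxying is not enabled
    return dict(report)


def offenders(log_text, min_relayed=1):
    """IPs that had at least min_relayed successful mail-port tunnels,
    most active first."""
    report = find_connect_relays(log_text)
    hits = [(ip, e["relayed"]) for ip, e in report.items() if e["relayed"] >= min_relayed]
    return sorted(hits, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for ip, e in find_connect_relays(SAMPLE_LOG).items():
        print(f"{ip}: relayed={e['relayed']} refused={e['refused']} "
              f"targets={sorted(e['targets'])}")
    print("offenders:", offenders(SAMPLE_LOG))
```

Any IP with a non-zero relayed count confirms what Chuck describes: forward proxying with CONNECT is enabled and is being abused, so the fix belongs in httpd.conf rather than in the firewall alone. Set `ProxyRequests Off` unless the host is meant to be a forward proxy; if it is, restrict who may use it with a `<Proxy *>` block that denies all but your own clients, and keep `AllowCONNECT` limited to the ports you actually need (its default covers only 443 and 563, never 25). CONNECT tunnelling in particular is implemented by mod_proxy_connect, so not loading that module is another way to remove the capability outright.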