Date: Mon, 18 Jun 2007 10:02:18 -0700
From: Chuck Swiger <cswiger@mac.com>
To: bob@a1poweruser.com
Cc: "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: stopping "connect" attacks in apache
Message-ID: <97823238-9544-478B-BAF3-C9CC53BBB36A@mac.com>
In-Reply-To: <NBECLJEKGLBKHHFFANMBEEKJCDAA.bob@a1poweruser.com>
References: <NBECLJEKGLBKHHFFANMBEEKJCDAA.bob@a1poweruser.com>

On Jun 15, 2007, at 7:49 PM, Bob wrote:
> Every time my apache server slows down or has denial of service the access
> log is full this
>
> 61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.157:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.159:25 HTTP/1.0" 200 7034 "-" "-"

IP 61.228.122.220 is using the HTTP CONNECT method to relay spam to port 25 on the targets via your Apache server. This almost certainly indicates that you've got mod_proxy loaded or something similar via mod_perl/mod_php/whatever, as the CONNECT attack would get a "405 Method not allowed" error otherwise.

Check http://your_webserver/server-info for details.

-- 
-Chuck

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?97823238-9544-478B-BAF3-C9CC53BBB36A>
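
Added example, not part of the original message: a log check built on the reply above, which separates clients whose CONNECT requests received a 2xx response (the case the reply attributes to a loaded proxy module) from clients that were refused. The function names and the sample lines are constructed for illustration, and the sample addresses come from documentation ranges.

```python
import re
from collections import defaultdict

# Client address at line start, then the quoted request line and its status.
# Accepts the trimmed lines quoted in the message as well as full
# common/combined log format (ident, user, [timestamp] before the request).
LINE_RE = re.compile(
    r'^(?P<client>\S+)\s.*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})\b'
)

def scan(lines):
    """Return {client: {"relayed": [(host, port)], "refused": n}} for CONNECT."""
    report = defaultdict(lambda: {"relayed": [], "refused": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue  # unparseable line or an ordinary request
        host, sep, port = m["target"].rpartition(":")
        if not sep:  # target without an explicit port
            host, port = port, ""
        entry = report[m["client"]]
        if m["status"].startswith("2"):
            # The server did not reject CONNECT; per the reply this points
            # to proxying being enabled and should be checked in server-info.
            entry["relayed"].append((host, int(port) if port.isdigit() else None))
        else:
            # For example 405 Method Not Allowed: the request was refused.
            entry["refused"] += 1
    return dict(report)

def open_proxy_clients(report):
    """Clients with at least one CONNECT that was answered with 2xx."""
    return sorted(c for c, e in report.items() if e["relayed"])

# Constructed sample lines (not taken from a real log).
SAMPLE = [
    '192.0.2.10 - "CONNECT 198.51.100.5:25 HTTP/1.0" 200 7034 "-" "-"',
    '192.0.2.10 - "CONNECT 198.51.100.6:25 HTTP/1.0" 200 7034 "-" "-"',
    '203.0.113.7 - - [18/Jun/2007:10:02:18 -0700] '
    '"CONNECT 198.51.100.5:25 HTTP/1.0" 405 312 "-" "-"',
    '192.0.2.99 - - [18/Jun/2007:10:02:19 -0700] '
    '"GET /index.html HTTP/1.1" 200 7034 "-" "-"',
]

if __name__ == "__main__":
    for client in open_proxy_clients(scan(SAMPLE)):
        print("CONNECT accepted for", client)
```

A client that appears only under "refused" is probing a server that already rejects CONNECT; any entry under "relayed" is the condition to resolve first.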