Help I think I am being used as a proxy forwarding server

Viewing 9 posts - 1 through 9 (of 9 total)
    #367538
    trampoline
    Participant

    I think my server is being used (hacked) as a proxy server. Can anyone explain this, and what should I do?
    84.16.252.116 - - [08/Nov/2006:11:46:14 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:11:47:57 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:11:48:10 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:11:48:48 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:12:00:14 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:12:23:36 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:12:26:09 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317

    #367541
    trampoline
    Participant

    I have allowed htaccess, but proxy is set to off; however, it looks like a proxy connection. What could be wrong?

    #367543
    Anonymous
    Guest

    I get something similar in my web server log. Explain this?

    84.16.252.115 - - [08/Nov/2006:10:15:43 -0600] "CONNECT mail.yahoo.com:443 HTTP/1.1" 200 5809 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    208.99.194.66 - - [08/Nov/2006:10:15:52 -0600] "CONNECT mail.managed.com:25 HTTP/1.0" 200 5796 "-" "-"
    84.16.252.116 - - [08/Nov/2006:10:16:07 -0600] "CONNECT mail.yahoo.com:443 HTTP/1.1" 200 5809 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    66.185.126.57 - - [08/Nov/2006:10:16:59 -0600] "CONNECT mx.nyc.untd.com:25 HTTP/1.0" 200 5796 "-" "-"
    66.185.126.57 - - [08/Nov/2006:10:18:14 -0600] "CONNECT mx.videotron.ca:25 HTTP/1.0" 200 5796 "-" "-"
    202.101.43.204 - - [08/Nov/2006:10:19:02 -0600] "CONNECT smtp1.google.com:25 HTTP/1.0" 200 5796 "-" "-"
    66.207.212.181 - - [08/Nov/2006:10:19:02 -0600] "CONNECT 65.54.245.104:25 HTTP/1.0" 200 5796 "-" "-"
    67.43.158.3 - - [08/Nov/2006:10:19:26 -0600] "CONNECT 68.6.19.3:25 HTTP/1.0" 200 5796 "-" "-"
    89.149.194.211 - - [08/Nov/2006:10:19:41 -0600] "CONNECT mail.yahoo.com:443 HTTP/1.1" 200 5809 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    220.196.42.19 - - [08/Nov/2006:10:19:47 -0600] "CONNECT maila.microsoft.com:25 HTTP/1.0" 200 5796 "-" "-"
    84.16.252.116 - - [08/Nov/2006:10:20:01 -0600] "CONNECT mail.yahoo.com:443 HTTP/1.1" 200 5809 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    67.43.157.44 - - [08/Nov/2006:10:20:51 -0600] "\x04\x01" 200 5796 "-" "-"
    84.16.252.116 - - [08/Nov/2006:10:21:12 -0600] "CONNECT mail.yahoo.com:443 HTTP/1.1" 200 5809 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    67.43.158.3 - - [08/Nov/2006:10:21:18 -0600] "\x04\x01" 200 5796 "-" "-"
    84.16.252.116 - - [08/Nov/2006:10:21:44 -0600] "CONNECT mail.yahoo.com:443 HTTP/1.1" 200 5809 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    222.73.0.11 - - [08/Nov/2006:10:21:54 -0600] "\x05\x01" 200 5796 "-" "-"
    66.185.126.52 - - [08/Nov/2006:10:22:34 -0600] "CONNECT mx.frontiernet.net:2

    #367548
    trampoline
    Participant

    Well, it seems the server thinks it’s a valid request. Without looking at data packets, which I am not qualified to do, I would say someone is using my server as a proxy to send e-mail with Yahoo mail? With Proxy off, I am thinking perhaps this is something to do with my htaccess enabling; would this allow a CONNECT? I am assuming I am right and I am being used as a proxy.
    Anyone got any suggestions? It does not look good!

    #367555
    Anonymous
    Guest

    Hi,
    same problem on my server:
    66.185.126.52 - - [30/Oct/2006:23:25:50 +0100] "CONNECT mx00.mail.bellsouth.net:25 HTTP/1.0" 200 1109 "-" "-"
    66.185.126.36 - - [30/Oct/2006:23:27:23 +0100] "CONNECT 67.28.113.73:25 HTTP/1.0" 200 1109 "-" "-"
    66.185.126.57 - - [30/Oct/2006:23:27:59 +0100] "CONNECT mx.lax.untd.com:25 HTTP/1.0" 200 1109 "-" "-"
    66.185.126.57 - - [30/Oct/2006:23:28:33 +0100] "CONNECT mx5.centurytel.net:25 HTTP/1.0" 200 1109 "-" "-"
    67.43.158.3 - - [30/Oct/2006:23:29:24 +0100] "CONNECT 68.6.19.3:25 HTTP/1.0" 200 1109 "-" "-"
    61.152.198.19 - - [30/Oct/2006:23:29:28 +0100] "CONNECT mailc.microsoft.com:25 HTTP/1.0" 200 1109 "-" "-"
    208.99.194.66 - - [30/Oct/2006:23:29:39 +0100] "CONNECT mail.managed.com:25 HTTP/1.0" 200 1109 "-" "-"

    But don’t you worry too much about it. The 1109 is the response size and is exactly the size of my default page. It seems like the CONNECT is treated like a GET to the server root and the default page is returned in the response. I don’t think the connect really takes place at all; I don’t even have the proxy module installed.
    Still, it’s an annoying thing. My basic idea about it is to deny any CONNECT requests and see if this is possible.


    @Trampoline: Your server returns HTTP 405; this means “Resource not allowed”. This is what I’ll try to manage on my machine. I don’t think much more can be done 🙁
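An added example, not code from anyone in this thread: it applies the reasoning in this post to the log lines quoted above. It parses the access log, flags CONNECT and raw SOCKS-greeting lines, and uses the body size of a normal GET of the default page to separate "default page returned" from a 405 rejection and from anything else that deserves a closer look. The GET line, its client address and its client string are constructed; the size match is only a heuristic.

```python
import re
from collections import Counter
# One Apache common/combined log line: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)')

# Sample input: lines as posted in this thread (forum quotes normalised to ASCII) plus one
# constructed ordinary GET of the site's default page, so a baseline body size can be learned.
SAMPLE_LOG = r"""
84.16.252.116 - - [08/Nov/2006:11:46:14 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
84.16.252.115 - - [08/Nov/2006:10:15:43 -0600] "CONNECT mail.yahoo.com:443 HTTP/1.1" 200 5809 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
208.99.194.66 - - [08/Nov/2006:10:15:52 -0600] "CONNECT mail.managed.com:25 HTTP/1.0" 200 5796 "-" "-"
67.43.157.44 - - [08/Nov/2006:10:20:51 -0600] "\x04\x01" 200 5796 "-" "-"
222.73.0.11 - - [08/Nov/2006:10:21:54 -0600] "\x05\x01" 200 5796 "-" "-"
10.0.0.5 - - [08/Nov/2006:10:22:00 -0600] "GET / HTTP/1.1" 200 5796 "-" "constructed-client/1.0"
"""

def parse(text):
    """Yield one dict per line that matches LOG_RE; a '-' byte count becomes 0."""
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        d = m.groupdict()
        d["status"], d["size"] = int(d["status"]), int(d["size"].replace("-", "0"))
        yield d

def default_page_size(records):
    """Most common body size of successful GETs: the 'default page' the post describes."""
    sizes = Counter(r["size"] for r in records if r["request"].startswith("GET ") and r["status"] == 200)
    return sizes.most_common(1)[0][0] if sizes else None

def verdict(rec, baseline):
    """(kind, assessment) for a proxy-abuse attempt, or None for ordinary traffic."""
    req = rec["request"]
    if req.startswith("CONNECT "):
        port = req.split()[1].rsplit(":", 1)[-1]      # host:port the client asked to tunnel to
        kind = "connect-smtp" if port == "25" else "connect-" + port
    elif req.startswith(r"\x04") or req.startswith(r"\x05"):
        kind = "socks-probe"                           # raw SOCKS4/SOCKS5 greeting sent to port 80
    else:
        return None
    if rec["status"] == 405:
        return kind, "rejected: 405 Method Not Allowed"
    if rec["status"] == 200 and rec["size"] == baseline:
        return kind, "not relayed: 200 but body is the default page"
    return kind, "review: %d with %d bytes" % (rec["status"], rec["size"])   # size match is a heuristic

def analyze(text):
    """{ip, kind, assessment} for every suspicious line in an access log."""
    records = list(parse(text))
    baseline = default_page_size(records)
    return [dict(ip=r["ip"], kind=v[0], assessment=v[1]) for r in records for v in [verdict(r, baseline)] if v]
```

Lines whose 200 body size differs from the default page (the 5809-byte HTTP/1.1 responses above) land in "review" rather than being dismissed, which is where a practitioner would confirm with a packet capture or the proxy module's status.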

    #367556
    trampoline
    Participant

    [QUOTE][u]Quote by: macshome[/u]

    It looks like you are being used as a spambot relay.
    Are you using the web services to host to the outside world? If not, block all inbound 80 to the server from the outside world.
    Take a look at your last logs and see if there are any strange logins to the server. Change your root and admin passwords now.

    [/QUOTE]
    Yes, I am hosting to the world??

    #367559
    Anonymous
    Guest

    I am hosting webpages to the outside. These appear to be some type of request to port 80, but I do not see any outbound traffic to any mail server. This does not appear to be a break-in attempt; not sure what it is.

    I blocked all the IPs that made these requests, about 24. Not sure what else to do.

    #367564
    trampoline
    Participant

    [QUOTE][u]Quote by: macshome[/u]

    Are you hosting a webpage to people outside of your local network?

    [/QUOTE]

    Yes, 7 web sites.
    However, it’s all stopped now. I think it may be a new robot program which attempts to use servers as a web proxy to then use Yahoo mail to send spam, quite clever, but perhaps the persistent requests indicate it does not check the success of requests for a while. I imagine OS X Server must initially allow such requests, in as much as it does not deny the initial request, but the robot gets no further…
    Or something like that; it seems they have all gone now!

    #367631
    ChrisRyland
    Participant

    [QUOTE][u]Quote by: trampoline[/u]

    I think my server is being used (hacked) as a proxy server. Can anyone explain this, and what should I do?
    84.16.252.116 - - [08/Nov/2006:11:46:14 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:11:47:57 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:11:48:10 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:11:48:48 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:12:00:14 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:12:23:36 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317
    84.16.252.116 - - [08/Nov/2006:12:26:09 +0000] "CONNECT mail.yahoo.com:443 HTTP/1.1" 405 317

    [/QUOTE]

    Nothing to worry about, really–someone is trying to use your web server as a relay, but it’s correctly responding with a 405 HTTP error (method not allowed).
