
Being HACKED as proxy for EMAIL


galto

Posted

I'm hoping someone can help me with this issue. I've searched the forums for a couple of hours and didn't see anyone posting anything similar.

Basically, I have OSCommerce installed on my Linux machine using Apache. Recently, I noticed that I have been getting HACKED by outsiders who are coming in via PORT 80 (HTTP), doing a CONNECT to port 25 (the EMAIL port), and they are succeeding (code of 200). This is BAD since they're using my server to disguise all the SPAM they're sending. Here's a snapshot of my apache ACCESS_LOG:

218.169.61.235 - - [20/Jan/2006:22:21:06 -0500] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 13688 "-" "-"
220.136.197.58 - - [20/Jan/2006:22:21:14 -0500] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 13688 "-" "-"
220.139.91.75 - - [20/Jan/2006:22:21:18 -0500] "CONNECT 168.95.5.21:25 HTTP/1.0" 200 13688 "-" "-"
59.120.198.237 - - [20/Jan/2006:22:21:27 -0500] "CONNECT 168.95.5.21:25 HTTP/1.0" 200 13688 "-" "-"
61.225.15.45 - - [20/Jan/2006:22:21:48 -0500] "CONNECT 168.95.5.11:25 HTTP/1.0" 200 13688 "-" "-"
220.139.91.75 - - [20/Jan/2006:22:22:00 -0500] "CONNECT 202.39.131.130:25 HTTP/1.0" 200 13688 "-" "-"
218.169.61.235 - - [20/Jan/2006:22:22:10 -0500] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 13688 "-" "-"
218.169.61.235 - - [20/Jan/2006:22:22:10 -0500] "CONNECT 202.43.200.11:25 HTTP/1.0" 200 13688 "-" "-"
220.139.79.151 - - [20/Jan/2006:22:22:32 -0500] "CONNECT 210.59.196.43:25 HTTP/1.0" 200 13688 "-" "-"
220.139.91.75 - - [20/Jan/2006:22:22:56 -0500] "CONNECT 168.95.5.115:25 HTTP/1.0" 200 13688 "-" "-"

So I think this is a PHP/OSCommerce issue. I've tightened up/secured my apache httpd.conf file as much as I know how and with as much information as I was able to find in other forums. The feedback I got from most other forums was on tightening up the httpd.conf file, which I did - but the problems continue, and each day the volume of these hacking requests gets larger.

 

The primary reason I think it's PHP/OScommerce is because earlier today I realized that OSCOMMERCE crashed. I got errors telling me that my "sessions" and "whos_online" tables were corrupt. So I dropped them and reinstalled them. Then I started monitoring those tables, and basically each of these CONNECT requests results in a new session id and whos_online entry. And on the whos_online entry, the originating IP ADDRESS is captured and the "last_page_url" is the IP Address following the connect (e.g., 168.95.5.115:25).

 

So that tells me that somehow these CONNECT requests are coming in via PHP and OSCOMMERCE which results in these tables being written to.

 

This is SEVERE so I'm hoping someone out there can help.

 

Thanks

Posted

Have you applied the patch upgrades discussed in this thread? It sounds a little like they are using your email functions from the contact forms on your site. There is a patch for that in it.

 

Included in the complete download package is a step by step upgrade instruction set. Each section of it identifies the issue it addresses. With only one or two exceptions, the various patches are not codependent so you don't have to apply all of it if you don't need to. For example, if you aren't upgrading to mySQL 5, then you don't need to apply the mySQL5 compatibility patch steps.

 

hth

Rule #1: Without exception, backup your database and files before making any changes to your files or database.

Rule #2: Make sure there are no exceptions to Rule #1.

Posted
Have you applied the patch upgrades discussed in this thread? It sounds a little like they are using your email functions from the contact forms on your site. There is a patch for that in it.

 

Included in the complete download package is a step by step upgrade instruction set. Each section of it identifies the issue it addresses. With only one or two exceptions, the various patches are not codependent so you don't have to apply all of it if you don't need to. For example, if you aren't upgrading to mySQL 5, then you don't need to apply the mySQL5 compatibility patch steps.

 

hth

 

Thanks for the information. I actually was NOT aware of this so this is good information.

 

I have made the majority of the updates and my problem continues. I was unable to do the "Validate Session ID" fix since I have the Register Globals Patch. That patch has different code for the "tep_session_start" function in sessions.php. I tried the patch but my site stopped working so I had to put the code back for this one. I'm not sure if this issue would solve my problem - probably not but I'll keep working on it just in case.

 

Anyone have any other ideas on my attacks? Is there something I have configured that is allowing these hackers to use me as a proxy gateway to redirect email? Again, each of these requests is writing into my whos_online table as well as the sessions table, which is why I think it's a PHP and OSCOMMERCE issue. Any ideas - maybe folder permissions or file permissions or something?

 

I have Fedora Core 2, Apache 2.0.51, PHP 4.4.1, and MySQL 5.0.15-standard.

 

 

Thanks...

Posted
Anyone have any other ideas on my attacks? Is there something I have configured that is allowing these hackers to use me as a proxy gateway to redirect email?
There is a flaw in Apache < 2.0.55 that sounds like it could be relevant to your problem:
http://httpd.apache.org/security/vulnerabilities_20.html

 

moderate: HTTP Request Spoofing CVE-2005-2088

A flaw occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, causing Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request. This could allow the bypass of web application firewall protection or lead to cross-site scripting (XSS) attacks.

 

Update Released: 14th October 2005

Affects: 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088

Posted
As this is your own server, use a different port other than 25 for mail.

Vger

Posted
or

<Location />
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Location>

Treasurer MFC
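The LimitExcept block above makes Apache answer CONNECT with 403, but the 200 responses in the first post mean Apache actually opened those tunnels, which in 2.0 only happens when mod_proxy is loaded and ProxyRequests is On (an assumption about this server; the thread never shows the httpd.conf). An added example, not from the thread, that switches forward proxying off at the source and keeps the method restriction as a second layer:

```apache
# Forward proxying off at the source. ProxyRequests defaults to Off, but set
# it explicitly so nothing later in the configuration can leave it On.
# Wrapped in IfModule so the directive is not an error on a build without mod_proxy.
<IfModule mod_proxy.c>
    ProxyRequests Off
</IfModule>

# Second layer: the method restriction from the post above. Every method other
# than GET and POST (CONNECT, TRACE, PUT, ...) gets a 403 from Apache itself,
# before any handler or PHP script runs.
<Location />
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>
```

"Deny from all" is the Apache 2.0/2.2 syntax used in this thread; on Apache 2.4 the equivalent line inside LimitExcept is "Require all denied".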

Posted
or

<Location />
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Location>

I tried Amanda's suggestion and IT WORKED!!! - Thanks a lot!!! By limiting the traffic to just GETs and POSTs, it is now rejecting all those CONNECTs. This is what my log is showing now (the 403 errors):

61.228.159.211 - - [21/Jan/2006:09:49:03 -0500] "CONNECT 168.95.5.8:25 HTTP/1.0" 403 3931 "-" "-"
61.228.149.230 - - [21/Jan/2006:09:49:05 -0500] "CONNECT 202.43.200.11:25 HTTP/1.0" 403 3931 "-" "-"
203.67.117.33 - - [21/Jan/2006:09:49:12 -0500] "CONNECT 168.95.5.115:25 HTTP/1.0" 403 3931 "-" "-"
61.228.149.230 - - [21/Jan/2006:09:49:17 -0500] "CONNECT 66.161.32.221:25 HTTP/1.0" 403 3931 "-" "-"
59.112.214.84 - - [21/Jan/2006:09:49:20 -0500] "CONNECT 168.95.5.42:25 HTTP/1.0" 403 3931 "-" "-"
203.70.48.113 - - [21/Jan/2006:09:49:23 -0500] "CONNECT 203.84.195.1:25 HTTP/1.0" 403 3931 "-" "-"
61.228.149.230 - - [21/Jan/2006:09:49:45 -0500] "CONNECT 198.62.218.89:25 HTTP/1.0" 403 3931 "-" "-"
61.228.159.211 - - [21/Jan/2006:09:49:50 -0500] "CONNECT 211.23.120.126:25 HTTP/1.0" 403 3931 "-" "-"
59.112.214.84 - - [21/Jan/2006:09:50:18 -0500] "CONNECT 140.112.90.72:25 HTTP/1.0" 403 3931 "-" "-"
219.81.239.169 - - [21/Jan/2006:09:50:49 -0500] "CONNECT 168.95.5.10:25 HTTP/1.0" 403 3931 "-" "-"

Hopefully the volume will die down now that my server cannot be used as a proxy gateway.....

 

I do have Apache version 2.0.51, so the "HTTP Request Spoofing CVE-2005-2088" MAY BE the culprit. However, I wasn't able to easily install the update. I'm on Fedora Core 2 and I was using YUM. It tells me that Apache is up to date. I guess that means that the Fedora Core 2 team has yet to put this patch in. Does anyone know if I can bypass YUM and do an RPM install instead? Does this cause me other problems with trying to stay current with Apache and Fedora 2 certifications?

And I thought I knew Linux and server administration well; I still have a lot to learn. Thanks for all the help.....
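The two log snapshots in this thread (CONNECT answered with 200 before the fix, 403 after) are easy to check for mechanically. An added example, not code from the thread or from osCommerce, that parses lines in the same Apache access-log layout and reports which clients were actually granted tunnels and to which destination ports, versus which were refused; the sample lines are constructed with documentation-range IPs, not taken from the poster's log.

```python
import re
from collections import Counter

# One Apache access-log line as shown in the thread: client, ident, user,
# timestamp, request line, status, bytes sent (referer/agent are ignored).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the parsed fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def proxy_abuse_report(lines):
    """Summarise CONNECT requests: 2xx means Apache opened the tunnel (open proxy), anything else means it was refused."""
    served = Counter()     # client IP -> tunnels Apache opened for it
    refused = Counter()    # client IP -> CONNECTs Apache rejected (e.g. 403)
    dst_ports = Counter()  # destination port of the tunnels that were opened
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if 200 <= rec["status"] < 300:
            served[rec["client"]] += 1
            dst_ports[rec["target"].rsplit(":", 1)[-1]] += 1
        else:
            refused[rec["client"]] += 1
    return {"served": served, "refused": refused, "dst_ports": dst_ports}

# Constructed sample lines (documentation-range IPs), not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Jan/2006:22:21:06 -0500] "CONNECT 203.0.113.1:25 HTTP/1.0" 200 13688 "-" "-"
198.51.100.7 - - [20/Jan/2006:22:21:10 -0500] "CONNECT 203.0.113.2:25 HTTP/1.0" 200 13688 "-" "-"
198.51.100.9 - - [20/Jan/2006:22:21:14 -0500] "CONNECT 203.0.113.1:25 HTTP/1.0" 200 13688 "-" "-"
192.0.2.44 - - [20/Jan/2006:22:22:00 -0500] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jan/2006:09:49:03 -0500] "CONNECT 203.0.113.1:25 HTTP/1.0" 403 3931 "-" "-"
"""

if __name__ == "__main__":
    report = proxy_abuse_report(SAMPLE_LOG.splitlines())
    for client, n in report["served"].most_common():
        print(f"OPEN PROXY ABUSE: {client} was granted {n} tunnel(s)")
    print("tunnel destination ports:", dict(report["dst_ports"]))
```

A port-25 entry in the destination-port counter with a non-zero "served" count is exactly the condition the first post describes; after the LimitExcept fix only the "refused" counter should grow.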
