Published 2005-09-22 22:17:56

I had a nice phone call today from my ISP: they let me know that my outgoing port 25 had been auto-blocked due to excessive traffic.

Agh. An instant chkrootkit indicated nothing scary, so I started digging into the reasons behind this. I have to say my local ISP, Netfront, has world-class service. Gary, who I was dealing with, was very co-operative and opened up port 25 so we could track down the problem. To be honest, I was amazed that they actually called me to let me know they were blocking my service. I'm sure there are many a fixed-IP broadband user who would envy this kind of service.

After chkrootkit failed to find anything and Gary had opened the port, I ran
#netstat -n | grep 25
tcp 0 0 myip:33236 someip:25 TIME_WAIT
This indicated a few outgoing connections on port 25, so I asked one of my colleagues (who thankfully knows Linux better than me ;) for ideas on how to track down which process was doing this.
#fuser 33236/tcp
33236/tcp: 25045
This gave the process ID that owned the connection, and then it was down to good old ps:
#ps auxw | grep 25045
www-data 25045 ...... /usr/sbin/apache2 -k start -DSSL

Agh, Apache was making the port 25 connections. My first thought was some horrific mistake I had made in my PHP code, but a quick look through the Apache log files indicated that my suspicions were not quite correct: the Apache log file had rather a large number of these, from various IP addresses.
210.245.151.81 - - ... "POST http://202.81.252.1:25/ HTTP/1.1" 200 ..
At this point I started to suspect the reverse proxies on my server (especially as I had set them up again recently on another server and had to deal with the default config there).
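The log line above is what an open forward proxy looks like from the server side: the request target is an absolute URI with a port, not a path on this host, and the 200 means Apache relayed the connection. Two notes on the socket hunt above: a connection in TIME_WAIT no longer belongs to any process, so fuser (or `ss -tnp`) will only name a PID for sockets that are still ESTABLISHED, and on a current system `ss -tnp '( dport = :25 )'` shows the owning process in one step. What follows is an added example, not code from the original post: a Python detector that parses Common Log Format lines, separates origin requests from forward-proxy (absolute URI or CONNECT) requests, and reports the clients that got a successful proxied connection to a mail port. The log lines are constructed for the example (the first mirrors the shape of the entry above); the function names are chosen here.

```python
"""Spot forward-proxy abuse in an Apache access log.

An origin request has a path as its target ("GET /index.php HTTP/1.1"); a
forward-proxy request carries an absolute URI ("POST http://host:25/ HTTP/1.1")
or uses CONNECT. A server that is not meant to be a forward proxy should serve
none of these, and a 200 on port 25 means it relayed mail for someone.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format prefix: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Ports a web proxy has no business reaching: SMTP relay and submission.
MAIL_PORTS = {25, 465, 587}

# Constructed sample log; the first line mirrors the shape of the post's entry.
SAMPLE_LOG = """\
210.245.151.81 - - [22/Sep/2005:20:01:10 +0800] "POST http://202.81.252.1:25/ HTTP/1.1" 200 312
10.0.0.5 - - [22/Sep/2005:20:01:11 +0800] "GET /index.php HTTP/1.1" 200 5120
210.245.151.81 - - [22/Sep/2005:20:01:12 +0800] "CONNECT 202.81.252.1:25 HTTP/1.1" 200 0
61.1.2.3 - - [22/Sep/2005:20:02:00 +0800] "GET http://www.example.com/ HTTP/1.0" 200 4096
10.0.0.7 - - [22/Sep/2005:20:02:05 +0800] "POST http://202.81.252.1:25/ HTTP/1.1" 403 210
"""


def classify_request(request):
    """Return (kind, host, port); kind is "origin", "forward" or "connect"."""
    method, _, rest = request.partition(" ")
    # Drop the trailing protocol token ("HTTP/1.1") if present.
    target = rest.rsplit(" ", 1)[0] if " HTTP/" in rest else rest
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return "connect", host, int(port) if port.isdigit() else 443
    if "://" in target:
        parts = urlsplit(target)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return "forward", parts.hostname, port
    return "origin", None, None


def find_proxy_requests(log_text):
    """Every forward-proxy style request, with whether Apache served it (status < 400)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the log format
        kind, host, port = classify_request(m.group("request"))
        if kind == "origin":
            continue
        findings.append({
            "client": m.group("client"), "kind": kind, "host": host,
            "port": port, "served": int(m.group("status")) < 400,
        })
    return findings


def relay_abusers(findings):
    """Clients that got a successful proxied connection to a mail port, with counts."""
    return Counter(f["client"] for f in findings
                   if f["served"] and f["port"] in MAIL_PORTS)


if __name__ == "__main__":
    hits = find_proxy_requests(SAMPLE_LOG)
    for f in hits:
        print(f)
    print("mail relay abusers:", dict(relay_abusers(hits)))
```

Denied requests (403 and up) are kept in the findings because a burst of them is still a useful sign that someone is probing the server as a proxy; only the served ones count against a client in the relay tally.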

My Debian-based install had a file in apache2/mods-available called proxy.conf, which I had not copied to apache2/mods-enabled. I had only copied the proxy.load file.

In this file was the critical section:
        <Proxy *>
            Order deny,allow
            Deny from all
            #Allow from .your_domain.com
        </Proxy>
This denies every client access to the proxy, so after adding this file I had to add sections like this to re-enable my old reverse proxies for a few specific targets:
        <Proxy http://devel/>
            Order allow,deny
            Allow from all
        </Proxy>
The only problem I had was that my php5 server was running on port 81, and this config failed to allow access via the reverse proxy.
        <Proxy http://php5.akbkhome.com:81/>
            #this doesn't work?!!!
            Order allow,deny
            Allow from all
        </Proxy>
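The <Proxy *> deny-all is the access-control half of the fix; the other half is ProxyRequests, which the post does not show. Apache only acts as a forward proxy when ProxyRequests is On (the default is Off), and turning it Off does not disable ProxyPass reverse proxies, so a reverse-proxy-only server should run with it Off and keep the deny-all block as a second line of defence. The Order/Deny/Allow syntax above is Apache 2.0/2.2; on 2.4 the equivalent inside <Proxy *> is Require all denied. The following is an added example, not from the post: a Python audit of a mod_proxy config text that flags the weak configuration beside the hardened one. The weak config (module loaded, ProxyRequests On, no <Proxy *> block at all) is a hypothetical reconstruction and not something the post shows; the config strings, hostnames, module path and function names are all constructed for the example.

```python
"""Audit an Apache mod_proxy configuration for open-forward-proxy exposure.

Understands the Apache 2.0/2.2 "Order/Deny/Allow" syntax used in the post and
the 2.4 "Require" form. Both configs below are constructed for this example;
hostnames, paths and the module path are placeholders.
"""
import re

# Hypothetical "before": module loaded, forward proxying explicitly on, and no
# <Proxy *> block at all (proxy.load enabled, proxy.conf not).
WEAK_CONF = """\
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
ProxyRequests On
ProxyPass /devel/ http://devel/
"""

# "After": forward proxying off (ProxyPass keeps working), deny everything by
# default, then open only the reverse-proxy target.
HARDENED_CONF = """\
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>
<Proxy http://devel/>
    Order allow,deny
    Allow from all
</Proxy>
ProxyPass /devel/ http://devel/
"""

SECTION_OPEN = re.compile(r"^<(\w+)\s+(.+?)\s*>$")
SECTION_CLOSE = re.compile(r"^</(\w+)\s*>$")


def parse_config(text):
    """Return (top-level directives, {proxy target: directives}) as (name, args) pairs."""
    top_level, proxy_sections, stack = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2)))
            if stack[-1][0] == "proxy":
                proxy_sections.setdefault(m.group(2), [])
            continue
        if SECTION_CLOSE.match(line):
            stack.pop()
            continue
        parts = line.split(None, 1)
        entry = (parts[0].lower(), parts[1] if len(parts) > 1 else "")
        if stack and stack[-1][0] == "proxy":
            proxy_sections[stack[-1][1]].append(entry)
        else:
            top_level.append(entry)
    return top_level, proxy_sections


def section_denies_all(directives):
    """True when a <Proxy> block rejects every client (no blanket Allow / Require granted)."""
    deny_all = allow_all = False
    for name, args in directives:
        value = args.lower()
        if (name, value) in (("deny", "from all"), ("require", "all denied")):
            deny_all = True
        elif (name, value) in (("allow", "from all"), ("require", "all granted")):
            allow_all = True
    return deny_all and not allow_all


def audit(text):
    """Return [(level, message)] findings; an empty list means nothing to fix."""
    top_level, sections = parse_config(text)
    findings = []
    module_loaded = any(n == "loadmodule" and a.startswith("proxy_module")
                        for n, a in top_level)
    proxy_requests = "off"  # Apache's default when the directive is absent
    for n, a in top_level:
        if n == "proxyrequests":
            proxy_requests = a.lower()
    default_deny = "*" in sections and section_denies_all(sections["*"])
    if proxy_requests == "on" and not default_deny:
        findings.append(("CRITICAL", "ProxyRequests On with no <Proxy *> deny-all: "
                         "anyone can relay through this server"))
    elif proxy_requests == "on":
        findings.append(("WARNING", "ProxyRequests On is only needed for a forward "
                         "proxy; reverse proxying via ProxyPass works with it Off"))
    if module_loaded and not default_deny:
        findings.append(("WARNING", "mod_proxy loaded without a <Proxy *> deny-all "
                         "block; add one and Allow only the reverse-proxy targets"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

The audit reads a single file's text; on a real Debian host the directives are spread across apache2.conf, mods-enabled/*.conf and sites-enabled/*, so concatenate what `apache2ctl -t -D DUMP_MODULES` reports as loaded before trusting a clean result.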
Anyway, at least I'm not a spammer anymore.
