Russian hackers using HTTP proxy requests to attack other sites
You really should disable support for proxying in your web server unless you
a) know why you need it enabled, and
b) have carefully configured your proxy not to allow arbitrary requests.
A new attack I started seeing two days ago illustrates why. Below are the request lines of the first and most recent attack of this sort I’ve seen. I’ve modified the Login values to obscure the accounts being attacked. The malware is attempting to relay its credential-checking requests through my server so that the real source of the attack is hidden from the target. If you care about the Internet you shouldn’t make it easy for hackers to exploit your server to conduct attacks.
GET http://auth.mail.ru/cgi-bin/auth?Login=abcdef@mail.ru&Password=lovelyyou&mobile=1&simple=0&useragent=android HTTP/1.1
and
GET http://auth.mail.ru/cgi-bin/auth?Login=abcdef@mail.ru&Password=v37rICJ199&mobile=1&simple=0&useragent=android HTTP/1.1
The HTTP user-agent values were “mobmail android 2.1.7” and “mobmail android 2.2.9” respectively.
Even though I have proxying disabled for my Apache web server, I also have the following in my .htaccess file to make it clear why I’m rejecting the request.
RewriteCond %{THE_REQUEST} ^\w+\s+HTTPS?:// [NC]
RewriteRule ^ /blocked.php [END,E=error-notes:proxy-probe]
Note that /blocked.php sets the HTTP status to 400, and the error-notes environment value is included in my log message via %{error-notes}e in the LogFormat string.
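As an added example (not from the original post), here is the same proxy-probe test applied offline to access-log lines, using the regex from the RewriteCond above. It parses Apache combined-format lines, flags request lines whose target is an absolute http(s) URL rather than a path, masks the Login and Password query values so the probe can be logged safely, and counts which hosts the attacker was trying to reach. The log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Same test the .htaccess RewriteCond applies to %{THE_REQUEST}: a request line
# whose target is an absolute http(s) URL instead of a path is a proxy attempt.
PROXY_PROBE = re.compile(r"^\w+\s+https?://", re.IGNORECASE)

# Apache combined log format; the request line is the quoted field after the timestamp.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query parameters that must never reach a log file in the clear.
SENSITIVE = {"login", "password"}

# Constructed sample log lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:12:00:01 +0000] "GET http://auth.mail.ru/cgi-bin/auth?Login=abcdef@mail.ru&Password=lovelyyou&mobile=1&simple=0&useragent=android HTTP/1.1" 400 0 "-" "mobmail android 2.1.7"',
    '203.0.113.7 - - [10/Oct/2013:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2013:12:01:00 +0000] "GET HTTP://auth.mail.ru/cgi-bin/auth?Login=abcdef@mail.ru&Password=v37rICJ199&mobile=1&simple=0&useragent=android HTTP/1.1" 400 0 "-" "mobmail android 2.2.9"',
]

def is_proxy_probe(request_line: str) -> bool:
    """True when the request-line target is an absolute URL (a proxy-style request)."""
    return PROXY_PROBE.search(request_line) is not None

def redact_credentials(url: str) -> str:
    """Replace Login/Password query values so the probe can be logged without the secrets."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def parse_proxy_probes(lines):
    """Yield (client_ip, target_host, redacted_url, user_agent) for each proxy probe."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not is_proxy_probe(m.group("request")):
            continue
        target = m.group("request").split()[1]
        yield m.group("ip"), urlsplit(target).hostname, redact_credentials(target), m.group("ua")

def probe_targets(lines) -> Counter:
    """Count proxy probes by the host the attacker tried to reach through this server."""
    return Counter(host for _ip, host, _url, _ua in parse_proxy_probes(lines))

if __name__ == "__main__":
    for ip, host, url, ua in parse_proxy_probes(SAMPLE_LOG):
        print(f"{ip} -> {host} [{ua}] {url}")
    print(probe_targets(SAMPLE_LOG))
```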