Someone's using me to spam, I think

How can I stop it?

Powdork

3:59 pm on Apr 18, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

XX.XXX.240.11 - - [17/Apr/2004:20:42:15 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 10895 "-" "-"
I am guessing this is someone using my site as a proxy for sending spam? I went back through the logs to find 5 visits this month. And some in March. For about the same time frame I have been curious as to whether my forms have been hijacked. Would that be possible?
Is it possible to block this with .htaccess?

Web Server
Apache Version 1.3.27
Operating System
Linux Redhat Version 7.3 (Valhalla)
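Going back through the logs by hand, as Powdork did, gets tedious. The following is an added example (not code from the thread) that parses Apache combined-format lines like the one quoted above and pulls out the two request shapes that indicate proxy use: CONNECT tunnel requests and requests whose URI names some other host. The combined log format and the sample entries are constructed here; OWN_HOSTS is an assumption you would replace with your own hostnames.

```python
import re
from collections import Counter

# Apache "combined" log format, as in the line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: the hostnames this server legitimately answers for. Absolute URIs
# naming one of these are ordinary HTTP/1.1 requests, not proxy use.
OWN_HOSTS = {"example.com", "www.example.com"}

def classify(request, own_hosts=OWN_HOSTS):
    """Label one request line ('METHOD target HTTP/x.y'):
    'connect' for a CONNECT tunnel request, 'absolute-uri' for a request
    that names some other host in its URI (proxy-style), None otherwise."""
    parts = request.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":
        return "connect"
    m = re.match(r"^/?https?://([^/:]+)", target, re.I)
    if m and m.group(1).lower() not in own_hosts:
        return "absolute-uri"
    return None

def find_proxy_attempts(lines, own_hosts=OWN_HOSTS):
    """Return the log entries that look like attempts to use the server as a proxy."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format: skip rather than guess
        kind = classify(m.group("request"), own_hosts)
        if kind:
            hits.append({
                "ip": m.group("ip"), "kind": kind, "request": m.group("request"),
                "status": int(m.group("status")),
                "size": 0 if m.group("size") == "-" else int(m.group("size")),
            })
    return hits

def count_by_ip(hits):
    """How many proxy-style requests each client sent (repeat offenders stand out)."""
    return dict(Counter(h["ip"] for h in hits))

# Constructed sample: the quoted log line plus four made-up entries.
SAMPLE_LOG = [
    'XX.XXX.240.11 - - [17/Apr/2004:20:42:15 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 10895 "-" "-"',
    '192.0.2.10 - - [17/Apr/2004:20:43:01 -0400] "GET /index.html HTTP/1.1" 200 10895 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [17/Apr/2004:20:43:05 -0400] "GET http://www.example.com/about.html HTTP/1.1" 200 4221 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [17/Apr/2004:20:44:19 -0400] "GET http://mail.example.net/ HTTP/1.0" 200 10895 "-" "-"',
    '198.51.100.7 - - [17/Apr/2004:20:44:20 -0400] "CONNECT 203.0.113.5:8080 HTTP/1.0" 405 0 "-" "-"',
]

if __name__ == "__main__":
    hits = find_proxy_attempts(SAMPLE_LOG)
    for h in hits:
        # A 200 with a multi-kB body on a CONNECT line is consistent with the server
        # answering the request itself (serving its own page) rather than tunnelling.
        print(f'{h["ip"]:<15} {h["kind"]:<12} {h["status"]} {h["size"]:>6}  {h["request"]}')
    print(count_by_ip(hits))
```

The status and size columns are kept on each hit because they are the evidence that matters: a CONNECT logged with 200 and a page-sized body says the server answered with its own content, whereas a CONNECT that is relayed would not produce a body of that size from the local site.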

lemat

11:19 pm on Apr 18, 2004 (gmt 0)

10+ Year Member

Go to httpd.conf and comment out the lines with
LoadModule *proxy*

But don't worry; there should be a lot more of these entries if you really are an open proxy.

If you cannot unload the proxy modules, try to use the Limit directive:
<Limit GET POST HEAD>
    Allow from all
</Limit>
<LimitExcept GET POST HEAD>
    Deny from all
</LimitExcept>

Find the correct syntax in the Apache manual.

Powdork

12:09 am on Apr 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

My concern is that each time a 200 was returned. I'll check with my hosting company, but they're pretty reliable and secure, so I doubt they would have uncommented those lines to begin with (it is commented out by default, right?).

The Limit directive: is that for my .htaccess, and if so, how do I know if I have it right? Will I see a 403 or a 405?

Powdork

8:10 pm on Apr 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

My hosting company's reply was that it was likely a spoofed IP. The 200 meant they were successful in viewing the site with a spoofed IP. They also said it was perfectly harmless.

"Does the <hosting company's> case hold water?"

And, of course, what movie is that from?

jdMorgan

2:38 am on Apr 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

> Hold water? You're paying them for bandwidth, right? :)

For servers with proxy enabled outside of my control, I use something like this in .htaccess:

# Block unsupported HTTP methods
RewriteCond %{REQUEST_METHOD} !^(GET¦HEAD¦POST¦OPTIONS¦TRACE)$
RewriteRule .* - [F]
#
# Block attempts to use our server as a proxy, but allow absolute URIs
RewriteCond %{THE_REQUEST} ^(GET¦HEAD¦POST)\ /?http:// [NC]
RewriteCond %{THE_REQUEST} !^(GET¦HEAD¦POST)\ /?http://(www\.)?example\.com/ [NC]
RewriteRule .* - [F]

Replace 'example.com' with your domain name, and include any possible subdomains (such as 'www' shown here). Serves them a nice, tasty 403.

This assumes you've already got

Options +FollowSymLinks
RewriteEngine on

at the top.

Jim

Powdork

4:46 am on Apr 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Thanks, jd. A couple of questions.
1. Where does this go in relation to my 'order deny,allow', or is it important?
2. Are there any characters I need to change because of WW format?
3. Is there any way someone could use this, or some other method, to hijack cgi-script form submissions?
4. You didn't guess the movie.

lemat

11:59 am on Apr 20, 2004 (gmt 0)

10+ Year Member

> My hosting company's reply was that it was likely a spoofed IP.

Which IP? XX.XXX.240.11? That was false info from them.

> The 200 meant they were successful in viewing the site with a spoofed IP.

No, that's also false. I believe the sniffer got the content of your own site; the next number after 200 is the size of the reply. 10kB is a typical www page. Since 1.3.3.7 is not answering, the 10kB comes from your www.

> They also said it was perfectly harmless.

Being an open proxy? Wow. That was disinterest on their side. Have they checked whether you are an OP or not?

You can do:

telnet your_ip 80
CONNECT 1.3.3.7:1337 HTTP/1.0 [2xEnter here]

and see for yourself what your server will return.

> Are there any characters I need to change because of ww format?

Yes. There is a solid pipe sign, e.g. between GET and HEAD in jdMorgan's post.

> Is there any way someone could use this, or some other method, to hijack cgi-script form submissions?

That's a subject for a 1000-page book on security. Yes, sniffers often look for insecure formmail scripts. But CONNECT and formmail don't mix.

> Where does this go in relation to my 'order deny,allow', or is it important?

jdMorgan's code does the same thing as the Limit directive, and a little more, "with different words".
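The telnet check lemat describes above, written as a script so the reply is interpreted rather than eyeballed. This is an added example, not code from the thread: it sends the same "CONNECT 1.3.3.7:1337 HTTP/1.0" line plus a blank line to your own server's host and port and reads the reply. The mapping from status codes to verdicts is my reading (a 200 carrying an HTML body means the server served its own page, which is lemat's explanation of the "200 10895" in the log; a 502/503/504 means the server tried to relay, so proxying is enabled; 403/405/501 means the method was refused). The one-shot local server at the bottom is a constructed stand-in so the probe can be exercised offline.

```python
import socket
import threading

CONNECT_TARGET = "1.3.3.7:1337"  # the same dummy target that appears in the log line

def parse_status(raw):
    """Return the status code from an HTTP response's first line, or None."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace").split()
    if len(first) >= 2 and first[0].startswith("HTTP/") and first[1].isdigit():
        return int(first[1])
    return None

def connect_probe(host, port, target=CONNECT_TARGET, timeout=3.0):
    """Send 'CONNECT target HTTP/1.0' plus a blank line (what the telnet session
    types) to host:port and return (status, body) from whatever comes back."""
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"CONNECT {target} HTTP/1.0\r\n\r\n".encode("ascii"))
        try:
            while len(raw) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
        except socket.timeout:
            pass  # server kept the connection open: keep whatever arrived
    head, _, body = raw.partition(b"\r\n\r\n")
    return parse_status(head), body

def interpret(status, body):
    """Map the reply to what it says about proxying (assumed interpretation)."""
    if status is None:
        return "no-response"
    if status == 200:
        # HTML body: the server treated CONNECT as a normal request and served its
        # own page. A bare 200 with no page means a tunnel was actually opened.
        return "served-own-page" if b"<html" in body.lower() else "open-proxy-tunnel"
    if status in (502, 503, 504):
        return "proxy-relay-attempted"  # it tried to reach the target: proxying is on
    if status in (403, 405, 501):
        return "refused"
    return "unexpected"

# --- constructed stand-in for a real server so the probe can be exercised offline ---
def _serve_once(status_line, body, ready):
    """Accept one connection on 127.0.0.1 and answer with the given status line/body."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    conn.recv(4096)  # read the CONNECT request
    conn.sendall(status_line + b"\r\nContent-Length: %d\r\n\r\n" % len(body) + body)
    conn.close()
    srv.close()

def probe_mock(status_line, body=b""):
    """Run connect_probe against the local one-shot server; returns (status, body)."""
    ready = {"event": threading.Event()}
    t = threading.Thread(target=_serve_once, args=(status_line, body, ready), daemon=True)
    t.start()
    ready["event"].wait(5)
    result = connect_probe("127.0.0.1", ready["port"])
    t.join(5)
    return result

if __name__ == "__main__":
    for line, body in [(b"HTTP/1.0 405 Method Not Allowed", b""),
                       (b"HTTP/1.0 200 OK", b"<html><body>home page</body></html>")]:
        print(line.decode(), "->", interpret(*probe_mock(line, body)))
```

Against a real host, call connect_probe(host, 80) and pass the result to interpret(); the mock exists only so the verdict logic can be checked without a server.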

jdMorgan

1:50 pm on Apr 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

1) As far as the order, it doesn't matter much -- Put it wherever you like in relation to your mod_access code. One thing to realize is that Apache modules each go through your .htaccess code and interpret it, looking for directives that they can handle. Mod_access is invoked before mod_rewrite, and so allow/deny directives are always processed before mod_rewrite directives, regardless of their position in your code. This can be good or bad, depending on what you are doing, but it's something you need to be aware of.

2) As Msr. Lemat said, the broken pipes "¦" need to be edited to make them solid pipes.

3) This exploit has more to do with someone using your server to surf, download, and send e-mail anonymously, while using your bandwidth to do it. If they use an automated agent, then they could run up your bandwidth bill very quickly.

4) Not a movie-quotes expert...

Jim

Powdork

3:14 pm on Apr 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Thanks all. Now I have all the info I need.

For the movie title, you have all the info necessary [google.com] too.

Powdork

12:16 am on Apr 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

As a follow-up, I thought it was strange that it took several hours for my hosting company to answer my question through their ticket system; they are usually very quick. I think, if nothing else, I caught their attention regarding the security of my site, and it seems like they took some action. The inbox is filled with form submissions again and, surprisingly, my AdSense income has tripled (though I can't imagine why).

jackson

11:31 pm on Apr 23, 2004 (gmt 0)

10+ Year Member

jd

RewriteCond %{REQUEST_METHOD} !^(GET¦HEAD¦POST¦OPTIONS¦TRACE)$

Could SEARCH be added to this block as well?

The reason I ask is that one of my sites is getting hammered with SEARCH requests with these spurious ultra-long URLs.

jdMorgan

2:08 am on Apr 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

The pattern has an exclamation point in front -- meaning NOT. If you add SEARCH to the list, it will be allowed.

Jim
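To make jdMorgan's two rules from earlier in the thread concrete, and to show why adding SEARCH inside the negated method list would allow it rather than block it (jackson's question), here is an added example that re-implements the rule logic in Python. It is not code from the thread or from Apache; the pipes are written as solid "|" as the thread says they must be, and "(www\.)?example\.com" stands in for the poster's own domain exactly as in the original rules.

```python
import re

# Methods the first rule lets through: the negated alternation in
# "RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|OPTIONS|TRACE)$"
ALLOWED_METHODS = ("GET", "HEAD", "POST", "OPTIONS", "TRACE")

# Stand-in for the site's own host pattern in the second rule pair (assumption:
# replace with your domain and its subdomains, as the post says).
OWN_HOST_RE = r"(www\.)?example\.com"

def method_rule_forbids(method, allowed=ALLOWED_METHODS):
    """True when 'RewriteCond %{REQUEST_METHOD} !^(...)$' holds, i.e. the method
    is NOT in the list, so 'RewriteRule .* - [F]' fires."""
    pattern = "^(" + "|".join(allowed) + ")$"
    return re.search(pattern, method) is None

def absolute_uri_rule_forbids(the_request, own_host_re=OWN_HOST_RE):
    """True when both RewriteConds of the second block hold: THE_REQUEST carries an
    absolute http:// request-URI, and that URI is not for our own host."""
    is_absolute = re.search(r"^(GET|HEAD|POST)\ /?http://", the_request, re.I)
    is_own_host = re.search(r"^(GET|HEAD|POST)\ /?http://" + own_host_re + "/",
                            the_request, re.I)
    return bool(is_absolute) and not is_own_host

def decide(the_request):
    """Emulate the .htaccess snippet on one request line ('METHOD target HTTP/x.y').
    Returns 403 when either rule would serve the 'nice, tasty 403', else None
    (the rules do not fire and the request is handled normally)."""
    method = the_request.split(" ", 1)[0]
    if method_rule_forbids(method) or absolute_uri_rule_forbids(the_request):
        return 403
    return None

SAMPLE_REQUESTS = [  # constructed request lines
    "GET /index.html HTTP/1.1",
    "CONNECT 1.3.3.7:1337 HTTP/1.0",            # the method from the log line
    "GET http://www.example.com/ HTTP/1.1",     # absolute URI for our own host: allowed
    "GET http://other.example.net/ HTTP/1.1",   # absolute URI for another host: blocked
    "SEARCH /very/long/path HTTP/1.1",          # jackson's case: not in the list, so blocked
]

def run_samples(requests=SAMPLE_REQUESTS):
    """Verdict for each sample request line."""
    return {r: decide(r) for r in requests}

if __name__ == "__main__":
    for req, verdict in run_samples().items():
        print(f"{verdict or 'pass':>4}  {req}")
    # jdMorgan's point: putting SEARCH inside the negated list would ALLOW it.
    print("SEARCH forbidden with SEARCH added to the list ->",
          method_rule_forbids("SEARCH", ALLOWED_METHODS + ("SEARCH",)))
```

Because the first condition is negated, the list names what survives; anything not listed, SEARCH included, is already blocked, which is why jdMorgan's answer is to leave the list alone.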

jackson

11:57 am on Apr 24, 2004 (gmt 0)

10+ Year Member

got it ...