by SignMeTheHELLUp 3900 days ago
"How my Apache server became a malicious free internet proxy"

tl;dr: Negligence, and failing to RTFM.

What really horrifies me is the author doesn't seem to understand the magnitude of their error. The final quip at the end illustrates this. "Ha! someone searched manslaughter over my proxy! I had a lot of fun reading my open proxy logs..."

I wonder how many stolen credit card transactions were done over his proxy, causing headaches for many innocent people? Or worse?

3 comments

I've had similar issues with an open source project in which a simple proxy was established with FiddlerCore to tap traffic to a web browser, pretty tame stuff and nothing malicious.

Problem is that by default it was configured to listen on 0.0.0.0:80, making it an open HTTP proxy that everybody on the same LAN could connect to. The only real threat so far is that somebody could send in a large volume of traffic to crash the proxy, but wait and behold....

...some users were running it from hosts that are either a) directly connected to the public IP space without a firewall or b) behind NAT, but with lazy DMZ/port forwarding configuration that exposes their port 80 to the internet anyway. For about a year people have been obliviously hosting open HTTP proxies from home.

Eventually somebody found out and it took another couple of months of back and forth issue reporting and PR tugging battles to get it properly patched. Opsec is hard.

Bonus TL;DR: By setting "ProxyRequests On", which is only required to use Apache as a forward web proxy. (There's even a big red warning in the documentation about this!)
(:
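
Added example, not part of the thread or of any project mentioned in it: a small audit that flags the two conditions the comments describe, `ProxyRequests On` with no access restriction and a listener bound to every interface. It assumes Apache 2.4 syntax (`<Proxy>` with `Require`), reads a single config text without following `Include` or virtual host scoping, and the sample configs and the function name `audit_forward_proxy` are constructed for illustration.

```python
import re

# Constructed sample configs (not taken from the thread or the linked article).
OPEN_CONF = """
Listen 0.0.0.0:80
ProxyRequests On
<Proxy "*">
    Require all granted
</Proxy>
"""
RESTRICTED_CONF = """
Listen 127.0.0.1:8080
ProxyRequests On
<Proxy "*">
    Require ip 192.168.0.0/24
</Proxy>
"""

def audit_forward_proxy(conf_text):
    """Return findings for one Apache 2.4 config text (hypothetical helper)."""
    forward_proxy = False       # last ProxyRequests value seen
    in_proxy_block = False
    restricted = False          # a <Proxy> block carries a narrowing Require
    listens_everywhere = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if re.match(r"proxyrequests\s+", low):
            forward_proxy = low.split()[1] == "on"
        elif re.match(r"<proxy\b", low):
            in_proxy_block = True
        elif low.startswith("</proxy>"):
            in_proxy_block = False
        elif in_proxy_block and re.match(r"require\s+", low):
            # "Require all granted" admits everyone; anything else narrows access
            if low.split()[1:3] != ["all", "granted"]:
                restricted = True
        elif re.match(r"listen\s+", low):
            addr = low.split()[1]
            # A bare port, 0.0.0.0, * or [::] binds every interface
            if addr.isdigit() or addr.startswith(("0.0.0.0:", "*:", "[::]:")):
                listens_everywhere = True
    findings = []
    if forward_proxy and not restricted:
        findings.append("ProxyRequests On without a restricting Require in <Proxy>")
    if forward_proxy and listens_everywhere:
        findings.append("forward proxy reachable on all interfaces")
    return findings
```

An empty result means neither condition was found in that text; it does not cover firewall, NAT or port-forwarding exposure, which has to be checked from outside the host.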