Security Incidents mailing list archives
Re: IRC connect through apache ????
From: evyncke () CISCO COM (Eric Vyncke)
Date: Thu, 15 Jun 2000 09:52:13 +0200
Actually, the CONNECT method is use to do TCP session proxy. As Apache can work as a HTTP proxy (usually through HTTP request like 'GET http://www.foo.com') it can also be configued as TCP session proxy (mainly for SSL through request like 'CONNECT www.foo.com:443'. Here, you have someone probing your Apache server for such a wide open TCP proxy. But, as your Apache was safely configured it was rejected (code 405). Just my 0.01 EUR -eric At 10:17 14/06/2000 +0000, arhuman () HOTMAIL COM wrote:
I found this in my apache logs. Do someone know what does it mean ? (referer obfuscated by me -> xx.xx.xx.xx It appears to be a linux box with no domain name) xx.xx.xx.xx - - [14/Jun/2000:08:38:38 +0200] "CONNECT irc.webbernet.net:6667 HTTP/1.0" 405 306 xx.xx.xx.xx - - [14/Jun/2000:08:38:38 +0200] "CONNECT irc.webbernet.net:6667 HTTP/1.0" 405 306 "-" "-" xx.xx.xx.xx - - [14/Jun/2000:08:38:42 +0200] "CONNECT irc.webbernet.net:6667 HTTP/1.0" 405 306 xx.xx.xx.xx - - [14/Jun/2000:08:38:49 +0200] "POST http://ircd.webbernet.net:6667 HTTP/1.0" 405 304 xx.xx.xx.xx - - [14/Jun/2000:08:38:49 +0200] "POST http://ircd.webbernet.net:6667 HTTP/1.0" 405 304 "-" "-" xx.xx.xx.xx - - [14/Jun/2000:08:38:53 +0200] "POST http://ircd.webbernet.net:6667 HTTP/1.0" 405 304 Thanks by advance. Arhuman
Eric Vyncke Consulting Engineer Cisco Systems EMEA Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke () cisco com Mobile: +32-75-312.458
Current thread:
- update on scans of tcp 12345 AUSCERT#36349 Russell Fulton (Jun 05)
- Re: update on scans of tcp 12345 AUSCERT#36349 Shaw Terwilliger (Jun 08)
- unknown trojan (attached) Jeremy L. Gaddis (Jun 08)
- ** New DDoS / Trojan ** nine (Jun 10)
- Re: ** New DDoS / Trojan ** Pierre Vandevenne (Jun 12)
- Re: unknown trojan (attached) Brandon Kittler (Jun 10)
- Re: unknown trojan (attached) Doug Kahler (Jun 12)
- .:: 14x :: Information :: New DDoS/Trojan ::. Erik Tayler (Jun 13)
- Re: .:: 14x :: Information :: New DDoS/Trojan ::. Lic. Rodolfo Gonzalez Gonzalez (Jun 15)
- IRC connect through apache ???? arhuman () HOTMAIL COM (Jun 14)
- Re: IRC connect through apache ???? Eric Vyncke (Jun 15)
- ** New DDoS / Trojan ** nine (Jun 10)
- <Possible follow-ups>
- Re: update on scans of tcp 12345 AUSCERT#36349 Bryan Scaringe (Jun 08)
- Re: update on scans of tcp 12345 AUSCERT#36349 Luke Dudney (Jun 10)