Security Incidents mailing list archives
Re: HTTP CONNECT attempts
From: nexus-mail () mail ru
Date: Wed, 17 Apr 2002 09:27:12 +0300
DS> Morning,
DS> need advice. I've got more than 20 "HTTP CONNECT" IDS alerts (BugTraq id 4131)
DS> from 3 diff. sources for today and yesterday. Looks like some tool is out and people started to use it.
DS> The only problem is: I don't understand why people are trying to use port 80 to connect to port 443 (which is usually open
DS> to the world in my case).

DS> Dmitri Smirnov, SSCP
DS> Security Team

DS> ----------------------------------------------------------------------------
DS> This list is provided by the SecurityFocus ARIS analyzer service.
DS> For more information on this free incident handling, management
DS> and tracking system please see: http://aris.securityfocus.com

Ports like 80 and 443 are usually open, and caching servers' ports are closed from outside. So, if you have mod_proxy enabled in your Apache (or something like that) webserver and do not have appropriate rules to prevent use of this feature, the intruder could pass through it. Squid, for example, has a rule that allows connecting only to SSL ports, that is 443 and (AFAIR) 563. But it is commented out by default.

So you could connect to your local mailer and send spam from the affected localhost (your acl usually includes your local addresses) and often _FROM_ localhost. That means bypassing any firewalling rule to unencrypted or less guarded ports.

--
Best regards,
nexus-mail mailto:nexus-mail () mail ru
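
Added example, not part of the original post or of any tool it mentions: a log check for the CONNECT relaying described in the reply above. It assumes Apache common/combined-format access logs and treats 443 and 563 as the only legitimate CONNECT ports, as the reply does; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import namedtuple

# Ports the reply names as legitimate CONNECT targets (assumption taken from the post).
ALLOWED_PORTS = {443, 563}

# Apache common/combined prefix: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] '
    r'"CONNECT (?P<host>\[[^\]]+\]|[^\s:"]+):(?P<port>\d{1,5}) [^"]*" '
    r'(?P<status>\d{3}) '
)

Finding = namedtuple("Finding", "src target port status severity")

def classify(port, status):
    """Rank a CONNECT attempt by whether the server tunnelled it, and to where."""
    if not 200 <= status < 300:
        return "refused"            # server rejected the method or the target
    # A 2xx answer means the server opened the tunnel for the client.
    return "tunnel-ssl-port" if port in ALLOWED_PORTS else "relay-open"

def scan(lines):
    """Return a Finding for every CONNECT request line in the log."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CONNECT request, or not in the assumed format
        port, status = int(m["port"]), int(m["status"])
        findings.append(Finding(m["src"], m["host"], port, status,
                                classify(port, status)))
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [17/Apr/2002:09:01:02 +0300] "CONNECT 127.0.0.1:25 HTTP/1.0" 200 0',
    '192.0.2.10 - - [17/Apr/2002:09:01:05 +0300] "CONNECT mail.example.net:25 HTTP/1.0" 405 312',
    '198.51.100.7 - - [17/Apr/2002:09:02:11 +0300] "CONNECT shop.example.com:443 HTTP/1.0" 200 0',
    '198.51.100.7 - - [17/Apr/2002:09:02:40 +0300] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.severity:16} {f.src:15} -> {f.target}:{f.port} (HTTP {f.status})")
```

Any `relay-open` finding means the web server or proxy completed a tunnel to a non-SSL port and its CONNECT rules need tightening; `refused` entries are the probes the IDS alerted on.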