Re: Weird log entries...

["Kelly Martin" <kmartin () pyrzqxgl org>]

These are attempts to connect to IRC servers via HTTP-based proxy.  It could
be people trying to hijack your proxy server (if you had one), but it could
also be an IRC server you are connecting to proxy-scanning you.  Many IRC
servers now scan incoming clients for unsafe proxy servers and K-line those
that test positive.

Kelly

----- Original Message -----
From: "Josh Diakun" <joshd () superaje com>
To: "Incidents" <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, March 28, 2002 4:06 AM
Subject: Weird log entries...


> Hello All,
>
> I was just shifting through my apache access log file and found some weird
> entries that caught my attention.   After a quick search on the security
focus
> mailing list archives I was unable to come up with anything...so maybe
someone
> out there could be of some help to explain to me what bug these users are
> trying to exploit.  Here's the log entries:
>
> 216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT
151.189.12.20:6669
> HTTP/1.0" 401 469
> 66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT
198.186.203.27:6667
> HTTP/1.0" 401 469
> 130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT
151.189.12.20:6669
> HTTP/1.0" 401 469
> 130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT
151.189.12.20:6669
> HTTP/1.0" 401 469
> 193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT
193.109.122.7:2048/
> HTTP/1.1" 400 344
> 217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669
> HTTP/1.0" 401 469
> 66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT
198.186.203.27:6667
> HTTP/1.0" 401 469
> 217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT 151.189.12.20:6669
> HTTP/1.0" 401 469
> 217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669
> HTTP/1.0" 401 469
>
>
> And then of course there were many, many other entries of the same sort.
I
> understand the basics of what they are trying to accomplish (connecting to
an
> outside source through my machine...in most of these cases, and IRC
> server)...but Ive never really seen this bug, except for the multiple hits
> over the last two/three weeks.  If someone could care to elaborate, that
would
> be greatly appreciated.  Thanks in advance.
>
> Sincerely,
>
> Josh Diakun
> ACPO Development Team Member
> http://www.antichildporn.org
> http://www.joshd.ca
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com