Security Incidents mailing list archives
Re: Strange CONNECT entries in apache logs
From: "John Lampe" <j_lampe () bellsouth net>
Date: Tue, 10 Jun 2003 16:25:43 -0700
Also interesting to note that my ISP (COMCAST) seems to be scanning some of their ranges for this same (old) bug. They are either proactive or a bit on the invasive side...

24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 304
24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 310

John W. Lampe
https://f00dikator.aceryder.com/

----- Original Message -----
From: "Stefan Allemann" <sal () team inter net>
To: "Rajkumar S" <listuser () myrealbox com>; <incidents () securityfocus com>
Sent: Monday, June 09, 2003 9:55 AM
Subject: AW: Strange CONNECT entries in apache logs

I find some of these requests in my logs too, on different servers. I think you should have a look at http://www.kb.cert.org/vuls/id/150227 for a description of this. My apache server answers with 400 or 405 on these requests. Your server seems to accept these requests (302, 200)!

Stefan
Inter.net Switzerland

-----Original Message-----
From: Rajkumar S [mailto:listuser () myrealbox com]
Sent: Friday, 6 June 2003 18:35
To: incidents () securityfocus com
Subject: Strange CONNECT entries in apache logs

Hi,

While going through my apache logs, I found some logs indicating CONNECT requests to port 25 of other hosts.

213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"

I found this on 2 machines in an Indian IP block. My other server in the US is not affected by this. Someone else seeing this? Could this be the next wave of spam?

raj
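One way to automate the log check discussed in this thread, as an added example that is not part of the original posts: it extracts CONNECT requests from access-log lines and sorts them by response status. The three-way triage policy and all function names are assumptions; the sample lines are the ones quoted in the thread plus one constructed GET line.

```python
import re
from collections import Counter

# Covers both layouts quoted in the thread (with or without "- -" fields).
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b'
)

def classify(status):
    """Triage label for a CONNECT response (assumed policy, not from the thread)."""
    if 200 <= status < 300:
        return "accepted"   # request was served: audit the proxy configuration
    if 300 <= status < 400:
        return "review"     # not refused outright: inspect what was returned
    return "rejected"       # 4xx/5xx: the probe was refused

def find_connect_probes(lines):
    """Return one record per CONNECT request found in access-log lines."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, sep, port = m["target"].rpartition(":")
        if not sep or not port.isdigit():   # target without an explicit port
            host, port = m["target"], None
        hits.append({"client": m["client"], "host": host,
                     "port": int(port) if port else None,
                     "status": int(m["status"]),
                     "verdict": classify(int(m["status"]))})
    return hits

def summarize(hits):
    """Count records per verdict."""
    return Counter(h["verdict"] for h in hits)

SAMPLE_LINES = [  # quoted in the thread, except the last (constructed) line
    '24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 304',
    '24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 310',
    '213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"',
    '130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"',
    '130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"',
    '192.0.2.10 - - [10/Jun/2003:14:40:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for h in find_connect_probes(SAMPLE_LINES):
        print(h["verdict"], h["client"], "->", h["host"], h["port"], h["status"])
```

A 2xx status only shows that the server answered the CONNECT request successfully; whether traffic was actually relayed still has to be confirmed against the server's proxy configuration.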