Full Disclosure mailing list archives

Odd logs


From: "Michael Linke" <ml () intract org>
Date: Wed, 4 Jun 2003 21:02:51 +0200


-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Mark
Sent: Wednesday, 4 June 2003 18:31
To: Lan Guy
Cc: Scott M. Algatt; full-disclosure () lists netsys com



The excerpt from my log files which had the same (but can't say it caused
me any concern)

dhpp.csudh.edu - - [01/Jun/2003:21:27:08 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 303 "-" "-"


For a long time I have seen something like this in my Apache log files. The
CONNECT command means that someone is trying to use your HTTP server for HTTP
tunnelling. But as long as the access.log shows an error code like 405, 404,
400 or 407, it is running fine.
But in case there is a status code of 200, you have to check your
configuration.

Here is a short collection of some strange log file entries.

80.181.x.x - - [03/Jun/2003:19:15:17 +0200] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 520
195.214.x.x - - [15/May/2003:07:08:25 +0200] "-" 408 -
212.141.x.x - - [17/May/2003:12:43:03 +0200] "OPTIONS * HTTP/1.0" 403 268
193.127.x.x - - [19/May/2003:02:14:27 +0200] "HEAD / HTTP/1.1" 400 0
200.203.x.x - - [21/May/2003:11:07:44 +0200] "CONNECT cratosthenes.zen.co.uk:25 HTTP/1.0" 403 277
212.66.x.x - - [25/May/2003:04:15:25 +0200] "SEARCH / HTTP/1.1" 403 269
216.25.x.x - - [01/Jun/2003:09:29:03 +0200] "PROPFIND / HTTP/1.0" 403 268
217.45.x.x - - [01/Jun/2003:23:04:15 +0200] "GET /NULL.printer" 404 -

Regards,
Michael

intract - any business anywhere
Michael Linke
Network administrator
Heilbronnerstr. 50
D-73728 Esslingen
Germany
Phone  : +49 384 16297 50
Fax      : +49 711 35152 89
mobile  : +49 178 51 52 959
e-mail   : ml () intract org
ICQ      : 141033973
website:   http://www.intract.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
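
Added example, not part of the original post: a small Python check that applies the rule of thumb from the message above to Apache access-log lines, flagging CONNECT requests and separating refused ones (4xx) from any answered with a 2xx status. The `EXPECTED_METHODS` set, the verdict names and the last sample line are assumptions made for this example.

```python
import re

# Apache common/combined log prefix; the request may be "-" or lack a protocol.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumption: methods this server is expected to serve; adjust per site.
EXPECTED_METHODS = {"GET", "HEAD", "POST"}

def classify(line):
    """Return a dict describing one access-log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split()
    method = parts[0] if parts else "-"
    target = parts[1] if len(parts) > 1 else ""
    status = int(m.group("status"))
    if method == "-":
        verdict = "no_request"            # e.g. 408: client sent nothing
    elif method == "CONNECT":
        # 2xx means the server accepted the tunnel request: check the config.
        verdict = "connect_accepted" if 200 <= status < 300 else "connect_refused"
    elif method not in EXPECTED_METHODS:
        verdict = "unusual_method"
    else:
        verdict = "ok"
    return {"host": m.group("host"), "method": method, "target": target,
            "status": status, "verdict": verdict}

def findings(lines):
    """Classify every parseable line and keep those that are not 'ok'."""
    results = (classify(l) for l in lines)
    return [r for r in results if r and r["verdict"] != "ok"]

SAMPLE = [
    # From the post:
    'dhpp.csudh.edu - - [01/Jun/2003:21:27:08 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 303 "-" "-"',
    '216.25.x.x - - [01/Jun/2003:09:29:03 +0200] "PROPFIND / HTTP/1.0" 403 268',
    '217.45.x.x - - [01/Jun/2003:23:04:15 +0200] "GET /NULL.printer" 404 -',
    '195.214.x.x - - [15/May/2003:07:08:25 +0200] "-" 408 -',
    # Constructed for this example (not from the post): a CONNECT that got 200.
    '192.0.2.10 - - [04/Jun/2003:10:00:00 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f'{f["verdict"]:17} {f["status"]} {f["host"]} {f["method"]} {f["target"]}')
```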

