Security Incidents mailing list archives
Re: strange apache log entry
From: Axel Beckert <beckert () ecos de>
Date: Mon, 12 Aug 2002 18:53:34 +0200
Hi! Am Sat, Aug 10, 2002 at 06:50:15PM +0200, narga () gmx net schrieb:
Yesterday I saw this in my logs (apache 2.0.39 acces_log): ::1 - - [10/Aug/2002:00:25:56 +0200] "CONNECT :::2121 HTTP/1.1" 400 267 ::1 - - [10/Aug/2002:00:33:31 +0200] "CONNECT :::2121 HTTP/1.1" 400 267 error_log: [Sat Aug 10 00:25:56 2002] [error] [client ::1] request failed: error reading the headers [Sat Aug 10 00:33:31 2002] [error] [client ::1] request failed: error reading the headers It seems like someone wants to connect to my port 2121
I wouldn't be sure about that.
through a proxy. The strange thing is, that there isn't any ip.
There are IPs. '::1' is the IPv6 IP for 'localhost', to which this hostname resolves first on a SuSE 8.0 (and if that fails, it resolves to '127.0.0.1'). Which means that it's very likely that this request came from one of your applications.
My firewall (SuSEfirewall, an ipchains based firewall from suse), didn't log anything, snort didn't log anything too. I wasn't able to reproduce this by sending the request manually to port 80.
Try 'telnet localhost 80' and then enter 'CONNECT :::2121 HTTP/1.1\n\n', it should reproduce the log entries. If those log entries become annoying, just comment out the IPv6 IPs form /etc/hosts and they should disappear.
My question: is this a bug in apache, or what else happened?
Maybe the Apache isn't capable of IPv6 IP addresses (don't guess so) or the client which issued the request has sent a malformed request. Kind regards, Axel Beckert -- ------------------------------------------------------------- Axel Beckert ecos electronic communication services gmbh Internetconnect * Webserver/-design/-datenbanken * Consulting Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz E-Mail: beckert () ecos de Voice: +49 6133 926530 WWW: http://www.ecos.de/ Fax: +49 6133 925152 ------------------------------------------------------------- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- strange apache log entry narga (Aug 12)
- Re: strange apache log entry Axel Beckert (Aug 12)
- <Possible follow-ups>
- RE: strange apache log entry Kurc, Marcin A. (Aug 12)