Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: strange apache log entry

From: Axel Beckert <beckert () ecos de>
Date: Mon, 12 Aug 2002 18:53:34 +0200
Hi!

Am Sat, Aug 10, 2002 at 06:50:15PM +0200, narga () gmx net schrieb:

Yesterday I saw this in my logs (apache 2.0.39 acces_log):
::1 - - [10/Aug/2002:00:25:56 +0200] "CONNECT :::2121 HTTP/1.1" 400 267
::1 - - [10/Aug/2002:00:33:31 +0200] "CONNECT :::2121 HTTP/1.1" 400 267

error_log:
[Sat Aug 10 00:25:56 2002] [error] [client ::1] request failed: error
reading the 
headers
[Sat Aug 10 00:33:31 2002] [error] [client ::1] request failed: error
reading the 
headers

It seems like someone wants to connect to my port 2121 


I wouldn't be sure about that.


through a proxy. The strange thing is, that there isn't any ip.


There are IPs. '::1' is the IPv6 IP for 'localhost', to which this
hostname resolves first on a SuSE 8.0 (and if that fails, it resolves
to '127.0.0.1').

Which means that it's very likely that this request came from one of
your applications.


My firewall (SuSEfirewall, an ipchains based firewall from suse),
didn't log anything, snort didn't log anything too. I wasn't able to
reproduce this by sending the request manually to port 80.


Try 'telnet localhost 80' and then enter 'CONNECT :::2121
HTTP/1.1\n\n', it should reproduce the log entries.

If those log entries become annoying, just comment out the IPv6 IPs
form /etc/hosts and they should disappear.
 

My question: is this a bug in apache, or what else happened?


Maybe the Apache isn't capable of IPv6 IP addresses (don't guess so)
or the client which issued the request has sent a malformed request.

            Kind regards, Axel Beckert
-- 
-------------------------------------------------------------
Axel Beckert      ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     beckert () ecos de         Voice:    +49 6133 926530
WWW:        http://www.ecos.de/     Fax:      +49 6133 925152
-------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: