Re: Strange CONNECT entries in apache logs

[p00p () instable net]

I'm afraid I may be at risk for this type of spam-bouncing.  After reading a message in this thread, I did a quick 'cat 
access_log|grep CONNECT' and I found out that my server responds with 200.  However, I tried using telnet to simulate 
this request, and it looks as though Apache just sent back my index.  I'm pretty confused on this.  I'm positive I 
didn't change any setting regarding proxies, and I find it hard to believe that Apache would come with the default 
setting allowing use as a proxy.  

Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 PHP/4.3.2
Everything except Perl itself was built from source.

I am running this server on RedHat Linux 9.0 with all (or all but one or two in the last day or two) available updates 
from up2date.

Can anyone shed any light on this for me please?

On Tue, Jun 10, 2003 at 04:25:43PM -0700, John Lampe wrote:
> Also interesting to note that my ISP (COMCAST) seems to be scanning some of
> their ranges for this same (old) bug.  They are either proactive or a bit on
> the invasive side...
>
> 24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25
> HTTP/1.0" 405 304
> 24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25
> HTTP/1.0" 405 310
>
> John W. Lampe
> https://f00dikator.aceryder.com/
>
> ----- Original Message -----
> From: "Stefan Allemann" <sal () team inter net>
> To: "Rajkumar S" <listuser () myrealbox com>; <incidents () securityfocus com>
> Sent: Monday, June 09, 2003 9:55 AM
> Subject: AW: Strange CONNECT entries in apache logs
>
>
> I find some of this requests in my logs too;
> on different servers. I think you should have a
> look at http://www.kb.cert.org/vuls/id/150227
> for a discribtion on this.
>
> My apache server answers with 400 or 405 on this
> requests. Your server seems to accept this requests
> (302, 200)!
>
> Stefan
> Inter.net Switzerland
>
>
> > -----Ursprüngliche Nachricht-----
> > Von: Rajkumar S [mailto:listuser () myrealbox com]
> > Gesendet: Freitag, 6. Juni 2003 18:35
> > An: incidents () securityfocus com
> > Betreff: Strange CONNECT entries in apache logs
> >
> >
> > Hi,
> >
> > While going through my apache logs, I found some logs
> > indicating CONNECT
> > requests to port 25 of other hosts.
> >
> > 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25
> > HTTP/1.1" 302 5 "-" "-"
> > 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25
> > HTTP/1.0" 200 14409 "-" "-"
> > 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25
> > HTTP/1.0" 200 17757 "-" "-"
> >
> > I found this in 2 machines in indian ip block. My another
> > server at US
> > is not affected by this. Some one else seeing this? Could this be the
> > next wave of spam ??
> >
> > raj
>
> ----------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.488 / Virus Database: 287 - Release Date: 6/5/2003
>
>
>
> ----------------------------------------------------------------------------
> ----------------------------------------------------------------------------

Attachment: _bin
Description: