Security Incidents mailing list archives
Re: Strange CONNECT entries in apache logs
From: OSCAR <oscar7890 () hotmail com>
Date: Wed, 11 Jun 2003 21:02:16 -0500
Funny thing is I've got both in the same server log; some are GET / default.ida..... 200, some are 404.
No idea why.... no proxies are enabled on that server.

Oscar

On Wednesday, Jun 11, 2003, at 16:40 America/Lima, Peter Osterberg wrote:

> Not sure but mine always reads
>
> 172.185.189.199 - - [11/Jun/2003:22:20:56 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 334 "-" "-"
>
> At 23:51 2003-06-10 -0500, you wrote:
>
>> If 200 is a successful connection, do these lines mean I am in trouble?...
>>
>> 200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
>> 21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET http://www.nessus.org HTTP/1.0" 200 2347
>> 21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE /thisFiledoesNotexist.html HTTP/1.1" 200 319
>> 21.10.41.230 - - [07/Jun/2003:09:32:43 -0500] "GET /%2e/ HTTP/1.1" 200 2347
>> 21.10.41.230 - - [07/Jun/2003:09:32:48 -0500] "OPTIONS * HTTP/1.0" 200 -
>> 21.10.41.230 - - [07/Jun/2003:09:32:16 -0500] "GET /index.php?page=../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 38508
>> 21.10.41.230 - - [07/Jun/2003:09:32:14 -0500] "GET /?sql_debug=1 HTTP/1.1" 200 2347
>> 21.10.41.230 - - [07/Jun/2003:09:31:42 -0500] "GET ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// HTTP/1.1" 200 2347
>> 21.10.41.230 - - [07/Jun/2003:09:31:30 -0500] "GET /?Mode=debug HTTP/1.1" 200 2347
>> 212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0
>>
>> Thanks.
>>
>> Oscar
>>
>> On Monday, Jun 9, 2003, at 15:34 America/Lima, Christine Kronberg wrote:
>>
>>> On Fri, 6 Jun 2003, Rajkumar S wrote:
>>>
>>>> While going through my apache logs, I found some logs indicating CONNECT requests to port 25 of other hosts.
>>>>
>>>> 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
>>>> 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
>>>> 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
>>>>
>>>> I found this on 2 machines in the Indian IP block. My other server in the US is not affected by this. Someone else seeing this? Could this be the next wave of spam??
>>>
>>> Some people are using your apache as a mail relay. Did you enable proxying? Getting a "200" indicates that the connect to those mailservers was successful. Make sure that you configure your apache not to accept CONNECTs from everywhere to other than special ports, if you need proxying at all (if you don't need it, disable that feature). I see people trying to connect to other servers each day, but they get a "405" error.
>>>
>>> Cheers,
>>>
>>> Chris.
>>>
>>> --
>>> GeNUA mbH
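An added triage example, not code from any poster in this thread: a small Python script that parses log lines in the format quoted above and sorts them into the categories the discussion turns on. A CONNECT with a 2xx status is the open-proxy relay evidence Christine describes (the tunnel to the remote port was actually established); a CONNECT with any other status (the 302 in Rajkumar's first line, the 405 Christine sees) means the server refused it. A GET with an absolute URI is a forward-proxy fetch. The default.ida requests are the Code Red worm's probe for the IIS Indexing Service ISAPI filter; on an Apache server the status only says what Apache answered, not that anything was executed, which is why Oscar sees both 200 and 404. The sample log text is constructed here, modeled on the quoted lines (shortened); the function and category names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines modeled on the ones quoted in the thread (not the
# posters' actual log files). Common log format; some lines lack referer/UA.
SAMPLE_LOG = """\
213.130.24.192 - - [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
130.94.247.248 - - [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
130.94.247.248 - - [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
10.0.0.5 - - [06/Jun/2003:11:00:00 +0530] "CONNECT smtp.example.invalid:25 HTTP/1.0" 405 319 "-" "-"
172.185.189.199 - - [11/Jun/2003:22:20:56 +0200] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 334 "-" "-"
200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 200 -
21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET http://www.nessus.org HTTP/1.0" 200 2347
21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE /thisFiledoesNotexist.html HTTP/1.1" 200 319
21.10.41.230 - - [07/Jun/2003:09:32:16 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 38508
212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0
"""

# client ident user [timestamp] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Map one parsed entry to a triage category (names are this example's own)."""
    method, target, status = entry["method"], entry["target"], entry["status"]
    ok = 200 <= status < 300
    if method == "CONNECT":
        # CONNECT host:port; a 2xx means Apache opened the tunnel for the client.
        _host, _, port = target.rpartition(":")
        if ok:
            return "open_proxy_relay" if port == "25" else "open_proxy_tunnel"
        return "connect_blocked"            # 302, 403, 405, ...: proxying refused
    if target.startswith(("http://", "https://")):
        # Absolute URI in the request line = forward-proxy fetch (the nessus.org line).
        return "proxy_fetch_served" if ok else "proxy_fetch_blocked"
    if "default.ida" in target:
        return "code_red_probe"             # IIS worm probe; status is irrelevant on Apache
    if "../" in unquote(target):
        return "path_traversal_attempt"
    if method == "TRACE" and ok:
        return "trace_enabled"
    return "other"


def analyze(log_text):
    """Classify every line; return (list of findings, Counter of categories)."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            findings.append({"client": None, "category": "unparsed", "line": raw})
            continue
        entry["category"] = classify(entry)
        findings.append(entry)
    return findings, Counter(f["category"] for f in findings)


def open_relay_clients(log_text):
    """Sorted list of client IPs that got a CONNECT tunnel through this server."""
    findings, _ = analyze(log_text)
    return sorted({f["client"] for f in findings
                   if f["category"] in ("open_proxy_relay", "open_proxy_tunnel")})


if __name__ == "__main__":
    findings, summary = analyze(SAMPLE_LOG)
    for category, count in summary.most_common():
        print(f"{count:3d}  {category}")
    print("clients that relayed through us:", open_relay_clients(SAMPLE_LOG))
```

Run it on a real access log by passing the file contents to `analyze()`. Any `open_proxy_relay` or `open_proxy_tunnel` hit is the condition Christine describes and calls for checking the proxy configuration (disable proxying, or restrict which clients and which destination ports may CONNECT); `connect_blocked` and `code_red_probe` entries are background noise that every public server collects.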