Weird log entries...

From: Josh Diakun (joshdat_private)
Date: Thu Mar 28 2002 - 02:06:33 PST

    Hello All,
    
    I was just sifting through my Apache access log file and found some weird
    entries that caught my attention. After a quick search of the SecurityFocus
    mailing list archives I was unable to come up with anything...so maybe someone
    out there could be of some help to explain to me what bug these users are
    trying to exploit. Here are the log entries:
    
    216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
    66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
    130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
    130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
    193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 344
    217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
    66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
    217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
    217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
    
    
    And then of course there were many, many other entries of the same sort. I
    understand the basics of what they are trying to accomplish (connecting to an
    outside source through my machine...in most of these cases, an IRC
    server)...but I've never really seen this bug, except for the multiple hits
    over the last two/three weeks. If someone would care to elaborate, that would
    be greatly appreciated. Thanks in advance.
    
    Sincerely,
    
    Josh Diakun
    ACPO Development Team Member
    http://www.antichildporn.org
    http://www.joshd.ca
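
Added example, not part of the original post: a small Python triage script for Apache access logs in Common Log Format that extracts CONNECT requests, counts attempts per target, and flags any the server answered with a 2xx status (a tunnel it accepted, unlike the 401/400 refusals above). Four sample lines are taken from the post; the final line, with documentation-range addresses, is constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Common Log Format line carrying a CONNECT request; the target is host:port.
CONNECT_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"CONNECT (?P<host>[^\s:"]+):(?P<port>\d+)\S* HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# First four entries are from the post; the last is constructed (accepted tunnel).
SAMPLE_LOG = """\
216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 344
217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
192.0.2.10 - - [27/Mar/2002:04:00:00 -0500] "CONNECT 198.51.100.7:6667 HTTP/1.0" 200 0
"""

def parse_connects(text):
    """Return one dict per CONNECT entry; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries

def summarize(entries):
    """Count attempts per (host, port) and list entries answered with 2xx."""
    targets = Counter((e["host"], e["port"]) for e in entries)
    accepted = [e for e in entries if 200 <= e["status"] < 300]
    return targets, accepted

if __name__ == "__main__":
    targets, accepted = summarize(parse_connects(SAMPLE_LOG))
    for (host, port), count in targets.most_common():
        print(f"{count:3d} attempt(s) -> {host}:{port}")
    for e in accepted:
        print(f"ACCEPTED: {e['src']} tunnelled to {e['host']}:{e['port']} at {e['ts']}")
```

Any entry reported as ACCEPTED means the server is forwarding traffic for outside clients and its proxy configuration should be reviewed.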
    
    