Re: Weird log entries...

From: zeno (bugtraqat_private)
Date: Thu Mar 28 2002 - 05:21:51 PST


    k
    
    This is a proxy scan. By the looks of it, you or one of your users went onto IRC.
    Most networks scan your machine for proxies to make sure you are who you say you are.
    
    Name:    proxy5.monitor.dal.net
    Address:  217.10.143.54
    
    Name:    proxy6.monitor.dal.net
    Address:  130.228.230.161
    
    
    
    
    This is proof enough.
    
    - zenoat_private
    
    
    
    > 
    > Hello All,
    > 
    > I was just sifting through my apache access log file and found some weird
    > entries that caught my attention. After a quick search on the security focus
    > mailing list archives I was unable to come up with anything...so maybe someone
    > out there could be of some help to explain to me what bug these users are
    > trying to exploit. Here's the log entries:
    > 
    > 216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669
    > HTTP/1.0" 401 469
    > 66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667
    > HTTP/1.0" 401 469
    > 130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT 151.189.12.20:6669
    > HTTP/1.0" 401 469
    > 130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT 151.189.12.20:6669
    > HTTP/1.0" 401 469
    > 193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/
    > HTTP/1.1" 400 344
    > 217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669
    > HTTP/1.0" 401 469
    > 66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT 198.186.203.27:6667
    > HTTP/1.0" 401 469
    > 217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT 151.189.12.20:6669
    > HTTP/1.0" 401 469
    > 217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669
    > HTTP/1.0" 401 469
    > 
    > 
    > And then of course there were many, many other entries of the same sort. I
    > understand the basics of what they are trying to accomplish (connecting to an
    > outside source through my machine...in most of these cases, an IRC
    > server)...but I've never really seen this bug, except for the multiple hits
    > over the last two/three weeks. If someone could care to elaborate, that would
    > be greatly appreciated. Thanks in advance.
    > 
    > Sincerely,
    > 
    > Josh Diakun
    > ACPO Development Team Member
    > http://www.antichildporn.org
    > http://www.joshd.ca
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
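As an added example, not part of either message in this thread, here is a small Python script that runs the kind of check zeno is describing over the log lines Josh posted: it pulls the CONNECT requests out of an Apache access log, groups them by source address and target port, and separates the harmless case (the server answered 401/400, so nothing was relayed) from the one that would actually matter (a 2xx, meaning the server tunnelled the connection and is an open proxy). The nine log lines are the ones from the original post with the line wrapping undone; the GET line and the 192.0.2.99 line are constructed to exercise the two branches, and the list of IRC ports is an assumption about what a network's proxy monitor typically probes.

```python
import re
from collections import Counter

# Apache common/combined log prefix: client, ident, user, [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: ports an IRC network's open-proxy monitor would usually try to reach.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# Lines 1-9 are from the original post (wrapping undone); the last two are constructed
# to show a non-CONNECT request being ignored and a relayed CONNECT being flagged.
SAMPLE_LOG = [
    '216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469',
    '66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469',
    '130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469',
    '130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469',
    '193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 344',
    '217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469',
    '66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469',
    '217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469',
    '217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469',
    # constructed: an ordinary page fetch, must not be counted
    '10.0.0.5 - - [27/Mar/2002:03:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234',
    # constructed: a CONNECT that was actually tunnelled (2xx) -- the one that should alarm you
    '192.0.2.99 - - [27/Mar/2002:03:05:00 -0500] "CONNECT 198.51.100.7:6667 HTTP/1.0" 200 0',
]


def parse_connect(line):
    """Return a dict describing a CONNECT request line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("method") != "CONNECT":
        return None
    target = m.group("target").rstrip("/")      # "193.109.122.7:2048/" -> "193.109.122.7:2048"
    host, sep, port = target.rpartition(":")
    if not sep:                                 # no port given at all
        host, port = target, None
    else:
        port = int(port) if port.isdigit() else None
    status = int(m.group("status"))
    return {
        "src": m.group("src"),
        "host": host,
        "port": port,
        "status": status,
        # 2xx means Apache really opened the tunnel: the box is acting as an open proxy.
        "relayed": 200 <= status < 300,
        "irc_target": port in IRC_PORTS,
    }


def summarize(lines):
    """Aggregate CONNECT attempts by source and flag any that were actually relayed."""
    attempts = [a for a in (parse_connect(line) for line in lines) if a]
    return {
        "attempts": len(attempts),
        "by_source": Counter(a["src"] for a in attempts),
        "irc_targets": sum(1 for a in attempts if a["irc_target"]),
        "relayed_from": sorted({a["src"] for a in attempts if a["relayed"]}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"CONNECT attempts: {report['attempts']}, aimed at IRC ports: {report['irc_targets']}")
    for src, n in report["by_source"].most_common():
        print(f"  {src:<16} {n}")
    if report["relayed_from"]:
        print("RELAYED (open proxy!) from:", ", ".join(report["relayed_from"]))
    else:
        print("No CONNECT was relayed; the server refused every tunnel request.")
```

Run against a real log with `summarize(open("access_log"))`. The point of the `relayed_from` bucket is that the 401s and 400s in Josh's log are the good outcome: Apache declined to tunnel, and the scanners saw a closed proxy. The entry to worry about is any CONNECT that comes back 2xx, because that means the server is relaying for strangers and the IRC network's next step would be to refuse connections from it.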
    



    This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 06:21:43 PST