These are attempts to connect to IRC servers via an HTTP-based proxy. It could be people trying to hijack your proxy server (if you had one), but it could also be an IRC server you are connecting to proxy-scanning you. Many IRC servers now scan incoming clients for unsafe proxy servers and K-line those that test positive.

Kelly

----- Original Message -----
From: "Josh Diakun" <joshdat_private>
To: "Incidents" <INCIDENTSat_private>
Sent: Thursday, March 28, 2002 4:06 AM
Subject: Weird log entries...

> Hello All,
>
> I was just shifting through my apache access log file and found some weird
> entries that caught my attention. After a quick search on the security focus
> mailing list archives I was unable to come up with anything...so maybe someone
> out there could be of some help to explain to me what bug these users are
> trying to exploit. Here's the log entries:
>
> 216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
> 130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 344
> 217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
> 217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
>
> And then of course there were many, many other entries of the same sort. I
> understand the basics of what they are trying to accomplish (connecting to an
> outside source through my machine...in most of these cases, an IRC
> server)...but I've never really seen this bug, except for the multiple hits
> over the last two/three weeks. If someone could care to elaborate, that would
> be greatly appreciated. Thanks in advance.
>
> Sincerely,
>
> Josh Diakun
> ACPO Development Team Member
> http://www.antichildporn.org
> http://www.joshd.ca
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
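
A triage sketch for log entries like the ones quoted above, added here as an example and not part of either poster's message: it pulls CONNECT requests out of a common-log-format access log, counts them per target, and lists any the server did not refuse. The sample uses lines from the quoted log plus two constructed lines (192.0.2.10 and 192.0.2.11); the IRC port set and the function names are assumptions.

```python
import re
from collections import Counter

# Access-log lines from the quoted message, plus two constructed lines
# (192.0.2.10 and 192.0.2.11) showing an accepted CONNECT and an ordinary GET.
SAMPLE_LOG = '''\
216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 344
217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
192.0.2.10 - - [27/Mar/2002:05:00:00 -0500] "CONNECT 198.51.100.7:6667 HTTP/1.0" 200 0
192.0.2.11 - - [27/Mar/2002:05:00:01 -0500] "GET /index.html HTTP/1.0" 200 1024
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumption: conventional IRC ports

def parse_connects(text):
    """Return one record per CONNECT request found in common-log-format text."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3).upper() != "CONNECT":
            continue
        client, when, _, target, status = m.groups()
        # Targets look like host:port, sometimes with a trailing slash.
        host, _, port = target.rstrip("/").rpartition(":")
        if not port.isdigit():
            continue  # malformed target; skip rather than guess
        records.append({"client": client, "time": when, "host": host,
                        "port": int(port), "status": int(status)})
    return records

def summarize(text):
    """Count CONNECT attempts per target and list any the server did not refuse."""
    recs = parse_connects(text)
    return {
        "total": len(recs),
        "by_target": Counter((r["host"], r["port"]) for r in recs),
        "irc": sum(r["port"] in IRC_PORTS for r in recs),
        # A 2xx answer means the tunnel request was accepted: investigate first.
        "accepted": [r for r in recs if 200 <= r["status"] < 300],
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["total"], "CONNECT attempts,", report["irc"], "to IRC ports")
    for r in report["accepted"]:
        print("NOT REFUSED:", r["client"], "->", r["host"], r["port"], r["status"])
```

The 401 and 400 responses in the quoted log are refusals; only an entry that lands in the "accepted" list indicates the web server may be relaying connections.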
This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 06:24:20 PST