Re: strange apache log entry

From: Axel Beckert (beckertat_private)
Date: Mon Aug 12 2002 - 09:53:34 PDT

    Hi!
    
    On Sat, Aug 10, 2002 at 06:50:15PM +0200, nargaat_private wrote:
    > Yesterday I saw this in my logs (apache 2.0.39 access_log):
    > ::1 - - [10/Aug/2002:00:25:56 +0200] "CONNECT :::2121 HTTP/1.1" 400 267
    > ::1 - - [10/Aug/2002:00:33:31 +0200] "CONNECT :::2121 HTTP/1.1" 400 267
    > 
    > error_log:
    > [Sat Aug 10 00:25:56 2002] [error] [client ::1] request failed: error reading the headers
    > [Sat Aug 10 00:33:31 2002] [error] [client ::1] request failed: error reading the headers
    > 
    > It seems like someone wants to connect to my port 2121 
    
    I wouldn't be sure about that.
    
    > through a proxy. The strange thing is that there isn't any IP.
    
    There are IPs. '::1' is the IPv6 IP for 'localhost', to which this
    hostname resolves first on a SuSE 8.0 (and if that fails, it resolves
    to '127.0.0.1').
    
    Which means that it's very likely that this request came from one of
    your applications.
    
    > My firewall (SuSEfirewall, an ipchains-based firewall from SuSE)
    > didn't log anything, and snort didn't log anything either. I wasn't able to
    > reproduce this by sending the request manually to port 80.
    
    Try 'telnet localhost 80' and then enter 'CONNECT :::2121
    HTTP/1.1\n\n', it should reproduce the log entries.
    
    If those log entries become annoying, just comment out the IPv6 IPs
    from /etc/hosts and they should disappear.
     
    > My question: is this a bug in apache, or what else happened?
    
    Maybe the Apache isn't capable of IPv6 IP addresses (don't guess so)
    or the client which issued the request has sent a malformed request.
    
                Kind regards, Axel Beckert
    -- 
    -------------------------------------------------------------
    Axel Beckert      ecos electronic communication services gmbh
    Internetconnect * Webserver/-design/-datenbanken * Consulting
    
    Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
    E-Mail:     beckertat_private         Voice:    +49 6133 926530
    WWW:        http://www.ecos.de/     Fax:      +49 6133 925152
    -------------------------------------------------------------
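
An added example, not part of the original message or of Apache: a Python triage of access-log CONNECT entries along the lines of the reply above, separating loopback clients such as `::1` from remote ones and checking whether the CONNECT target is a well-formed host:port. The function names, the bracketed-IPv6 check and the last three sample log lines are assumptions made for this illustration.

```python
import ipaddress
import re

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+$')

# First two lines are from the post above; the last three are constructed.
SAMPLE_LOG = """\
::1 - - [10/Aug/2002:00:25:56 +0200] "CONNECT :::2121 HTTP/1.1" 400 267
::1 - - [10/Aug/2002:00:33:31 +0200] "CONNECT :::2121 HTTP/1.1" 400 267
192.0.2.10 - - [10/Aug/2002:01:02:03 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 405 300
127.0.0.1 - - [10/Aug/2002:01:05:00 +0200] "CONNECT [::1]:2121 HTTP/1.1" 405 300
192.0.2.10 - - [10/Aug/2002:01:06:00 +0200] "GET /index.html HTTP/1.1" 200 1024
"""

def authority_ok(target):
    """host:port check; an IPv6 literal must be bracketed, e.g. [::1]:2121."""
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        return False
    if ":" in host:
        return host.startswith("[") and host.endswith("]")
    return True

def triage_connects(log_text):
    """Return (client, origin, target, well_formed, status) per CONNECT request."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue
        parts = m.group("request").split()
        if len(parts) < 2 or parts[0].upper() != "CONNECT":
            continue
        try:
            loopback = ipaddress.ip_address(m.group("host")).is_loopback
            origin = "local" if loopback else "remote"
        except ValueError:
            origin = "unknown"  # client logged as a hostname, not an IP
        findings.append((m.group("host"), origin, parts[1],
                         authority_ok(parts[1]), int(m.group("status"))))
    return findings

if __name__ == "__main__":
    for finding in triage_connects(SAMPLE_LOG):
        print(finding)
```

Entries with origin "local" point at a process on the web server itself, so the next step is looking at local software rather than firewall or IDS logs.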
    