Re: Strange CONNECT entries in apache logs

From: John Lampe (j_lampeat_private)
Date: Tue Jun 10 2003 - 16:25:43 PDT


    Also interesting to note that my ISP (COMCAST) seems to be scanning some of
    their ranges for this same (old) bug.  They are either proactive or a bit on
    the invasive side...
    
    24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 304
    24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 310
    
    John W. Lampe
    https://f00dikator.aceryder.com/
    
    ----- Original Message -----
    From: "Stefan Allemann" <salat_private>
    To: "Rajkumar S" <listuserat_private>; <incidentsat_private>
    Sent: Monday, June 09, 2003 9:55 AM
    Subject: AW: Strange CONNECT entries in apache logs
    
    
    I find some of these requests in my logs too,
    on different servers. I think you should have a
    look at http://www.kb.cert.org/vuls/id/150227
    for a description of this.
    
    My apache server answers these requests with
    400 or 405. Your server seems to accept these
    requests (302, 200)!
    
    Stefan
    Inter.net Switzerland
    
    
    > -----Original Message-----
    > From: Rajkumar S [mailto:listuserat_private]
    > Sent: Friday, 6 June 2003 18:35
    > To: incidentsat_private
    > Subject: Strange CONNECT entries in apache logs
    >
    >
    > Hi,
    >
    > While going through my apache logs, I found some logs
    > indicating CONNECT
    > requests to port 25 of other hosts.
    >
    > 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
    > 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
    > 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
    >
    > I found this on 2 machines in an Indian IP block. My other
    > server in the US
    > is not affected by this. Is anyone else seeing this? Could this be the
    > next wave of spam?
    >
    > raj
    >
    
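As an added example, not part of the thread: a small Python check that pulls CONNECT-to-port-25 lines out of an Apache access log and separates refused requests (400/405, as on Stefan's and John's servers) from accepted ones (200/302, as on Raj's). The sample lines are constructed from the ones quoted above; the function names are this example's own.

```python
import re
from collections import Counter

# Matches Apache access-log lines recording a CONNECT request, with or without
# the "- -" ident/authuser fields (both layouts appear in the thread above).
CONNECT_RE = re.compile(
    r'^(?P<client>\S+)\s+(?:\S+\s+\S+\s+)?\[(?P<ts>[^\]]+)\]\s+'
    r'"CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\S+)'
)

# Constructed sample, based on the lines quoted in this thread plus one
# ordinary GET that must be ignored.
SAMPLE_LOG = """\
24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 304
213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
10.0.0.5 - - [10/Jun/2003:15:01:02 -0400] "GET /index.html HTTP/1.1" 200 512
"""


def classify(status):
    """4xx/5xx means Apache refused the tunnel (noise from scanners);
    2xx/3xx means the request was accepted and the server may be relaying."""
    return "refused" if status >= 400 else "accepted"


def find_connect_attempts(log_text, port=25):
    """Return one record per CONNECT request aimed at the given port."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if not m or int(m.group("port")) != port:
            continue
        status = int(m.group("status"))
        hits.append({"client": m.group("client"), "target": m.group("host"),
                     "port": port, "status": status, "bytes": m.group("bytes"),
                     "verdict": classify(status)})
    return hits


def summarize(hits):
    """Verdict counts, so an admin sees at a glance whether any tunnel got through."""
    return dict(Counter(h["verdict"] for h in hits))


if __name__ == "__main__":
    found = find_connect_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["client"]:>16} -> {h["target"]}:{h["port"]}  {h["status"]}  {h["verdict"]}')
    print(summarize(found))
```

A large byte count on an accepted CONNECT (as in the 200/14409 line) is the strongest sign that data actually flowed through the tunnel, so those entries deserve attention first.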



    This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 14:27:16 PDT