Funny thing is I've got both in the same server log;

some are GET / default.ida..... 200
some are 404

No idea why.... no proxies are enabled on that server.

...........
Oscar

On Wednesday, Jun 11, 2003, at 16:40 America/Lima, Peter Osterberg wrote:

> Not sure but mine always reads
>
> 172.185.189.199 - - [11/Jun/2003:22:20:56 +0200] "GET
> /
> default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
> %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f
> f%u0078%u0000%u00=a HTTP/1.0" 404 334 "-" "-"
>
>
> At 23:51 2003-06-10 -0500, you wrote:
>> If 200 is a successful connection, do these lines mean I am in
>> trouble?...
>>
>>
>> 200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET
>> /
>> default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> XX
>> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> XX
>> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> XX
>> XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u
>> 90
>> 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u
>> 00 78%u0000%u00=a HTTP/1.0" 200 -
>>
>> 21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET
>> http://www.nessus.org HTTP/1.0" 200 2347
>>
>> 21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE
>> /thisFiledoesNotexist.html HTTP/1.1" 200 319
>>
>> 21.10.41.230 - - [07/Jun/2003:09:32:43 -0500] "GET /%2e/ HTTP/1.1" 200
>> 2347
>>
>> 21.10.41.230 - - [07/Jun/2003:09:32:48 -0500] "OPTIONS * HTTP/1.0"
>> 200 -
>>
>> 21.10.41.230 0 - - [07/Jun/2003:09:32:16 -0500] "GET
>> /index.php?page=../../../../../../../../../../../../../../../etc/
>> passwd
>> HTTP/1.1" 200 38508
>>
>> 21.10.41.230 - - [07/Jun/2003:09:32:14 -0500] "GET /?sql_debug=1
>> HTTP/1.1" 200 2347
>>
>> 21.10.41.230 - - [07/Jun/2003:09:31:42 -0500] "GET
>> /////////////////////////////////////////////////////////////////////
>> //
>> /////////////////////////////////////////////////////////////////////
>> //
>> /////////////////////////////////////////////////////////////////////
>> //
>> /////////////////////////////////////////////////////////////////////
>> //
>> /////////////////////////////////////////////////////////////////////
>> // /////////////// HTTP/1.1" 200 2347
>>
>> 21.10.41.230 - - [07/Jun/2003:09:31:30 -0500] "GET /?Mode=debug
>> HTTP/1.1" 200 2347
>>
>> 212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0"
>> 200 0
>>
>>
>>
>> Thanks.
>>
>> -------
>> Oscar
>>
>>
>> On Monday, Jun 9, 2003, at 15:34 America/Lima, Christine Kronberg
>> wrote:
>>
>>> On Fri, 6 Jun 2003, Rajkumar S wrote:
>>>
>>>>
>>>> While going through my apache logs, I found some logs indicating
>>>> CONNECT requests to port 25 of other hosts.
>>>>
>>>> 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25
>>>> HTTP/1.1" 302 5 "-" "-"
>>>> 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT
>>>> 207.44.188.67:25
>>>> HTTP/1.0" 200 14409 "-" "-"
>>>> 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25
>>>> HTTP/1.0" 200 17757 "-" "-"
>>>>
>>>> I found this on 2 machines in an Indian IP block. My other server
>>>> in the US is not affected by this. Is someone else seeing this?
>>>> Could this be the next wave of spam ??
>>>
>>> Some people are using your apache as mailrelay. Did you enable
>>> proxying? Getting a "200" indicates that the connect to those
>>> mailservers was successful. Make sure that you configure your
>>> apache not to accept CONNECTs from everywhere to other than
>>> special ports, if you need proxying at all (if you don't need
>>> it disable that feature).
>>> I see people trying to connect to other servers each day, but
>>> they get a "405" error.
>>>
>>> Cheers,
>>>
>>>
>>>
>>> Chris.
>>>
>>> --
>>> GeNUA mbH
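
An added example, not part of the thread: a short Python triage of the two log patterns discussed in the messages above, CONNECT requests to port 25 (where, per the reply, a 200 means the connection to the mail server was made) and the mix of 200 and 404 answers to `default.ida`. The sample entries are rebuilt from the quoted log lines, and all function names are this example's own.

```python
import re
from collections import Counter

# Sample entries rebuilt from the log lines quoted in the thread (wrapped
# lines rejoined, the long "X" padding shortened); constructed test input.
SAMPLE_LOG = '''\
213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
172.185.189.199 - - [11/Jun/2003:22:20:56 +0200] "GET /default.ida?XXXXXXXX=a HTTP/1.0" 404 334 "-" "-"
200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET /default.ida?XXXXXXXX=a HTTP/1.0" 200 -
212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0
'''

# client, optional ident/user columns, [time], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<client>\S+)(?: \S+)*? \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b')

def parse(log_text):
    """Yield (client, method, target, status) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["client"], m["method"], m["target"], int(m["status"])

def smtp_connects(log_text):
    """CONNECT requests aimed at port 25, split by whether the answer was 2xx."""
    relayed, not_relayed = [], []
    for client, method, target, status in parse(log_text):
        if method == "CONNECT" and target.rpartition(":")[2] == "25":
            bucket = relayed if 200 <= status < 300 else not_relayed
            bucket.append((client, target, status))
    return relayed, not_relayed

def default_ida_statuses(log_text):
    """Count response codes for requests whose path is /default.ida."""
    return Counter(status for _, _, target, status in parse(log_text)
                   if target.split("?")[0].lstrip("/").lower() == "default.ida")

if __name__ == "__main__":
    relayed, not_relayed = smtp_connects(SAMPLE_LOG)
    for client, target, status in relayed:
        print(f"RELAYED      {client} -> {target} ({status}): check proxy config")
    for client, target, status in not_relayed:
        print(f"not relayed  {client} -> {target} ({status})")
    print("default.ida responses:", dict(default_ida_statuses(SAMPLE_LOG)))
```
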
This archive was generated by hypermail 2b30 : Thu Jun 12 2003 - 10:24:53 PDT