Re: Strange CONNECT entries in apache logs

From: OSCAR (oscar7890at_private)
Date: Wed Jun 11 2003 - 19:02:16 PDT


    Funny thing is I've got both in the same server log; some are GET /default.ida..... 200, some are 404.
    
    No idea why.... no proxies are enabled on that server.
    
    ...........
    Oscar
    
    
    
    On Wednesday, Jun 11, 2003, at 16:40 America/Lima, Peter Osterberg  
    wrote:
    
    > Not sure but mine always reads
    >
    > 172.185.189.199 - - [11/Jun/2003:22:20:56 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 334 "-" "-"
    >
    >
    > At 23:51 2003-06-10 -0500, you wrote:
    >> If 200 is a successful connection, do these lines mean I am in
    >> trouble?...
    >>
    >>
    >> 200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET http://www.nessus.org HTTP/1.0" 200 2347
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE /thisFiledoesNotexist.html HTTP/1.1" 200 319
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:32:43 -0500] "GET /%2e/ HTTP/1.1" 200 2347
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:32:48 -0500] "OPTIONS * HTTP/1.0" 200 -
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:32:16 -0500] "GET /index.php?page=../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 38508
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:32:14 -0500] "GET /?sql_debug=1 HTTP/1.1" 200 2347
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:31:42 -0500] "GET ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// HTTP/1.1" 200 2347
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:31:30 -0500] "GET /?Mode=debug HTTP/1.1" 200 2347
    >>
    >> 212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0
    >>
    >>
    >>
    >> Thanks.
    >>
    >> -------
    >> Oscar
    >>
    >>
    >>
    >>
    >> On Monday, Jun 9, 2003, at 15:34 America/Lima, Christine Kronberg  
    >> wrote:
    >>
    >>> On Fri, 6 Jun 2003, Rajkumar S wrote:
    >>>
    >>>>
    >>>> While going through my apache logs, I found some logs indicating
    >>>> CONNECT
    >>>> requests to port 25 of other hosts.
    >>>>
    >>>> 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
    >>>> 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
    >>>> 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
    >>>>
    >>>> I found this on 2 machines in an Indian IP block. My other server in the
    >>>> US is not affected by this. Is anyone else seeing this? Could this be
    >>>> the next wave of spam?
    >>>
    >>>   Some people are using your apache as a mail relay. Did you enable
    >>>   proxying? Getting a "200" indicates that the connect to those
    >>>   mailservers was successful. Make sure that you configure your
    >>>   apache not to accept CONNECTs from everywhere to other than
    >>>   special ports, if you need proxying at all (if you don't need
    >>>   it, disable that feature).
    >>>   I see people trying to connect to other servers each day, but
    >>>   they get a "405" error.
    >>>
    >>>   Cheers,
    >>>
    >>>
    >>>
    >>>                                                           Chris.
    >>>
    >>> --
    >>> GeNUA mbH
    >>>
    >>>
    >>>
    >>
    >>
    >>
    >>
    >
    
    
    
    
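    The thread turns on reading the status and size fields of these entries: a CONNECT answered with 200 means mod_proxy opened the tunnel and the logged size is what came back through it, while a 302, 403 or 405 means the relay attempt was turned away; a default.ida request is the Code Red signature aimed at IIS, so on Apache the status only says how that server answers an unknown path. The following Python script is an added example, not code posted by anyone in the thread: it parses Apache common/combined log lines (tolerating the missing "- -" ident/user fields in the CONNECT lines as they were pasted above), tags the entry types discussed, and totals the bytes relayed per source. The sample log is constructed for the example, modelled on the quoted entries, with the tag names and the 10.0.0.5 / 192.0.2.7 lines being my own.

    ```python
    import re
    from collections import Counter, defaultdict

    # Constructed sample, modelled on the entries quoted in the thread.
    # The 10.0.0.5 (CONNECT refused with 405) and 192.0.2.7 (ordinary page
    # fetch) lines are added here as a control group.
    SAMPLE_LOG = """\
    213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
    130.94.247.248 - - [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
    130.94.247.248 - - [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
    10.0.0.5 - - [06/Jun/2003:11:00:00 +0530] "CONNECT 192.0.2.10:25 HTTP/1.0" 405 310 "-" "-"
    200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
    172.185.189.199 - - [11/Jun/2003:22:20:56 +0200] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 334 "-" "-"
    21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE /thisFiledoesNotexist.html HTTP/1.1" 200 319
    21.10.41.230 - - [07/Jun/2003:09:32:16 -0500] "GET /index.php?page=../../../../../../etc/passwd HTTP/1.1" 200 38508
    21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET http://www.nessus.org HTTP/1.0" 200 2347
    192.0.2.7 - - [07/Jun/2003:09:40:00 -0500] "GET /index.html HTTP/1.1" 200 2347
    """

    # Apache common/combined log line. The ident/user fields ("- -") are
    # optional because the CONNECT lines quoted in the thread lack them.
    LOG_RE = re.compile(
        r'^(?P<ip>\S+)(?:\s+\S+\s+\S+)?\s+\[(?P<ts>[^\]]+)\]\s+'
        r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+HTTP/\d\.\d)?"\s+'
        r'(?P<status>\d{3})\s+(?P<size>\d+|-)'
    )


    def parse_line(line):
        """Return a dict for one request line, or None if it does not parse."""
        m = LOG_RE.match(line)
        if not m:
            return None
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])   # "-" means no body
        return e


    def classify(e):
        """Tag one parsed entry with the categories discussed in the thread."""
        tags = []
        method, target, status = e["method"], e["target"], e["status"]
        if method == "CONNECT":
            # 200 means the tunnel was established and the size field is the
            # byte count sent back to the client: the relay actually worked.
            tags.append("open-proxy-relay" if status == 200 else "connect-refused")
            if target.rpartition(":")[2] == "25":
                tags.append("smtp-target")
        elif target.startswith("http://"):
            # Absolute-URI GET is a proxy probe; compare its size with a plain
            # "GET /" to tell a locally served page from a proxied one.
            tags.append("absolute-uri-request")
        if "default.ida?" in target and "%u9090" in target:
            # Code Red / IIS .ida overflow signature. The status only shows how
            # this server answers an unknown path, not that anything ran.
            tags.append("code-red-probe")
        if method == "TRACE" and status == 200:
            tags.append("trace-enabled")
        if "../" in target and "/etc/passwd" in target:
            tags.append("traversal-probe")
        return tags


    def summarize(log_text):
        """Group entries by tag and total the bytes relayed per source address."""
        findings = defaultdict(list)
        relayed_bytes = Counter()
        for line in log_text.splitlines():
            e = parse_line(line)
            if e is None:
                continue
            tags = classify(e)
            for tag in tags:
                findings[tag].append((e["ip"], e["status"], e["target"]))
            if "open-proxy-relay" in tags:
                relayed_bytes[e["ip"]] += e["size"]
        return dict(findings), relayed_bytes


    if __name__ == "__main__":
        findings, relayed = summarize(SAMPLE_LOG)
        for tag, entries in sorted(findings.items()):
            print(f"{tag}: {len(entries)}")
            for ip, status, target in entries:
                print(f"    {ip} {status} {target[:60]}")
        for ip, n in relayed.most_common():
            print(f"relayed via {ip}: {n} bytes")
    ```

    Run it against a real access_log with `summarize(open(path).read())`; the entries tagged open-proxy-relay with a non-zero byte total are the ones worth acting on, and the fix on the Apache side is `ProxyRequests Off` (or, if forward proxying is genuinely needed, an `AllowCONNECT` list limited to the ports you intend plus access control on the proxy) in the mod_proxy configuration. Note also that in the scan entries quoted above the absolute-URI GET to www.nessus.org returned 2347 bytes, the same size as the "/", "/%2e/" and "/?Mode=debug" responses, which is what you would expect from Apache serving its own index rather than fetching the remote page.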



    This archive was generated by hypermail 2b30 : Thu Jun 12 2003 - 10:24:53 PDT