[Full-Disclosure] Odd logs

From: Michael Linke (ml_at_intract.org)
Date: 06/04/03

    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 4 Jun 2003 21:02:51 +0200
    

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Mark
    > Sent: Wednesday, 4 June 2003 18:31
    > To: Lan Guy
    > Cc: Scott M. Algatt; full-disclosure@lists.netsys.com
    >
    >
    >
    > The excerpt from my log files which had the same (but can't say it caused
    > me any concern)
    >
    > dhpp.csudh.edu - - [01/Jun/2003:21:27:08 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 303 "-" "-"

    For a long time I have seen something like this in my Apache log files. The
    CONNECT command means that someone is trying to use your HTTP server for HTTP
    tunnelling. But as long as the access.log shows an error code like 405, 404,
    400 or 407, it is running fine.
    But in case there is a status code of 200, you have to check your
    configuration.

    Here is a short collection of some strange log file entries.

    80.181.x.x - - [03/Jun/2003:19:15:17 +0200] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 520
    195.214.x.x - - [15/May/2003:07:08:25 +0200] "-" 408 -
    212.141.x.x - - [17/May/2003:12:43:03 +0200] "OPTIONS * HTTP/1.0" 403 268
    193.127.x.x - - [19/May/2003:02:14:27 +0200] "HEAD / HTTP/1.1" 400 0
    200.203.x.x - - [21/May/2003:11:07:44 +0200] "CONNECT cratosthenes.zen.co.uk:25 HTTP/1.0" 403 277
    212.66.x.x - - [25/May/2003:04:15:25 +0200] "SEARCH / HTTP/1.1" 403 269
    216.25.x.x - - [01/Jun/2003:09:29:03 +0200] "PROPFIND / HTTP/1.0" 403 268
    217.45.x.x - - [01/Jun/2003:23:04:15 +0200] "GET /NULL.printer" 404 -

    Regards,
    Michael

    intract - any business anywhere
    Michael Linke
    Netzwerkadministrator
    Heilbronnerstr. 50
    D-73728 Esslingen
    Germany
    Phone : +49 384 16297 50
    Fax : +49 711 35152 89
    mobile : +49 178 51 52 959
    e-mail : ml@intract.org
    ICQ : 141033973
    webside: http://www.intract.org

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
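
The check described in the message above (a CONNECT answered with an error code is harmless, a CONNECT answered with 200 means the configuration needs a look), written as a log review script. This is an added example, not part of the original post; the verdict labels are hypothetical, and the last sample line (a CONNECT answered with 200 from a documentation address) is constructed.

```python
import re

# Apache common/combined log line: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ORDINARY = {"GET", "HEAD", "POST"}

def classify(line):
    """Return (verdict, host, method, target, status) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m["request"].split()
    # An empty request is logged as "-" (e.g. a 408 timeout): no method to inspect.
    method = parts[0].upper() if parts and parts[0] != "-" else None
    target = parts[1] if len(parts) > 1 else None
    status = int(m["status"])
    if method == "CONNECT":
        # 2xx means the server agreed to tunnel: check the proxy configuration.
        verdict = "CHECK-CONFIG" if 200 <= status < 300 else "refused-probe"
    elif method is None or method in ORDINARY:
        verdict = "ordinary"
    else:
        verdict = "unusual-method"
    return verdict, m["host"], method, target, status

def review(lines):
    """Classify every parseable line and return only those worth a look."""
    results = (classify(l) for l in lines)
    return [r for r in results if r and r[0] != "ordinary"]

# Constructed sample: three entries in the shape of those in the message,
# plus one hypothetical accepted CONNECT (status 200) from a documentation address.
SAMPLE = [
    'dhpp.csudh.edu - - [01/Jun/2003:21:27:08 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 303 "-" "-"',
    '195.214.x.x - - [15/May/2003:07:08:25 +0200] "-" 408 -',
    '212.66.x.x - - [25/May/2003:04:15:25 +0200] "SEARCH / HTTP/1.1" 403 269',
    '192.0.2.10 - - [04/Jun/2003:10:00:00 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for verdict, host, method, target, status in review(SAMPLE):
        print(f"{verdict:15} {host:16} {method} {target} -> {status}")
```

Only the CHECK-CONFIG verdict calls for action on the server itself; the other two verdicts record requests the server already refused.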

