Weird log entries...

From: Josh Diakun (joshd@superaje.com)
Date: 03/28/02


From: "Josh Diakun" <joshd@superaje.com>
To: "Incidents" <INCIDENTS@SECURITYFOCUS.COM>
Date: Thu, 28 Mar 2002 05:06:33 -0500

Hello All,

I was just sifting through my Apache access log file and found some weird
entries that caught my attention. After a quick search on the SecurityFocus
mailing list archives I was unable to come up with anything...so maybe someone
out there could be of some help to explain to me what bug these users are
trying to exploit. Here are the log entries:

216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 344
217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469

And then of course there were many, many other entries of the same sort. I
understand the basics of what they are trying to accomplish (connecting to an
outside source through my machine...in most of these cases, an IRC
server)...but I've never really seen this bug, except for the multiple hits
over the last two/three weeks. If someone would care to elaborate, that would
be greatly appreciated. Thanks in advance.

Sincerely,

Josh Diakun
ACPO Development Team Member
http://www.antichildporn.org
http://www.joshd.ca

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
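
An added example, not part of the original post: a small Python triage script that pulls CONNECT requests out of an Apache access log, counts them per source and per requested target, and lists any that the server answered with a 2xx status (the case where it actually relayed the connection). The function names are hypothetical, and the last sample line is constructed to exercise the 2xx path; the other nine are the entries quoted in the post.

```python
import re
from collections import Counter

# Apache common log format; only the fields used below are captured.
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$')

# First nine lines: entries from the post. Last line: constructed (documentation addresses).
SAMPLE_LOG = """\
216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 344
217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
192.0.2.10 - - [27/Mar/2002:04:00:00 -0500] "CONNECT 198.51.100.5:6667 HTTP/1.0" 200 0
"""

def connect_attempts(log_text):
    """Yield (source, host, port, status) for each CONNECT request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("method") != "CONNECT":
            continue
        target = m.group("target").rstrip("/")   # one entry in the post ends in "/"
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            host, port = target, None             # no usable port in the request
        yield m.group("src"), host, int(port) if port else None, int(m.group("status"))

def summarize(log_text):
    """Count attempts per source and per target; list those answered with 2xx."""
    by_source, by_target, accepted = Counter(), Counter(), []
    for src, host, port, status in connect_attempts(log_text):
        by_source[src] += 1
        by_target[(host, port)] += 1
        if 200 <= status < 300:                   # tunnel was set up: server relayed
            accepted.append((src, host, port))
    return by_source, by_target, accepted

if __name__ == "__main__":
    sources, targets, accepted = summarize(SAMPLE_LOG)
    for (host, port), n in targets.most_common():
        print(f"{n:3d} attempts -> {host}:{port}")
    print("sources:", sources.most_common())
    print("accepted (check proxy configuration):", accepted or "none")
```

Every entry quoted in the post carries a 401 or 400 status, so none of them would appear in the accepted list.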


