Re: Weird log entries...
From: Kelly Martin (kmartin@pyrzqxgl.org)
Date: 03/28/02
- Previous message: zeno: "Re: Weird log entries..."
- In reply to: Josh Diakun: "Weird log entries..."
- Next in thread: Florian Weimer: "Re: Weird log entries..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Kelly Martin" <kmartin@pyrzqxgl.org>
To: "Josh Diakun" <joshd@superaje.com>, "Incidents" <INCIDENTS@SECURITYFOCUS.COM>
Date: Thu, 28 Mar 2002 07:47:07 -0600
These are attempts to connect to IRC servers via HTTP-based proxy. It could
be people trying to hijack your proxy server (if you had one), but it could
also be an IRC server you are connecting to proxy-scanning you. Many IRC
servers now scan incoming clients for unsafe proxy servers and K-line those
that test positive.
Kelly
----- Original Message -----
From: "Josh Diakun" <joshd@superaje.com>
To: "Incidents" <INCIDENTS@SECURITYFOCUS.COM>
Sent: Thursday, March 28, 2002 4:06 AM
Subject: Weird log entries...
> Hello All,
>
> I was just sifting through my apache access log file and found some weird
> entries that caught my attention. After a quick search on the security focus
> mailing list archives I was unable to come up with anything...so maybe someone
> out there could be of some help to explain to me what bug these users are
> trying to exploit. Here's the log entries:
>
> 216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
> 130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 344
> 217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
> 217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
> 217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
>
>
> And then of course there were many, many other entries of the same sort. I
> understand the basics of what they are trying to accomplish (connecting to an
> outside source through my machine...in most of these cases, an IRC
> server)...but I've never really seen this bug, except for the multiple hits
> over the last two/three weeks. If someone could care to elaborate, that would
> be greatly appreciated. Thanks in advance.
>
> Sincerely,
>
> Josh Diakun
> ACPO Development Team Member
> http://www.antichildporn.org
> http://www.joshd.ca
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
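
Added example (not part of the original message or thread): a small triage script for the kind of CONNECT entries discussed above. It groups them by source and target and separates requests the server refused (4xx, as in the quoted log) from any it answered with 2xx. The sample log is constructed with documentation-range addresses, and the IRC port set and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Apache common log format, modelled on the quoted entries.
# Addresses are documentation ranges; the 200 and GET lines are added for contrast.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 198.51.100.20:6669 HTTP/1.0" 401 469
192.0.2.10 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 198.51.100.20:6669 HTTP/1.0" 401 469
192.0.2.55 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 203.0.113.7:2048/ HTTP/1.1" 400 344
192.0.2.77 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 198.51.100.27:6667 HTTP/1.0" 200 0
192.0.2.99 - - [27/Mar/2002:02:21:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

CONNECT_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"CONNECT (?P<host>[^\s:"]+):(?P<port>\d+)\S* HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?:\d+|-)$'
)
IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumption: commonly used IRC ports


def summarize_connects(log_text):
    """Group CONNECT requests by (source, target host, target port)."""
    summary = defaultdict(lambda: {"count": 0, "statuses": set()})
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m is None:
            continue  # not a CONNECT request, or not in common log format
        entry = summary[(m["src"], m["host"], int(m["port"]))]
        entry["count"] += 1
        entry["statuses"].add(int(m["status"]))
    return dict(summary)


def triage(summary):
    """One finding per source/target pair. A 4xx means the request was refused;
    a 2xx means it was not, so the server's proxy configuration needs checking."""
    findings = []
    for (src, host, port), info in sorted(summary.items()):
        accepted = any(200 <= s < 300 for s in info["statuses"])
        findings.append({
            "source": src, "target": f"{host}:{port}", "count": info["count"],
            "irc_port": port in IRC_PORTS,
            "verdict": "accepted" if accepted else "refused",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(summarize_connects(SAMPLE_LOG)):
        print(finding)
```

A 2xx on a CONNECT line is a prompt to review the proxy configuration, not proof of relaying on its own.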