Re: Strange CONNECT entries in apache logs

From: OSCAR (oscar7890_at_hotmail.com)
Date: 06/11/03

  • Next message: p00p_at_instable.net: "Re: Strange CONNECT entries in apache logs"
    Date: Tue, 10 Jun 2003 23:51:49 -0500
    To: BBDO Perú Lima <agencia@bbdoperu.com>
    
    

    If 200 is a successful connection, do these lines mean I am in
    trouble?...

    200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET
    /
    default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90
    90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
    78%u0000%u00=a HTTP/1.0" 200 -

    21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET
    http://www.nessus.org HTTP/1.0" 200 2347

    21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE
    /thisFiledoesNotexist.html HTTP/1.1" 200 319

    21.10.41.230 - - [07/Jun/2003:09:32:43 -0500] "GET /%2e/ HTTP/1.1" 200
    2347

    21.10.41.230 - - [07/Jun/2003:09:32:48 -0500] "OPTIONS * HTTP/1.0" 200 -

    21.10.41.230 0 - - [07/Jun/2003:09:32:16 -0500] "GET
    /index.php?page=../../../../../../../../../../../../../../../etc/passwd
    HTTP/1.1" 200 38508

    21.10.41.230 - - [07/Jun/2003:09:32:14 -0500] "GET /?sql_debug=1
    HTTP/1.1" 200 2347

    21.10.41.230 - - [07/Jun/2003:09:31:42 -0500] "GET
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    /////////////// HTTP/1.1" 200 2347

    21.10.41.230 - - [07/Jun/2003:09:31:30 -0500] "GET /?Mode=debug
    HTTP/1.1" 200 2347

    212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0

    Thanks.

    -------
    Oscar

    On Monday, Jun 9, 2003, at 15:34 America/Lima, Christine Kronberg wrote:

    > On Fri, 6 Jun 2003, Rajkumar S wrote:
    >
    >>
    >> While going through my apache logs, I found some logs indicating
    >> CONNECT
    >> requests to port 25 of other hosts.
    >>
    >> 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25
    >> HTTP/1.1" 302 5 "-" "-"
    >> 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25
    >> HTTP/1.0" 200 14409 "-" "-"
    >> 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25
    >> HTTP/1.0" 200 17757 "-" "-"
    >>
    >> I found this in 2 machines in an Indian IP block. My other server in the US
    >> is not affected by this. Someone else seeing this? Could this be the
    >> next wave of spam ??
    >
    > Some people are using your apache as a mail relay. Did you enable
    > proxying? Getting a "200" indicates that the connect to those
    > mailservers was successful. Make sure that you configure your
    > apache not to accept CONNECTs from everywhere to other than
    > special ports, if you need proxying at all (if you don't need
    > it disable that feature).
    > I see people trying to connect to other servers each day, but
    > they get a "405" error.
    >
    > Cheers,
    >
    >
    >
    > Chris.
    >
    > --
    > GeNUA mbH
    >
    >
    >
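Added example, not part of the original messages: a small triage script for the check described in the quoted reply, which reads a 2xx status on a CONNECT request as a relayed connection and anything else (such as 405) as not relayed. The function names are hypothetical, the first three sample lines are the thread's entries unwrapped, and the last two are constructed.

```python
import re
from collections import defaultdict

# Matches both layouts quoted in the thread: with or without the
# "ident user" fields between the client address and the timestamp.
LINE = re.compile(
    r'^(?P<client>\S+)(?: \S+ \S+)? \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})\b'
)

# First three entries are the thread's lines, unwrapped. The last two are
# constructed (documentation addresses): a refused CONNECT and a plain GET.
SAMPLE = [
    '213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"',
    '130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"',
    '130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"',
    '192.0.2.10 - - [06/Jun/2003:11:00:00 +0530] "CONNECT 198.51.100.7:25 HTTP/1.0" 405 312',
    '192.0.2.10 - - [06/Jun/2003:11:00:05 +0530] "GET / HTTP/1.0" 200 2347',
]

def triage_connect(lines):
    """Return {client: [(target, status, verdict), ...]} for CONNECT requests."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m is None or m["method"] != "CONNECT":
            continue  # unparsable line or not a tunnel request
        status = int(m["status"])
        port = m["target"].rpartition(":")[2]
        if 200 <= status < 300:
            # 2xx on CONNECT: the server opened the tunnel for the client
            verdict = "relayed to SMTP" if port == "25" else "relayed"
        else:
            verdict = "not relayed"
        findings[m["client"]].append((m["target"], status, verdict))
    return dict(findings)

def relaying_clients(lines):
    """Clients for which at least one CONNECT was answered with 2xx."""
    return sorted(c for c, hits in triage_connect(lines).items()
                  if any(v.startswith("relayed") for _, _, v in hits))

if __name__ == "__main__":
    for client, hits in triage_connect(SAMPLE).items():
        for target, status, verdict in hits:
            print(f"{client:16} {target:22} {status} {verdict}")
```

Any client it reports as relayed means the server acted as a forward proxy for that request, which is the case the reply says to close by disabling proxying or restricting CONNECT.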

