Re: Strange CONNECT entries in apache logs

p00p_at_instable.net
Date: 06/11/03

  • Next message: Darryl Luff: "Re: Strange CONNECT entries in apache logs"
    Date: Tue, 10 Jun 2003 20:48:52 -0400
    To: incidents@securityfocus.com

    I'm afraid I may be at risk for this type of spam-bouncing. After reading a message in this thread, I did a quick 'cat access_log|grep CONNECT' and found out that my server responds with 200. However, I tried using telnet to simulate this request, and it looks as though Apache just sent back my index. I'm pretty confused about this. I'm positive I didn't change any setting regarding proxies, and I find it hard to believe that Apache would come with a default setting allowing use as a proxy.

    Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 PHP/4.3.2
    Everything except Perl itself was built from source.

    I am running this server on RedHat Linux 9.0 with all (or all but one or two in the last day or two) available updates from up2date.

    Can anyone shed any light on this for me please?

    On Tue, Jun 10, 2003 at 04:25:43PM -0700, John Lampe wrote:
    > Also interesting to note that my ISP (COMCAST) seems to be scanning some of
    > their ranges for this same (old) bug. They are either proactive or a bit on
    > the invasive side...
    >
    > 24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 304
    > 24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 310
    >
    > John W. Lampe
    > https://f00dikator.aceryder.com/
    >
    > ----- Original Message -----
    > From: "Stefan Allemann" <sal@team.inter.net>
    > To: "Rajkumar S" <listuser@myrealbox.com>; <incidents@securityfocus.com>
    > Sent: Monday, June 09, 2003 9:55 AM
    > Subject: AW: Strange CONNECT entries in apache logs
    >
    >
    > I find some of these requests in my logs too,
    > on different servers. I think you should have a
    > look at http://www.kb.cert.org/vuls/id/150227
    > for a description of this.
    >
    > My apache server answers with 400 or 405 to these
    > requests. Your server seems to accept these requests
    > (302, 200)!
    >
    > Stefan
    > Inter.net Switzerland
    >
    >
    > > -----Original Message-----
    > > From: Rajkumar S [mailto:listuser@myrealbox.com]
    > > Sent: Friday, 6 June 2003 18:35
    > > To: incidents@securityfocus.com
    > > Subject: Strange CONNECT entries in apache logs
    > >
    > >
    > > Hi,
    > >
    > > While going through my apache logs, I found some logs
    > > indicating CONNECT requests to port 25 of other hosts.
    > >
    > > 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
    > > 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
    > > 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
    > >
    > > I found this on 2 machines in an Indian IP block. Another
    > > server of mine in the US
    > > is not affected by this. Is someone else seeing this? Could this be the
    > > next wave of spam??
    > >
    > > raj
    > >
    >

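A triage pass over the kind of access_log lines quoted in this thread, as an added example (Python 3, not code from any of the posters): it separates CONNECT requests Apache rejected (4xx) from those it answered with 2xx/3xx, and, following the poster's telnet observation, treats a 200 whose byte count equals the plain index page as the default page being served rather than a tunnel. The `index_bytes` value (14409 here) is an assumption; measure it on your own server with a normal GET of `/`.

```python
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<src>\S+)\s+(?:\S+\s+\S+\s+)?'                     # client address, optional identd/user
    r'\[(?P<ts>[^\]]+)\]\s+'                                 # timestamp
    r'"(?P<method>\S+)\s+(?P<target>\S+)(?:\s+HTTP/[\d.]+)?"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)'                  # status and response size
)

def parse_line(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['status'], d['bytes'] = int(d['status']), (0 if d['bytes'] == '-' else int(d['bytes']))
    return d

def classify(entry, index_bytes=None):
    """'rejected' (4xx), 'served_index' (200 exactly the index page's size), 'suspect'
    (other 2xx/3xx: verify by hand whether a tunnel was opened), None if not CONNECT."""
    if entry['method'] != 'CONNECT':
        return None
    if 400 <= entry['status'] < 500:
        return 'rejected'
    if entry['status'] == 200 and entry['bytes'] == index_bytes:
        return 'served_index'
    return 'suspect'

def triage(log_text, index_bytes=None):
    """Count CONNECT verdicts per source and collect suspect targets on port 25 (SMTP)."""
    per_source, smtp_targets = Counter(), []
    for line in log_text.splitlines():
        entry = parse_line(line)
        verdict = classify(entry, index_bytes) if entry else None
        if verdict is None:
            continue
        per_source[(entry['src'], verdict)] += 1
        if verdict == 'suspect' and entry['target'].endswith(':25'):
            smtp_targets.append(entry['target'])
    return per_source, smtp_targets

# Log lines from the thread (identd/user fields normalised), plus one constructed GET of the index.
SAMPLE_LOG = """\
24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 304
213.130.24.192 - - [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
130.94.247.248 - - [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
130.94.247.248 - - [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
192.0.2.10 - - [06/Jun/2003:10:27:00 +0530] "GET / HTTP/1.1" 200 14409 "-" "Mozilla/4.0"
"""
```

Run `triage(SAMPLE_LOG, index_bytes=14409)` to see one rejected scan, one 200 that is just the index, and two entries still needing a manual check.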