Re: Strange CONNECT entries in apache logs

From: OSCAR (oscar7890_at_hotmail.com)
Date: 06/12/03

    Date: Wed, 11 Jun 2003 21:02:16 -0500
    To: incidents@securityfocus.com

    Funny thing is I've got both in the same server log; some are GET /
    default.ida..... 200 some are 404

    No idea why.... no proxies are enabled on that server.

    ...........
    Oscar

    On Wednesday, Jun 11, 2003, at 16:40 America/Lima, Peter Osterberg
    wrote:

    > Not sure but mine always reads
    >
    > 172.185.189.199 - - [11/Jun/2003:22:20:56 +0200] "GET
    > /
    > default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > XXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
    > %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f
    > f%u0078%u0000%u00=a HTTP/1.0" 404 334 "-" "-"
    >
    >
    > At 23:51 2003-06-10 -0500, you wrote:
    >> If 200 is a successful connection, do these lines mean i am in
    >> trouble?...
    >>
    >>
    >> 200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET
    >> /
    >> default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >> XX
    >> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >> XX
    >> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >> XX
    >> XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u
    >> 90
    >> 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u
    >> 00 78%u0000%u00=a HTTP/1.0" 200 -
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET
    >> http://www.nessus.org HTTP/1.0" 200 2347
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE
    >> /thisFiledoesNotexist.html HTTP/1.1" 200 319
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:32:43 -0500] "GET /%2e/ HTTP/1.1" 200
    >> 2347
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:32:48 -0500] "OPTIONS * HTTP/1.0"
    >> 200 -
    >>
    >> 21.10.41.230 0 - - [07/Jun/2003:09:32:16 -0500] "GET
    >> /index.php?page=../../../../../../../../../../../../../../../etc/
    >> passwd
    >> HTTP/1.1" 200 38508
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:32:14 -0500] "GET /?sql_debug=1
    >> HTTP/1.1" 200 2347
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:31:42 -0500] "GET
    >> /////////////////////////////////////////////////////////////////////
    >> //
    >> /////////////////////////////////////////////////////////////////////
    >> //
    >> /////////////////////////////////////////////////////////////////////
    >> //
    >> /////////////////////////////////////////////////////////////////////
    >> //
    >> /////////////////////////////////////////////////////////////////////
    >> // /////////////// HTTP/1.1" 200 2347
    >>
    >> 21.10.41.230 - - [07/Jun/2003:09:31:30 -0500] "GET /?Mode=debug
    >> HTTP/1.1" 200 2347
    >>
    >> 212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0"
    >> 200 0
    >>
    >>
    >>
    >> Thanks.
    >>
    >> -------
    >> Oscar
    >>
    >>
    >>
    >>
    >> On Monday, Jun 9, 2003, at 15:34 America/Lima, Christine Kronberg
    >> wrote:
    >>
    >>> On Fri, 6 Jun 2003, Rajkumar S wrote:
    >>>
    >>>>
    >>>> While going through my apache logs, I found some logs indicating
    >>>> CONNECT
    >>>> requests to port 25 of other hosts.
    >>>>
    >>>> 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25
    >>>> HTTP/1.1" 302 5 "-" "-"
    >>>> 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT
    >>>> 207.44.188.67:25
    >>>> HTTP/1.0" 200 14409 "-" "-"
    >>>> 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25
    >>>> HTTP/1.0" 200 17757 "-" "-"
    >>>>
    >>>> I found this in 2 machines in indian ip block. My another server at
    >>>> US
    >>>> is not affected by this. Some one else seeing this? Could this be
    >>>> the
    >>>> next wave of spam ??
    >>>
    >>> Some people are using your apache as mailrelay. Did you enable
    >>> proxying? Getting a "200" indicates that the connect to those
    >>> mailservers was successful. Make sure that you configure your
    >>> apache not to accept CONNECTs from everywhere to other than
    >>> special ports, if you need proxying at all (if you don't need
    >>> it disable that feature).
    >>> I see people trying to connect to other servers each day, but
    >>> they get an "405" error.
    >>>
    >>> Cheers,
    >>>
    >>>
    >>>
    >>> Chris.
    >>>
    >>> --
    >>> GeNUA mbH
    >>>
    >>>
    >>>
    >>
    >>
    >>
    >>
    >
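The thread turns on reading the status code next to the method: Chris's point is that a 200 on a CONNECT (or on an absolute-URI GET like the www.nessus.org line) means the server actually opened the tunnel or fetched the page for the client, whereas a 404 or 405 means the probe was refused. The script below is an added example, not code from any poster on this list; it parses Apache common/combined log lines, including Rajkumar's shape where the `- -` ident/authuser pair is absent, and classifies the request patterns seen above (CONNECT to :25, forward-proxy requests, default.ida probes, TRACE, traversal, debug parameters), rating each by whether the response was served. The log lines embedded in it are constructed samples modelled on the ones quoted in the thread, with documentation-range addresses instead of the real client IPs.

```python
import re
from collections import Counter

# Apache common/combined log format. The "ident authuser" pair ("- -") is
# optional so that entries logged without it (client IP directly followed by
# the timestamp, as in the CONNECT lines quoted in this thread) still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+)(?:\s+\S+\s+\S+)?\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+HTTP/[\d.]+)?"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\S+)'
)

def parse_line(line):
    """Return a dict with ip, ts, method, target, status (int) and size, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry

def classify(entry):
    """Map one parsed entry to a (category, severity) pair, or None if benign.

    Severity is 'high' only where the status code says the server actually
    served the abusive request; a 3xx/4xx/405 means the probe was refused."""
    method, target, status = entry['method'], entry['target'], entry['status']
    served = 200 <= status < 300
    if method == 'CONNECT':
        # 2xx on CONNECT: a TCP tunnel to target:port was opened for the client.
        # Port 25 targets mean the web server is being used as a mail relay.
        return ('open-proxy CONNECT tunnel', 'high' if served else 'low')
    if target.lower().startswith(('http://', 'https://')):
        # Absolute URI in the request line: a forward-proxy probe.
        return ('forward-proxy request', 'high' if served else 'low')
    if 'default.ida' in target.lower():
        # Code Red-style IIS probe; on Apache a 404 is the expected answer.
        return ('default.ida worm probe', 'medium' if served else 'info')
    if method == 'TRACE':
        return ('TRACE method enabled', 'medium' if served else 'info')
    if '../' in target or '%2e' in target.lower():
        return ('path traversal attempt', 'medium' if served else 'info')
    if 'debug' in target.lower():
        return ('debug parameter probe', 'low' if served else 'info')
    return None

def scan(lines):
    """Yield (entry, category, severity) for every suspicious, parseable line."""
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit:
            yield entry, hit[0], hit[1]

def summarize(lines):
    """Counts per category plus the client IPs that were granted a CONNECT tunnel."""
    counts = Counter()
    relay_clients = set()
    for entry, category, severity in scan(lines):
        counts[category] += 1
        if category == 'open-proxy CONNECT tunnel' and severity == 'high':
            relay_clients.add(entry['ip'])
    return counts, relay_clients

# Constructed sample log (documentation-range IPs), modelled on the thread's entries.
SAMPLE_LOG = """\
192.0.2.10 [06/Jun/2003:08:44:58 +0530] "CONNECT 198.51.100.20:25 HTTP/1.1" 302 5 "-" "-"
192.0.2.11 [06/Jun/2003:10:26:17 +0530] "CONNECT 198.51.100.67:25 HTTP/1.0" 200 14409 "-" "-"
192.0.2.11 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.example.net:25 HTTP/1.0" 200 17757 "-" "-"
192.0.2.12 - - [10/Jun/2003:10:23:21 -0500] "GET /default.ida?XXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 200 -
192.0.2.13 - - [11/Jun/2003:22:20:56 +0200] "GET /default.ida?XXXX%u9090%u6858=a HTTP/1.0" 404 334 "-" "-"
192.0.2.14 - - [07/Jun/2003:09:34:20 -0500] "GET http://www.example.org HTTP/1.0" 200 2347
192.0.2.14 - - [07/Jun/2003:09:32:49 -0500] "TRACE /thisFiledoesNotexist.html HTTP/1.1" 200 319
192.0.2.14 - - [07/Jun/2003:09:32:16 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 38508
192.0.2.14 - - [07/Jun/2003:09:31:30 -0500] "GET /?Mode=debug HTTP/1.1" 200 2347
192.0.2.15 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0
"""

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for entry, category, severity in scan(lines):
        print(f"{severity:6} {entry['ip']:15} {entry['method']:7} {entry['status']} {category}")
    counts, relay = summarize(lines)
    print('clients granted a CONNECT tunnel:', sorted(relay))
```

Run it against a real access_log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; any IP that ends up in the relay set has had mail tunnelled through the server, which is the situation Chris describes. The corresponding fix on the Apache side is the one he gives: turn forward proxying off unless it is needed (in mod_proxy that is the `ProxyRequests Off` setting, which is the default), and if it is needed, restrict which clients and which destination ports CONNECT may reach.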
