Re: Strange CONNECT entries in apache logs
From: OSCAR (oscar7890_at_hotmail.com)
Date: 06/12/03
- Previous message: James C. Slora Jr.: "Re: Help with an odd log file..."
- Maybe in reply to: Rajkumar S: "Strange CONNECT entries in apache logs"
- Next in thread: OSCAR: "Re: Strange CONNECT entries in apache logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 11 Jun 2003 21:02:16 -0500 To: incidents@securityfocus.com
Funny thing is I've got both in the same server log; some are GET /default.ida..... 200, some are 404.
No idea why.... no proxies are enabled on that server.
...........
Oscar
On Wednesday, Jun 11, 2003, at 16:40 America/Lima, Peter Osterberg wrote:
> Not sure but mine always reads
>
> 172.185.189.199 - - [11/Jun/2003:22:20:56 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 334 "-" "-"
>
>
> At 23:51 2003-06-10 -0500, you wrote:
>> If 200 is a successful connection, do these lines mean I am in trouble?...
>>
>>
>> 200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
>>
>> 21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET http://www.nessus.org HTTP/1.0" 200 2347
>>
>> 21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE /thisFiledoesNotexist.html HTTP/1.1" 200 319
>>
>> 21.10.41.230 - - [07/Jun/2003:09:32:43 -0500] "GET /%2e/ HTTP/1.1" 200 2347
>>
>> 21.10.41.230 - - [07/Jun/2003:09:32:48 -0500] "OPTIONS * HTTP/1.0" 200 -
>>
>> 21.10.41.230 - - [07/Jun/2003:09:32:16 -0500] "GET /index.php?page=../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 38508
>>
>> 21.10.41.230 - - [07/Jun/2003:09:32:14 -0500] "GET /?sql_debug=1 HTTP/1.1" 200 2347
>>
>> 21.10.41.230 - - [07/Jun/2003:09:31:42 -0500] "GET ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// HTTP/1.1" 200 2347
>>
>> 21.10.41.230 - - [07/Jun/2003:09:31:30 -0500] "GET /?Mode=debug HTTP/1.1" 200 2347
>>
>> 212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0
>>
>>
>>
>> Thanks.
>>
>> -------
>> Oscar
>>
>>
>>
>>
>> On Monday, Jun 9, 2003, at 15:34 America/Lima, Christine Kronberg wrote:
>>
>>> On Fri, 6 Jun 2003, Rajkumar S wrote:
>>>
>>>>
>>>> While going through my apache logs, I found some logs indicating CONNECT
>>>> requests to port 25 of other hosts.
>>>>
>>>> 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
>>>> 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
>>>> 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
>>>>
>>>> I found this on 2 machines in the Indian IP block. My other server in the US
>>>> is not affected by this. Is anyone else seeing this? Could this be the
>>>> next wave of spam??
>>>
>>> Some people are using your apache as a mail relay. Did you enable
>>> proxying? Getting a "200" indicates that the connect to those
>>> mail servers was successful. Make sure that you configure your
>>> apache not to accept CONNECTs from everywhere to other than
>>> special ports, if you need proxying at all (if you don't need
>>> it, disable that feature).
>>> I see people trying to connect to other servers each day, but
>>> they get a "405" error.
>>>
>>> Cheers,
>>>
>>>
>>>
>>> Chris.
>>>
>>> --
>>> GeNUA mbH
>>>
>>>
>>>
>>
>>
>>
>>
>
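The thread's advice boils down to one rule: a CONNECT (or absolute-URI GET) that the server answers with 200 means the request was proxied, while 405/403 or a 404 for default.ida means it was not. The following triage script is an added example, not code from the thread or from any of the posters; it parses both log layouts seen above (combined format with the two "-" fields, and the shorter form in the original CONNECT entries), classifies each line the way Chris's reply does, and applies one extra check a practitioner would want: an absolute-URI request that returns exactly the same byte count as the server's own front page was served locally, not proxied. The sample lines are constructed from the ones posted in the thread with the default.ida query string shortened, and the 2347-byte front-page size is taken from the 200 responses for "/" in Oscar's log.

```python
"""Triage Apache access-log lines for open-proxy abuse and scanner probes.

Added example (not from the thread). Parses the common/combined format
(ip - - [ts] "req" status size ...) and the variant without the
ident/user fields that the original CONNECT entries use.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+)(?:\s+\S+\s+\S+)?\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<req>[^"]*)"\s+(?P<status>\d{3})\s+(?P<size>\S+)'
)

# Constructed sample lines modelled on the thread (default.ida query shortened).
SAMPLE_LOG = """\
213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
172.185.189.199 - - [11/Jun/2003:22:20:56 +0200] "GET /default.ida?XXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 334 "-" "-"
200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET /default.ida?XXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 200 -
21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET http://www.nessus.org HTTP/1.0" 200 2347
21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE /thisFiledoesNotexist.html HTTP/1.1" 200 319
21.10.41.230 - - [07/Jun/2003:09:32:16 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 38508
21.10.41.230 - - [07/Jun/2003:09:32:14 -0500] "GET /?sql_debug=1 HTTP/1.1" 200 2347
212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0
"""


def parse_line(line):
    """Return ip/method/target/status/size for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    if len(parts) < 2:          # request line without a target, e.g. a bare method
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "method": parts[0].upper(),
        "target": parts[1],
        "status": int(m.group("status")),
        "size": int(size) if size.isdigit() else None,   # "-" means no body
    }


def classify(rec, local_index_size=None):
    """Map one record to (severity, finding), or None for ordinary traffic.

    local_index_size: byte count the server returns for GET /; used to tell a
    proxied absolute-URI fetch from Apache answering with its own front page.
    """
    method, target, status = rec["method"], rec["target"], rec["status"]
    if method == "CONNECT":
        _host, _, port = target.rpartition(":")
        if status == 200:       # tunnel established: the server acted as a proxy
            what = "SMTP relay through open proxy" if port == "25" else "CONNECT tunnel established"
            return ("HIGH", f"{what} to {target}")
        return ("INFO", f"CONNECT to {target} refused (status {status})")
    if target.startswith(("http://", "https://")):
        if status != 200:
            return ("INFO", f"absolute-URI request {target} refused (status {status})")
        if local_index_size is not None and rec["size"] == local_index_size:
            return ("LOW", f"absolute-URI request {target} answered with local front page, not proxied")
        return ("HIGH", f"absolute-URI request {target} got 200: verify the server is not an open proxy")
    if target.startswith("/default.ida"):
        if status == 404:
            return ("LOW", "Code Red-style default.ida probe, not served (404)")
        return ("MEDIUM", f"Code Red-style default.ida probe answered {status}: check which handler answered")
    if method == "TRACE" and status == 200:
        return ("MEDIUM", "TRACE method enabled")
    if "../" in target or "/etc/passwd" in target:
        if status == 200:
            return ("HIGH", f"path traversal probe answered 200 ({rec['size']} bytes): inspect the response body")
        return ("LOW", f"path traversal probe refused (status {status})")
    if method == "OPTIONS" or "debug" in target.lower() or "%2e" in target.lower():
        return ("LOW", f"scanner probe {method} {target}")
    return None


def triage(log_text, local_index_size=None):
    """Classify every line; return a list of (ip, severity, finding)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec, local_index_size)
        if hit:
            findings.append((rec["ip"], hit[0], hit[1]))
    return findings


def per_source(findings):
    """Count findings per source IP."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    for ip, sev, msg in triage(SAMPLE_LOG, local_index_size=2347):
        print(f"{sev:6} {ip:16} {msg}")
```

Run against Oscar's own lines this marks the two CONNECT 200 entries from 130.94.247.248 as the real relay problem, and downgrades the "GET http://www.nessus.org" 200 because its 2347 bytes match the other 200 responses for "/" in the same log (Apache served its own index page, it did not fetch nessus.org). The 404 for default.ida is the normal answer from a server that has no such file; a 200 for it is worth a look at whatever catch-all handler produced it, but it is not a Code Red compromise of Apache. On the Apache side, the fix Chris describes is `ProxyRequests Off` when forward proxying is not needed, and otherwise restricting `AllowCONNECT` to the ports you really tunnel.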