Re: Strange CONNECT entries in apache logs

sgaskins_at_interserv.com
Date: 07/10/03

  • Next message: Jake Babbin: "Re: P2P Networking and port 3531"
    Date: 10 Jul 2003 01:52:17 -0000
    To: incidents@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <3EE8EBFE.2050102@obscure.dk>

    I just saw the same kind of entry in my apache log:

    172.150.203.171 - - [09/Jul/2003:17:58:00 -0400] "CONNECT
    INBOUND.LEADSOURCE.CC.VERISIGNMAIL.NET:25 HTTP/1.0" 405 1014 "-" "-"
    172.150.203.171 - - [09/Jul/2003:17:58:00 -0400] "POST
    http://172.150.203.171:25/ HTTP/1.1" 200 781 "-" "-"

    The interesting item that is new here is that the subsequent line after
    the failed CONNECT entry is a 'POST' entry going back to the same IP addr
    (which BTW happens to fall into .ipt.aol.com according to visualroute)
    back to port 25. I am more concerned now because this POST request was
    status '200' (successful?). What could have been posted back to this
    guy's site?

    Thanks,
    Scott Gaskins

    >Mike Blomgren wrote:
    >> Comments below.
    >>
    >>
    >>>-----Original Message-----
    >>>From: Thomas Jensen [mailto:securityfocus@obscure.dk]
    >>>Sent: den 11 juni 2003 09:53
    >>>To: incidents@securityfocus.com
    >>>Subject: Re: Strange CONNECT entries in apache logs
    >>>
    >
    >>>I just looked in my logs and found the same (CONNECT with a
    >>>200 code). However it might not be the problem it seems to
    >>>be. I tried connecting
    >>>with telnet and execute a CONNECT command - the result was a 200 code
    >>>and the output of my own /index.php page.
    >>>I have found several references to this being a PHP4 bug, which can
    >>>happen when you have an index.php file and a DirectoryIndex index.php
    >>>directive in you Apache conf.
    >>
    >> This behaviour can occur if there is a 'redirect' from a non-existent
    >> file, to an errorpage. The webserver should return a 404 status, since
    >> the request was made to a non-existing page, but the actual 'error
    page'
    >> exists and thus returns 200 status. A very common problem on IIS
    servers
    >> - however seemingly not the case here. The issue is none the less
    >> important to resolve for several reasons: 1) Not falsely attract scum
    >> such as proxy and spam-relayers, 2) Update indexes of search engines.
    >
    >Hmm, personally I don't mind that a few scumbag spammers thinks that
    >they can spam thru my server - as long as they can't ;-)
    >A matter of taste I guess.
    >
    >Regarding (2), I don't think a search engine would try a CONNECT request.
    >
    >For anyone interested in testing their own servers, I use these few
    >lines of python code:
    >
    >import socket
    >s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    >s.connect(('localhost', 80))
    >s.send('CONNECT www.nonexistant.abc:80 HTTP/1.0\r\n\r\n')
    >print s.recv(10240)
    >
    >Replace 'localhost' as appropriate for your configuration.
    >
    >Best regards
    >Thomas Jensen
    >
    >
    >-------------------------------------------------------------------------

    ---
    >-------------------------------------------------------------------------
    ---
    >
    >
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
    world's premier technical IT security event! 10 tracks, 15 training sessions, 
    1,800 delegates from 30 nations including all of the top experts, from CSO's to 
    "underground" security specialists.  See for yourself what the buzz is about!  
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
    

  • Next message: Jake Babbin: "Re: P2P Networking and port 3531"