Re: Strange CONNECT entries in apache logs

sgaskins_at_interserv.com
Date: 07/10/03

    Date: 10 Jul 2003 01:52:17 -0000
    To: incidents@securityfocus.com
    
    
    In-Reply-To: <3EE8EBFE.2050102@obscure.dk>

    I just saw the same kind of entry in my apache log:

    172.150.203.171 - - [09/Jul/2003:17:58:00 -0400] "CONNECT INBOUND.LEADSOURCE.CC.VERISIGNMAIL.NET:25 HTTP/1.0" 405 1014 "-" "-"
    172.150.203.171 - - [09/Jul/2003:17:58:00 -0400] "POST http://172.150.203.171:25/ HTTP/1.1" 200 781 "-" "-"

    The interesting item that is new here is that the subsequent line after
    the failed CONNECT entry is a 'POST' entry going back to the same IP addr
    (which BTW happens to fall into .ipt.aol.com according to visualroute)
    back to port 25. I am more concerned now because this POST request was
    status '200' (successful?). What could have been posted back to this
    guy's site?

    Thanks,
    Scott Gaskins

    >Mike Blomgren wrote:
    >> Comments below.
    >>
    >>
    >>>-----Original Message-----
    >>>From: Thomas Jensen [mailto:securityfocus@obscure.dk]
    >>>Sent: den 11 juni 2003 09:53
    >>>To: incidents@securityfocus.com
    >>>Subject: Re: Strange CONNECT entries in apache logs
    >>>
    >>>I just looked in my logs and found the same (CONNECT with a
    >>>200 code). However it might not be the problem it seems to
    >>>be. I tried connecting with telnet and executing a CONNECT
    >>>command - the result was a 200 code and the output of my own
    >>>/index.php page.
    >>>I have found several references to this being a PHP4 bug, which can
    >>>happen when you have an index.php file and a DirectoryIndex index.php
    >>>directive in your Apache conf.
    >>
    >> This behaviour can occur if there is a 'redirect' from a non-existent
    >> file, to an errorpage. The webserver should return a 404 status, since
    >> the request was made to a non-existing page, but the actual 'error page'
    >> exists and thus returns 200 status. A very common problem on IIS servers
    >> - however seemingly not the case here. The issue is none the less
    >> important to resolve for several reasons: 1) Not falsely attract scum
    >> such as proxy and spam-relayers, 2) Update indexes of search engines.
    >
    >Hmm, personally I don't mind that a few scumbag spammers think that
    >they can spam thru my server - as long as they can't ;-)
    >A matter of taste I guess.
    >
    >Regarding (2), I don't think a search engine would try a CONNECT request.
    >
    >For anyone interested in testing their own servers, I use these few
    >lines of python code:
    >
    >import socket
    >s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    >s.connect(('localhost', 80))
    ># Python 3: sockets send and receive bytes
    >s.sendall(b'CONNECT www.nonexistant.abc:80 HTTP/1.0\r\n\r\n')
    >print(s.recv(10240).decode('latin-1'))
    >s.close()
    >
    >Replace 'localhost' as appropriate for your configuration.
    >
    >Best regards
    >Thomas Jensen
    >
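
Added example (not part of the original thread): a small log filter that picks out proxy-style requests like the two entries quoted above, CONNECT and absolute-URI targets, and separates refused attempts from 2xx responses that still need a manual check. The function names and the third sample line are constructed for illustration.

```python
import re

# Apache common/combined log format, matched up to the byte count.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)
# Absolute-URI request target, e.g. http://host:25/ (what a forward proxy receives).
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://(?P<host>[^/:]+)(?::(?P<port>\d+))?', re.I)

def proxy_target(method, target):
    """Return (host, port) when the request asks the server to act as a proxy."""
    if method == "CONNECT":                      # authority form: host:port
        host, _, port = target.rpartition(":")
        return (host.lower(), int(port)) if host and port.isdigit() else (target.lower(), None)
    m = ABS_URI_RE.match(target)
    if m:
        return (m["host"].lower(), int(m["port"]) if m["port"] else None)
    return None

def classify(line):
    """Return a finding dict for proxy-style requests, None for ordinary ones."""
    m = LOG_RE.match(line)
    tgt = proxy_target(m["method"], m["target"]) if m else None
    if tgt is None:
        return None
    status = int(m["status"])
    if 200 <= status < 300:
        verdict = "verify"      # 2xx may be a local page served for the odd request
    elif status >= 400:
        verdict = "refused"
    else:
        verdict = "other"
    return {"client": m["client"], "method": m["method"], "host": tgt[0],
            "port": tgt[1], "smtp": tgt[1] == 25, "status": status, "verdict": verdict}

SAMPLE = [
    # The two entries quoted in the message above.
    '172.150.203.171 - - [09/Jul/2003:17:58:00 -0400] "CONNECT INBOUND.LEADSOURCE.CC.VERISIGNMAIL.NET:25 HTTP/1.0" 405 1014 "-" "-"',
    '172.150.203.171 - - [09/Jul/2003:17:58:00 -0400] "POST http://172.150.203.171:25/ HTTP/1.1" 200 781 "-" "-"',
    # Constructed ordinary request, for contrast.
    '192.0.2.10 - - [09/Jul/2003:18:01:12 -0400] "GET /index.php HTTP/1.0" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

A "verify" result only means the server answered 2xx; whether it relayed anything is settled by sending the test request from the quoted reply to your own server and reading what comes back.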