subject: (Fwd) Re: Strange CONNECT entries in apache logs
posted: Wed, 11 Jun 2003 23:13:50 +0100


on Apache as a mail relay..

------- Forwarded message follows -------
Date sent: Tue, 10 Jun 2003 23:51:49 -0500
Subject: Re: Strange CONNECT entries in apache logs
From: OSCAR <[email protected]>
To: BBDO Perú Lima <[email protected]>


If 200 is a successful connection, do these lines mean I am in
trouble?...


200.48.211.58 - - [10/Jun/2003:10:23:21 -0500] "GET
/
default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90
90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a HTTP/1.0" 200 -

21.10.41.230 - - [07/Jun/2003:09:34:20 -0500] "GET
http://www.nessus.org HTTP/1.0" 200 2347

21.10.41.230 - - [07/Jun/2003:09:32:49 -0500] "TRACE
/thisFiledoesNotexist.html HTTP/1.1" 200 319

21.10.41.230 - - [07/Jun/2003:09:32:43 -0500] "GET /%2e/ HTTP/1.1" 200
2347

21.10.41.230 - - [07/Jun/2003:09:32:48 -0500] "OPTIONS * HTTP/1.0" 200 -

21.10.41.230 0 - - [07/Jun/2003:09:32:16 -0500] "GET
/index.php?page=../../../../../../../../../../../../../../../etc/passwd
HTTP/1.1" 200 38508

21.10.41.230 - - [07/Jun/2003:09:32:14 -0500] "GET /?sql_debug=1
HTTP/1.1" 200 2347

21.10.41.230 - - [07/Jun/2003:09:31:42 -0500] "GET
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
/////////////// HTTP/1.1" 200 2347

21.10.41.230 - - [07/Jun/2003:09:31:30 -0500] "GET /?Mode=debug
HTTP/1.1" 200 2347

212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0



Thanks.

-------
Oscar




On Monday, Jun 9, 2003, at 15:34 America/Lima, Christine Kronberg wrote:

> On Fri, 6 Jun 2003, Rajkumar S wrote:
>
>>
>> While going through my apache logs, I found some logs indicating
>> CONNECT requests to port 25 of other hosts.
>>
>> 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25
>> HTTP/1.1" 302 5 "-" "-"
>> 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25
>> HTTP/1.0" 200 14409 "-" "-"
>> 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25
>> HTTP/1.0" 200 17757 "-" "-"
>>
>> I found this on 2 machines in an Indian IP block. My other server in the US
>> is not affected by this. Is someone else seeing this? Could this be the
>> next wave of spam ??
>
> Some people are using your apache as mailrelay. Did you enable
> proxying? Getting a "200" indicates that the connect to those
> mailservers was successful. Make sure that you configure your
> apache not to accept CONNECTs from everywhere to other than
> special ports, if you need proxying at all (if you don't need
> it disable that feature).
> I see people trying to connect to other servers each day, but
> they get a "405" error.
>
> Cheers,
>
>
>
> Chris.
>
> --
> GeNUA mbH
>
>
>
>



------- End of forwarded message -------

---
* Origin: [adminz] tech, security, support (192.168.0.2)
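
The log check discussed in the quoted reply, as an added example that is not part of the original thread: a Python script that pulls CONNECT requests out of Apache access-log lines and reports which clients received a 2xx status for a tunnel to port 25. The regex, the function names and the 405 sample line are assumptions made for this example; the other sample lines are the ones quoted in the thread, with the mail wrapping undone.

```python
import re
from collections import defaultdict

# Tolerates both layouts seen in the thread: 'ip [time] "request" status ...'
# and common log format 'ip - - [time] "request" status size'.
LINE_RE = re.compile(
    r'^(?P<client>\S+)[^\[]*\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)[^"]*"\s+(?P<status>\d{3})\b'
)

def find_connect_requests(lines):
    """Return one dict per CONNECT request found in the log lines."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("method") != "CONNECT":
            continue
        host, _, port = m.group("target").rpartition(":")
        status = int(m.group("status"))
        hits.append({
            "client": m.group("client"),
            "host": host or m.group("target"),
            "port": int(port) if host and port.isdigit() else None,
            "status": status,
            # 2xx: the server opened the tunnel; any other status: no tunnel
            "relayed": 200 <= status < 300,
        })
    return hits

def relayed_smtp(hits, smtp_ports=(25,)):
    """Map each client to the mail servers it reached through this server."""
    by_client = defaultdict(list)
    for h in hits:
        if h["relayed"] and h["port"] in smtp_ports:
            by_client[h["client"]].append(f'{h["host"]}:{h["port"]}')
    return dict(by_client)

SAMPLE_LOG = [
    '213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"',
    '130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"',
    '130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"',
    # Constructed line: a server with proxying disabled answering 405.
    '192.0.2.10 - - [06/Jun/2003:11:00:00 +0530] "CONNECT mail.example.org:25 HTTP/1.0" 405 312',
    '212.253.114.134 - - [17/May/2003:15:34:11 -0500] "HEAD / HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for client, targets in relayed_smtp(find_connect_requests(SAMPLE_LOG)).items():
        print(f"{client} relayed to: {', '.join(targets)}")
```
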
