Received: (from majordom@localhost)
    by hyperreal.com (8.8.5/8.8.5) id KAA10309;
    Mon, 2 Jun 1997 10:36:55 -0700 (PDT)
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193])
    by hyperreal.com (8.8.5/8.8.5) with SMTP id KAA10210;
    Mon, 2 Jun 1997 10:36:07 -0700 (PDT)
Received: from gonzo.ben.algroup.co.uk (gonzo.ben.algroup.co.uk [193.133.15.1])
    by eastwood.aldigital.algroup.co.uk (8.6.12/8.6.12) with SMTP id RAA09086;
    Mon, 2 Jun 1997 17:34:22 GMT
Subject: Re: Security problem ?
To: new-httpd@apache.org
Date: Mon, 2 Jun 1997 18:23:04 +0100 (BST)
From: Ben Laurie
Cc: cjcason@mail.oaks.com.au, new-httpd@hyperreal.com
In-Reply-To: from "Rob Hartill" at Jun 2, 97 02:53:52 pm
X-Mailer: ELM [version 2.4 PL24 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID: <9706021823.aa04297@gonzo.ben.algroup.co.uk>
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Rob Hartill wrote:
> On Mon, 2 Jun 1997, Chris Cason wrote:
> > 00 6D 61 6E 68 61 74 74 61-6E 2E 74 68 69 72 64 77 manhattan.thirdw
> > 10 61 76 65 2E 6E 65 74 20-2D 20 2D 20 5B 30 31 2F ave.net - - [01/
> > 20 4A 75 6E 2F 31 39 39 37-3A 31 32 3A 33 38 3A 31 Jun/1997:12:38:1
> > 30 36 20 2D 30 37 30 30 5D-20 22 FF FA 25 03 72 6F 6 -0700] "..%.ro
> > 40 6F 74 FF F0 3F 22 20 34-30 30 20 2D 20 22 2D 22 ot..?" 400 - "-"
> > 50 20 22 2D 22 0A 6D 61 6E-68 61 74 74 61 6E 2E 74  "-".manhattan.t
> > 60 68 69 72 64 77 61 76 65-2E 6E 65 74 20 2D 20 2D hirdwave.net - -
> > 70 20 5B 30 31 2F 4A 75 6E-2F 31 39 39 37 3A 31 32  [01/Jun/1997:12
> > 80 3A 35 35 3A 32 39 20 2D-30 37 30 30 5D 20 22 FF :55:29 -0700] ".
> > 90 FA 25 03 72 6F 6F 74 FF-F0 68 65 6C 6C 6F 22 20 .%.root..hello"
> > A0 34 30 30 20 2D 20 22 2D-22 20 22 2D 22 0A 90 0E 400 - "-" "-"...

This looks vaguely like the effect you might get when connecting a telnet
to port 80 - the high bit set stuff would be the telnet trying to set modes
and stuff. I'd have to check the telnet RFC to be sure, though.

Note: many telnets don't attempt to set modes'n'stuff until the far end
does, which is why you get to use them at all to connect to "raw" ports.

Cheers,

Ben.

--
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
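
Added example, not part of the original message or of Apache: a Python decoder that checks whether the high-bit bytes in a logged request line parse as Telnet option negotiation, run over the two request strings copied from the quoted dump. The function names are hypothetical; the command and option values are the standard Telnet ones (IAC, SB, SE from RFC 854, option 37 AUTHENTICATION with its NAME subcommand).

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0     # Telnet command bytes (RFC 854)
NEGOTIATE = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
OPT_AUTHENTICATION = 0x25          # Telnet option 37
AUTH_SUBCMDS = {0: "IS", 1: "SEND", 2: "REPLY", 3: "NAME"}

def decode_telnet(data: bytes):
    """Split bytes into (events, residue): Telnet commands found, plus leftover payload."""
    events, residue, i = [], bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC or i + 1 >= len(data):
            residue.append(b)
            i += 1
            continue
        cmd = data[i + 1]
        if cmd == IAC:                       # escaped literal 0xFF
            residue.append(IAC)
            i += 2
        elif cmd in NEGOTIATE and i + 2 < len(data):
            events.append((NEGOTIATE[cmd], data[i + 2], b""))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1 or end < i + 3:     # unterminated or empty: keep as payload
                residue.extend(data[i:])
                break
            events.append(("SB", data[i + 2], data[i + 3:end]))
            i = end + 2
        else:                                # any other two-byte command
            events.append((f"CMD_{cmd:#04x}", None, b""))
            i += 2
    return events, bytes(residue)

def describe(event):
    """Render one event; only the AUTHENTICATION subnegotiation is decoded by name."""
    kind, opt, body = event
    if kind == "SB" and opt == OPT_AUTHENTICATION and body:
        sub = AUTH_SUBCMDS.get(body[0], hex(body[0]))
        return f"SB AUTHENTICATION {sub} {body[1:].decode('ascii', 'replace')!r}"
    return f"{kind} option={opt}"

# Request bytes copied from the two log entries in the quoted dump.
SAMPLES = [bytes.fromhex("fffa2503726f6f74fff03f"),
           bytes.fromhex("fffa2503726f6f74fff068656c6c6f")]

if __name__ == "__main__":
    for raw in SAMPLES:
        events, rest = decode_telnet(raw)
        print([describe(e) for e in events], rest)
```

Both logged requests decode as one complete subnegotiation followed by typed text ("?" and "hello"), which is what a Telnet client connected to the HTTP port would send.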