httpd-users mailing list archives

From andre.powroz...@belgacom.be
Subject RE: access & error logs -- attempted crack?
Date Tue, 16 Jul 2002 07:21:12 GMT
I think this comes from somebody who wants to connect to Lania D'Agostino Studios (Mannequin
Service Company) through your computer - anonymously.

The connect method starts a communication between a client and a server during which both
the client and the server may communicate at any time. For example, a proxy should simply
connect to the destination and let the client and the server tell what they want (from my
personal, but not rigorous experience).

Greetings,

André POWROZNIK

-----Original Message-----
From: Robert Andersson [mailto:robert@profundis.nu]
Sent: 15 July 2002 08:12
To: users@httpd.apache.org
Subject: Re: access & error logs -- attempted crack?


Sorry for not replying sooner. The 6667 stuff does really puzzle me, and I
doubt I will be able to give you any answer.
What we see is, that something (on 207.114.6.10) connected to yourip:80 and
sent Apache a request like:
"CONNECT 207.114.6.11:6667 HTTP/1.0"

where you would normally see something like:
"GET /folder/file.html HTTP/1.1"

Apache naturally responds with a 405 - Method Not Allowed, where the method
would be "CONNECT". I have really no idea why anyone would be doing this,
but I'm somewhat sure it has nothing to do with the other (CodeRed) log
lines. I don't think there is a CONNECT method in the HTTP standard; I'm not
certain but almost. I should go look it up, but too lazy right now ;-).
Anyway, I don't think you need to worry about that one either.

Regards,
Robert Andersson


----- Original Message -----
From: "Gary Turner" <kk5st@swbell.net>
To: <users@httpd.apache.org>; "Robert Andersson" <robert@profundis.nu>
Sent: Thursday, July 11, 2002 9:35 PM
Subject: Re: access & error logs -- attempted crack?


> On Thu, 11 Jul 2002 10:44:43 +0200, Robert Andersson wrote:
>
> >Looks like CodeRed or similar clone, which try to exploit a buffer overflow
> >in MS IIS. It's now known that Apache (<1.3.26 && <2.0.39) has a similar
> >bug, but I don't know how such an attack would look like. But these log
> >entries are certainly intended for IIS.
>
> Thanks to both Robert and Stephen for timely, helpful answers.  I knew
> there was a reason to run Linux :)
>
> On the other access.log entry,
>
> 207.114.6.10 - - [10/Jul/2002:21:32:02 -0500] "CONNECT 207.114.6.11:6667 HTTP/1.0" 405 307 "-" "-"
>
> can anyone explain this?  IRC port?
> --
> gt
> It ain't so much what you don't know that gets you in trouble---
> it's what you do know that ain't so.--unk
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


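Added example, not part of the original messages: a small scan of Apache access-log lines for CONNECT requests like the one quoted in the thread, separating requests the server refused (such as the 405 above) from any it answered with a 2xx status. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import namedtuple

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# CONNECT targets are written as host:port (IPv6 literals in brackets).
TARGET_RE = re.compile(r'^(?P<host>\[[0-9A-Fa-f:.]+\]|[^:/\s]+):(?P<port>\d{1,5})$')

Finding = namedtuple("Finding", "client time host port status verdict")

def classify(status):
    """2xx: the server did not refuse and may have relayed the connection."""
    return "accepted" if 200 <= status < 300 else "refused"

def find_connect_attempts(lines):
    """Return one Finding per CONNECT request found in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        t = TARGET_RE.match(m.group("target"))
        host = t.group("host") if t else m.group("target")
        port = int(t.group("port")) if t else None
        status = int(m.group("status"))
        findings.append(Finding(m.group("client"), m.group("time"),
                                host, port, status, classify(status)))
    return findings

SAMPLE = [
    # Log line quoted in the thread:
    '207.114.6.10 - - [10/Jul/2002:21:32:02 -0500] "CONNECT 207.114.6.11:6667 HTTP/1.0" 405 307 "-" "-"',
    # Constructed lines using documentation address ranges:
    '192.0.2.7 - - [10/Jul/2002:21:40:11 -0500] "GET /folder/file.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [10/Jul/2002:22:01:45 -0500] "CONNECT 203.0.113.5:6667 HTTP/1.0" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for f in find_connect_attempts(SAMPLE):
        print(f"{f.time} {f.client} -> {f.host}:{f.port} status={f.status} {f.verdict}")
```

An "accepted" result is the one to follow up on: check whether forward proxying (mod_proxy's `ProxyRequests`) is enabled when it should not be.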