From: "James - TheyWill.com, Inc."
Date: Sun, 3 Nov 2002 16:41:32 -0500
Subject: RE: [users@httpd] Strange, Disconcerting Access Log Entries

> This specification reserves the method name CONNECT
> for use with a proxy that can dynamically switch to being a tunnel
> (e.g. SSL tunneling [44]).
>
> My guess is, that somebody is abusing your Apache
> server to forward/tunnel connections to a SMTP-server.

My guess was that they were using Apache as some kind of proxy to find open SMTP ports, but I had never heard of such a weakness/technique.

> This is probably to send SPAM.

Just for everyone's comfort, I did block the connecting IP block from Apache and other server services.

> If you have been hacked or not is a good question.

All of the content on the site is intact and as expected. The server load is not high at all, and there doesn't appear to be anything "extra" running.
Further, again, the server messages log indicates that everything is quiet. I've also had Verio technicians, the VPS vendor, take a look and although they didn't seem to know what's up with the log entries, I was assured that nothing was hacked.

> But since you don't seem to really know what CONNECT
> is/means, it could also be that your server is not
> properly configured.

You are so right. If you don't know everything there is to know about Apache, your server could be misconfigured.

> Keep us informed! Never seen such a case/report, but
> also never figured that a spammer could abuse Apache
> like this.

I guess I'm not alone. I appreciate the assistance.

Sincerely,

James, james@theywill.com
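
The log review discussed in this message, as an added example that is not part of the original e-mail or of the Apache project: a Python scan of access-log lines for CONNECT requests that separates tunnel requests the server answered with success from ones it refused, and picks out those aimed at SMTP (port 25). The log lines are constructed samples using documentation addresses, and the function names `find_connect_requests` and `summarize` are assumptions of this example.

```python
import re

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not taken from the original thread).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Nov/2002:15:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [03/Nov/2002:15:04:40 -0500] "CONNECT mail.example.com:25 HTTP/1.0" 200 -
198.51.100.7 - - [03/Nov/2002:15:04:42 -0500] "CONNECT mx.example.net:25 HTTP/1.0" 405 312
203.0.113.5 - - [03/Nov/2002:15:09:03 -0500] "CONNECT shop.example.org:443 HTTP/1.1" 403 289
"""

def find_connect_requests(log_text):
    """Return one dict per CONNECT request: client, host, port, status, accepted."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        # CONNECT targets are "host:port"; split on the last colon.
        host, _, port = m.group("target").rpartition(":")
        status = int(m.group("status"))
        findings.append({
            "client": m.group("client"),
            "host": host or m.group("target"),
            "port": int(port) if host and port.isdigit() else None,
            "status": status,
            # 2xx: the server answered the tunnel request with success.
            "accepted": 200 <= status < 300,
        })
    return findings

def summarize(findings):
    """Return (accepted CONNECTs, accepted CONNECTs whose target port is 25)."""
    accepted = [f for f in findings if f["accepted"]]
    smtp = [f for f in accepted if f["port"] == 25]
    return accepted, smtp

if __name__ == "__main__":
    for f in find_connect_requests(SAMPLE_LOG):
        verdict = "ACCEPTED" if f["accepted"] else "refused"
        print(f'{f["client"]} -> {f["host"]}:{f["port"]} status={f["status"]} {verdict}')
```

A 2xx status on a CONNECT line is a lead to check against the server's proxy configuration, not proof on its own that mail was relayed.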