httpd-users mailing list archives

From "Bryan Lipscy" <x4272796...@monroe.net>
Subject RE: [users@httpd] Strange log entries...
Date Fri, 04 Apr 2003 16:50:57 GMT
Slackware 8.1
Apache 1.3.27
PHP 4.3.0
No proxy

Working on running chkrootkit
CONNECT is not defined in my httpd.conf file.

-----Original Message-----
From: Jeremy D. Weiss [mailto:jdweiss@chanweiss.com] 
Sent: Friday, April 04, 2003 8:36 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Strange log entries...


At 08:25 AM 04/04/2003 -0800, you wrote:
>Encountered a few strange new log entries on my Apache 1.3.27 web 
>server.  Nothing significant popped up on google, in the docs or 
>archives about any of these.  Can someone please enlighten me about 
>these log entries and what the client is attempting to accomplish?  Is 
>this something to be concerned about?
>
>The IP is registered to CyberAngels B.V. in the Netherlands.
>
>LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>
>217.21.114.155 - - [03/Apr/2003:16:14:29 -0800] "\x04\x01" 501 - "-" "-"
>217.21.114.155 - - [03/Apr/2003:16:14:49 -0800] "\x05\x01" 501 - "-" "-"
>217.21.114.155 - - [03/Apr/2003:16:14:51 -0800] "CONNECT 207.46.181.13:25 HTTP/1.1" 405 314 "-" "-"

I don't know about the first two (sending hex 4 hex 1? the only thing I
can think of is that someone is trying to test to see if your server has
certain capabilities...or maybe they just want to see an error message,
to know what server/version you're running).  The reason I react that
paranoidly (is that a word? :) is the third entry.  Basically, someone
is trying to connect to the smtp port of smtp-gw-4.msn.com
(207.46.181.13) through your server.  The only reason I can think of to
do such a thing would be to send spam, without it being able to be
traced back to the original IP...as far as the smtp server is concerned,
the mail would come from your IP...that is, of course, assuming you have
CONNECT enabled for Apache... that, I'm not sure of.

==Jeremy 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
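
Added example, not part of the original thread and not Apache project code: a log check for the three request shapes quoted above. The first two strings match the opening bytes of a SOCKS4 CONNECT request and a SOCKS5 greeting, and the third is an HTTP CONNECT, so all three are open-proxy probes; the function names classify and scan are hypothetical, and the sample is the thread's three entries re-split one per line.

```python
import re
from collections import defaultdict

# Constructed sample: the three entries quoted in the thread, one per line.
SAMPLE_LOG = r'''217.21.114.155 - - [03/Apr/2003:16:14:29 -0800] "\x04\x01" 501 - "-" "-"
217.21.114.155 - - [03/Apr/2003:16:14:49 -0800] "\x05\x01" 501 - "-" "-"
217.21.114.155 - - [03/Apr/2003:16:14:51 -0800] "CONNECT 207.46.181.13:25 HTTP/1.1" 405 314 "-" "-"
'''

# Leading fields of the "combined" LogFormat; %r may contain \xHH escapes.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) ')
CONNECT_RE = re.compile(r'^CONNECT (?P<target>\S+?):(?P<port>\d+) HTTP/\d\.\d$')


def classify(req):
    """Return (kind, detail) if the logged request line is a proxy probe, else None."""
    if req.startswith(r'\x04\x01'):
        return ('socks4-connect', None)   # SOCKS4: version 4, command 1 (CONNECT)
    if req.startswith(r'\x05'):
        return ('socks5-greeting', None)  # SOCKS5: version 5, then auth-method count
    m = CONNECT_RE.match(req)
    if m:
        return ('http-connect', (m['target'], int(m['port'])))
    return None


def scan(log_text):
    """Group probe findings by client address; 'accepted' marks a 2xx response."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hit = classify(m['req']) if m else None
        if hit:
            status = int(m['status'])
            findings[m['host']].append({'kind': hit[0], 'detail': hit[1],
                                        'status': status,
                                        'accepted': 200 <= status < 300})
    return dict(findings)


if __name__ == '__main__':
    for host, hits in scan(SAMPLE_LOG).items():
        for h in hits:
            verdict = 'ACCEPTED' if h['accepted'] else 'refused'
            print(host, h['kind'], h['detail'], h['status'], verdict)
```

On the thread's entries every probe is reported as refused (501, 501, 405); a 2xx status on an http-connect finding is the case that needs immediate attention, since it means the server tunnelled the connection.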

