httpd-users mailing list archives

From Benjamin Krueger <benja...@seattlefenix.net>
Subject Re: [users@httpd] Strange log entries...
Date Fri, 04 Apr 2003 16:45:36 GMT
* Jeremy D. Weiss (jdweiss@chanweiss.com) [030404 08:31]:
> At 08:25 AM 04/04/2003 -0800, you wrote:
> >Encountered a few strange new log entries on my Apache 1.3.27 web
> >server.  Nothing significant popped up on google, in the docs or
> >archives about any of these.  Can someone please enlighten me about
> >these log entries and what the client is attempting to accomplish?  Is
> >this something to be concerned about?
> >
> >The IP is registered to CyberAngels B.V. in the Netherlands.
> >
> >LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> >
> >217.21.114.155 - - [03/Apr/2003:16:14:29 -0800] "\x04\x01" 501 - "-" "-"
> >217.21.114.155 - - [03/Apr/2003:16:14:49 -0800] "\x05\x01" 501 - "-" "-"
> >217.21.114.155 - - [03/Apr/2003:16:14:51 -0800] "CONNECT 207.46.181.13:25 HTTP/1.1" 405 314 "-" "-"
> 
> I don't know about the first two (sending hex 4 hex 1? the only thing I can 
> think of is that someone is trying to test to see if your server has certain 
> capabilities...or maybe they just want to see an error message, to know 
> what server/version you're running).  The reason I react that paranoidly 
> (is that a word? :) is the third entry.  Basically, someone is trying to 
> connect to the smtp port of smtp-gw-4.msn.com (207.46.181.13) through your 
> server.  The only reason I can think of to do such a thing would be to send 
> spam, without it being able to be traced back to the original IP...as far 
> as the smtp server is concerned, the mail would come from your IP...that 
> is, of course, assuming you have CONNECT enabled for Apache... that, I'm 
> not sure of.
> 
> ==Jeremy 

The log indicates that the server returned Error 405, Method Not Allowed. His
server doesn't allow that IP to use CONNECT.

CyberAngels B.V. is an ISP in .nl with poor reverse dns practices. I'd report
the incident to their abuse department.

-- 
Benjamin Krueger

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
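
The following is an added example, not part of the original message or of the Apache project: a small Python scanner that flags the three entry shapes quoted in the thread and reports whether the server accepted the request. It assumes the combined format and `\xhh` escaping shown in the log excerpt, and labels the first two entries by the SOCKS4 and SOCKS5 opening bytes they match (version 4 or 5 followed by 0x01); the function names and the last two sample lines are constructed for illustration.

```python
import re

# Apache "combined" format, matching the LogFormat line quoted in the message.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)
CONNECT = re.compile(r'^CONNECT (\S+):(\d+) ')

def classify(request):
    """Return a probe label for a logged request line, or None if ordinary."""
    # Non-printable request bytes appear as \xhh escapes, as in the excerpt.
    if request.startswith(r'\x04\x01'):
        return 'socks4-connect'    # SOCKS4 request: version 4, command 1
    if request.startswith(r'\x05\x01'):
        return 'socks5-greeting'   # SOCKS5 greeting: version 5, 1 auth method
    m = CONNECT.match(request)
    if m:
        return 'http-connect:%s:%s' % m.groups()
    return None

def scan(lines):
    """Return (host, probe, status, accepted) for each proxy-probe entry."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        probe = classify(m.group('request')) if m else None
        if probe:
            status = int(m.group('status'))
            # A 2xx reply to CONNECT means the tunnel was opened: investigate.
            hits.append((m.group('host'), probe, status, 200 <= status < 300))
    return hits

# First three lines are from the message; the last two are constructed
# (documentation-range addresses): an ordinary GET and an accepted CONNECT.
SAMPLE = [
    r'217.21.114.155 - - [03/Apr/2003:16:14:29 -0800] "\x04\x01" 501 - "-" "-"',
    r'217.21.114.155 - - [03/Apr/2003:16:14:49 -0800] "\x05\x01" 501 - "-" "-"',
    r'217.21.114.155 - - [03/Apr/2003:16:14:51 -0800] '
    r'"CONNECT 207.46.181.13:25 HTTP/1.1" 405 314 "-" "-"',
    r'192.0.2.10 - - [03/Apr/2003:16:20:00 -0800] "GET / HTTP/1.0" 200 512 "-" "-"',
    r'192.0.2.10 - - [03/Apr/2003:16:21:00 -0800] '
    r'"CONNECT 198.51.100.7:25 HTTP/1.0" 200 - "-" "-"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(hit)
```

All three entries from the message come back with `accepted` false (501, 501, 405); only the constructed 200 reply to CONNECT is marked as accepted.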

