From: "Bryan Lipscy"
Date: Fri, 4 Apr 2003 08:50:57 -0800
Organization: The Lipscy Family
Message-ID: <002401c2faca$608c9940$6301a8c0@ukiuki>
In-Reply-To: <5.2.0.9.0.20030404113151.00b06c58@unix.chanweiss.com>
Subject: RE: [users@httpd] Strange log entries...

Slackware 8.1
Apache 1.3.27
PHP 4.3.0
No proxy
Working on running chkrootkit
CONNECT is not defined in my httpd.conf file.

-----Original Message-----
From: Jeremy D. Weiss [mailto:jdweiss@chanweiss.com]
Sent: Friday, April 04, 2003 8:36 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Strange log entries...

At 08:25 AM 04/04/2003 -0800, you wrote:
>Encountered a few strange new log entries on my Apache 1.3.27 web
>server. Nothing significant popped up on google, in the docs or
>archives about any of these. Can someone please enlighten me about
>these log entries and what the client is attempting to accomplish? Is
>this something to be concerned about?
>
>The IP is registered to CyberAngels B.V. in the Netherlands.
>
>LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>
>217.21.114.155 - - [03/Apr/2003:16:14:29 -0800] "\x04\x01" 501 - "-" "-"
>217.21.114.155 - - [03/Apr/2003:16:14:49 -0800] "\x05\x01" 501 - "-" "-"
>217.21.114.155 - - [03/Apr/2003:16:14:51 -0800] "CONNECT 207.46.181.13:25 HTTP/1.1" 405 314 "-" "-"

I don't know about the first two (sending hex 4 hex 1? the only thing I can think of is that someone is trying to test to see if your server has certain capabilities...or maybe they just want to see an error message, to know what server/version you're running).

The reason I react that paranoidly (is that a word? :) is the third entry. Basically, someone is trying to connect to the smtp port of smtp-gw-4.msn.com (207.46.181.13) through your server. The only reason I can think of to do such a thing would be to send spam, without it being able to be traced back to the original IP...as far as the smtp server is concerned, the mail would come from your IP...that is, of course, assuming you have CONNECT enabled for Apache... that, I'm not sure of.

==Jeremy

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
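
The three entries discussed in this thread, run through a small log classifier; this is an added example, not part of the original messages. It relies on a protocol fact the thread does not state: `\x04\x01` and `\x05\x01` are the opening bytes of a SOCKS4 CONNECT request and a SOCKS5 greeting. The function names and the last two sample lines are constructed for illustration.

```python
import re

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The request field may hold backslash escapes, so those are matched explicitly.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)
CONNECT = re.compile(r'^CONNECT \S+:(?P<port>\d+) HTTP/\d\.\d$')

def classify(request):
    """Return a probe label for a logged request line, or None if it looks ordinary."""
    # Apache logs non-printable bytes as \xhh, so these are literal backslash sequences.
    if request.startswith(r'\x04\x01'):
        return 'socks4-connect'      # SOCKS4: version 4, command 1 (CONNECT)
    if request.startswith(r'\x05\x01'):
        return 'socks5-greeting'     # SOCKS5: version 5, one auth method offered
    m = CONNECT.match(request)
    if m:
        return 'http-connect:' + m.group('port')
    return None

def scan(lines):
    """Yield (host, label, status, relayed) for each proxy-probe entry."""
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        label = classify(m.group('request'))
        if label:
            status = int(m.group('status'))
            # A 2xx answer to CONNECT means the server agreed to tunnel: investigate.
            relayed = label.startswith('http-connect') and 200 <= status < 300
            yield m.group('host'), label, status, relayed

SAMPLE = [
    # The three entries quoted in the thread.
    r'217.21.114.155 - - [03/Apr/2003:16:14:29 -0800] "\x04\x01" 501 - "-" "-"',
    r'217.21.114.155 - - [03/Apr/2003:16:14:49 -0800] "\x05\x01" 501 - "-" "-"',
    r'217.21.114.155 - - [03/Apr/2003:16:14:51 -0800] "CONNECT 207.46.181.13:25 HTTP/1.1" 405 314 "-" "-"',
    # Constructed for contrast: an ordinary request and an accepted CONNECT.
    r'192.0.2.10 - - [03/Apr/2003:16:15:02 -0800] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    r'192.0.2.20 - - [03/Apr/2003:16:15:09 -0800] "CONNECT 198.51.100.7:25 HTTP/1.1" 200 - "-" "-"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(hit)
```

The 501 and 405 statuses on the thread's entries show the server refused all three attempts; only a 2xx reply to CONNECT, as in the constructed last line, would indicate the server is relaying.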