Security Incidents mailing list archives
Re: Weird log entries...
From: "Kelly Martin" <kmartin () pyrzqxgl org>
Date: Thu, 28 Mar 2002 07:47:07 -0600
These are attempts to connect to IRC servers via HTTP-based proxy. It could be people trying to hijack your proxy server (if you had one), but it could also be an IRC server you are connecting to proxy-scanning you. Many IRC servers now scan incoming clients for unsafe proxy servers and K-line those that test positive.

Kelly

----- Original Message -----
From: "Josh Diakun" <joshd () superaje com>
To: "Incidents" <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, March 28, 2002 4:06 AM
Subject: Weird log entries...

Hello All,

I was just sifting through my Apache access log file and found some weird entries that caught my attention. After a quick search on the security focus mailing list archives I was unable to come up with anything...so maybe someone out there could be of some help to explain to me what bug these users are trying to exploit. Here are the log entries:

216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 344
217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT 198.186.203.27:6667 HTTP/1.0" 401 469
217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469
217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 151.189.12.20:6669 HTTP/1.0" 401 469

And then of course there were many, many other entries of the same sort.
I understand the basics of what they are trying to accomplish (connecting to an outside source through my machine...in most of these cases, an IRC server)...but I've never really seen this bug, except for the multiple hits over the last two/three weeks. If someone could care to elaborate, that would be greatly appreciated.

Thanks in advance.

Sincerely,
Josh Diakun
ACPO Development Team Member
http://www.antichildporn.org
http://www.joshd.ca

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
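
Added example, not part of the original thread: a small Python triage script for access-log entries like the ones quoted above. It counts CONNECT probes per source and destination and separates refused attempts (4xx, as in the post) from any the server actually relayed (2xx). The sample lines, the IRC port set and the function names are constructed assumptions.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?: HTTP/\d\.\d)?" (?P<status>\d{3}) (?:\d+|-)$')
IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumption: usual IRC port range

def parse_connect(line):
    """Return a dict for a CONNECT request line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("method") != "CONNECT":
        return None
    # Tolerate a trailing slash after host:port, as in one entry in the post.
    host, _, port = m.group("target").rstrip("/").rpartition(":")
    if not host or not port.isdigit():
        return None
    status = int(m.group("status"))
    return {"src": m.group("src"), "dest": f"{host}:{port}",
            "irc_port": int(port) in IRC_PORTS, "status": status,
            # 2xx to CONNECT means the tunnel was opened; 4xx is a refusal.
            "relayed": 200 <= status < 300}

def summarize(lines):
    """Count probes per (source, destination); collect any that were relayed."""
    probes, relayed = Counter(), []
    for line in lines:
        rec = parse_connect(line)
        if rec is None:
            continue
        probes[(rec["src"], rec["dest"])] += 1
        if rec["relayed"]:
            relayed.append(rec)
    return probes, relayed

# Constructed sample lines (documentation addresses) in the post's log format.
SAMPLE = [
    '192.0.2.10 - - [25/Mar/2002:03:28:09 -0500] "CONNECT 198.51.100.20:6669 HTTP/1.0" 401 469',
    '192.0.2.10 - - [26/Mar/2002:03:30:48 -0500] "CONNECT 198.51.100.20:6669 HTTP/1.0" 401 469',
    '203.0.113.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT 203.0.113.7:2048/ HTTP/1.1" 400 344',
    '192.0.2.77 - - [26/Mar/2002:10:00:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.99 - - [27/Mar/2002:02:20:27 -0500] "CONNECT 198.51.100.30:6667 HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    probes, relayed = summarize(SAMPLE)
    for (src, dest), n in probes.most_common():
        print(f"{n:3d}  {src} -> {dest}")
    print("relayed:", [(r["src"], r["dest"]) for r in relayed])
```

Any entry in the relayed list is the case worth acting on: the server completed the CONNECT instead of refusing it.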
Current thread:
- Weird log entries... Josh Diakun (Mar 28)
- Re: Weird log entries... Kelly Martin (Mar 28)
- Re: Weird log entries... Florian Weimer (Mar 29)
- RE: Weird log entries... John Hartley (Mar 29)
- <Possible follow-ups>
- Re: Weird log entries... zeno (Mar 28)
- RE: Weird log entries... Cushing, David (Mar 29)
- RE: Weird log entries... Michael Ward (Mar 29)