Security Incidents mailing list archives

Re: Strange CONNECT entries in apache logs


From: "John Lampe" <j_lampe () bellsouth net>
Date: Tue, 10 Jun 2003 16:25:43 -0700

Also interesting to note that my ISP (COMCAST) seems to be scanning some of
their ranges for this same (old) bug.  They are either proactive or a bit on
the invasive side...

24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 304
24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 310

John W. Lampe
https://f00dikator.aceryder.com/

----- Original Message -----
From: "Stefan Allemann" <sal () team inter net>
To: "Rajkumar S" <listuser () myrealbox com>; <incidents () securityfocus com>
Sent: Monday, June 09, 2003 9:55 AM
Subject: AW: Strange CONNECT entries in apache logs


I find some of these requests in my logs too,
on different servers. I think you should have a
look at http://www.kb.cert.org/vuls/id/150227
for a description of this.

My apache server answers with 400 or 405 to these
requests. Your server seems to accept these requests
(302, 200)!

Stefan
Inter.net Switzerland


-----Original Message-----
From: Rajkumar S [mailto:listuser () myrealbox com]
Sent: Friday, 6 June 2003 18:35
To: incidents () securityfocus com
Subject: Strange CONNECT entries in apache logs


Hi,

While going through my apache logs, I found some entries indicating CONNECT
requests to port 25 of other hosts.

213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"

I found this on 2 machines in an Indian IP block. Another server of mine in
the US is not affected by this. Is anyone else seeing this? Could this be the
next wave of spam?

raj
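
Added example, not part of any message in this thread: a small Python triage script that separates the CONNECT requests a server refused (400/405, as Stefan describes) from those that got any other status (302/200, as in raj's logs). The function names and the final GET line are constructed for illustration; the other sample lines are the log entries quoted above, unwrapped.

```python
import re

# Matches both layouts quoted in the thread (with and without "- -").
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Log lines from the thread, unwrapped; the final GET line is constructed.
SAMPLE = [
    '24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 304',
    '24.30.199.228 - - [10/Jun/2003:14:33:23 -0400] "CONNECT security.rr.com:25 HTTP/1.0" 405 310',
    '213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"',
    '130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"',
    '130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"',
    '192.0.2.10 - - [10/Jun/2003:14:40:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
]

def classify_connect(line):
    """Return a finding dict for a CONNECT request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "CONNECT":
        return None
    host, sep, port = m["target"].rpartition(":")
    if not sep:                      # no explicit port in the target
        host, port = port, ""
    status = int(m["status"])
    # 4xx/5xx: the server refused the method. Any other status needs a
    # manual check of the proxy configuration; the status code alone does
    # not prove that a tunnel was actually relayed.
    verdict = "rejected" if status >= 400 else "review"
    return {"client": m["client"], "host": host,
            "port": int(port) if port.isdigit() else None,
            "status": status, "verdict": verdict}

def scan(lines):
    """Findings for every CONNECT request in the given log lines."""
    return [f for f in map(classify_connect, lines) if f]

def smtp_review_clients(lines):
    """Clients whose CONNECT to port 25 was not refused outright."""
    return sorted({f["client"] for f in scan(lines)
                   if f["port"] == 25 and f["verdict"] == "review"})

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["verdict"], f["status"], f["client"], "->", f"{f['host']}:{f['port']}")
```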

