
Re: [suse-security] Strange entry in Apache log



Keith Roberts wrote:
>Hi everyone.
>
>Can anyone tell what the following apache logs are?
>
>The last line looks like they managed to connect to port 25.
>
>Or did someone get my machine to connect to another server's
>port 25?
>
>220.163.27.187 - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"
>220.163.27.187 - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"

Raw SOCKS connection attempt?
Check error log for "illegal request type" (iirc)

>220.163.27.187 - - [27/Feb/2004:16:01:51 +0000] "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"

Looks like they can use your server to proxy SMTP traffic.
But note: error code may be wrong. I remember there was something
about a buggy module giving wrong error codes, please try Google
on that. This should do the trick:
gg: apache "\x04\x01" CONNECT

	Lars Ellenberg

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
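
A small detector for the kind of entries discussed in this thread, as an added example that is not part of the original messages: it flags raw SOCKS handshake bytes and CONNECT requests in an Apache access log. The function names and the fourth sample line are assumptions made for the illustration.

```python
import re

# Constructed sample: the three entries quoted in the thread plus one
# made-up ordinary request (192.0.2.10 is a documentation address).
SAMPLE_LOG = r'''220.163.27.187 - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"
220.163.27.187 - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"
220.163.27.187 - - [27/Feb/2004:16:01:51 +0000] "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"
192.0.2.10 - - [27/Feb/2004:16:02:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "-"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)')
CONNECT_RE = re.compile(r'^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)', re.I)

def classify(req):
    """Return (kind, detail) for a proxy-probe request line, else None."""
    # Apache writes non-printable request bytes as literal \xHH escapes.
    if req.startswith(r'\x04\x01'):
        return ('socks4', 'SOCKS4 version byte 4, command 1 (CONNECT)')
    if req.startswith(r'\x05\x01'):
        return ('socks5', 'SOCKS5 version byte 5, one auth method offered')
    m = CONNECT_RE.match(req)
    if m:
        return ('http-connect', f"{m['host']}:{m['port']}")
    return None

def scan(log_text):
    """Collect proxy-probe entries from combined-format access log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hit = classify(m['req']) if m else None
        if hit is None:
            continue
        kind, detail = hit
        # A 2xx status alone does not prove a tunnel was opened (the thread
        # notes the logged code may be wrong), so mark it for a manual check
        # rather than reporting a confirmed open proxy.
        needs_check = kind == 'http-connect' and m['status'].startswith('2')
        findings.append({'ip': m['ip'], 'time': m['ts'], 'kind': kind,
                         'detail': detail, 'status': int(m['status']),
                         'verify_proxy': needs_check})
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```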