
Re: [suse-security] Strange entry in Apache log

Keith Roberts wrote:
>Hi everyone.
>Can anyone tell what the following apache logs are?
>The last line looks like they managed to connect to port 25.
>Or did someone get my machine to connect to another server's
>port 25?
> - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"
> - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"

Raw SOCKS connection attempt?
Check error log for "illegal request type" (iirc)

> - - [27/Feb/2004:16:01:51 +0000] "CONNECT HTTP/1.1" 200 5664 "-" "-"

Looks like they can use your server to proxy SMTP traffic.
But note: error code may be wrong. I remember there was something
about a buggy module giving wrong error codes, please try google
on that. This should do the trick:
gg: apache "\x04\x01" CONNECT

	Lars Ellenberg
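
Added example, not part of the original message: a small Python scan of an Apache access log for the three request shapes discussed in this thread (the SOCKS4 and SOCKS5 handshake bytes and the HTTP CONNECT method). The sample lines, client addresses and the CONNECT target are constructed placeholders, and `classify`, `scan` and `check_proxy` are names chosen for this sketch.

```python
import re

# Apache common/combined log line. Apache writes non-printable request bytes
# as \xhh escapes, which is why a binary SOCKS handshake shows up as "\x04\x01".
LINE_RE = re.compile(
    r'^(?P<host>\S*) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)

# Constructed sample lines; hosts and the CONNECT target are placeholders.
SAMPLE_LOG = [
    r'192.0.2.10 - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"',
    r'192.0.2.10 - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"',
    r'192.0.2.10 - - [27/Feb/2004:16:01:51 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 200 5664 "-" "-"',
    r'198.51.100.7 - - [27/Feb/2004:16:02:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
    r'192.0.2.44 - - [27/Feb/2004:16:05:12 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 405 312 "-" "-"',
]

def classify(request):
    """Return a label for a proxy-probe request line, or None."""
    if request.startswith(r"\x04\x01"):
        return "socks4-connect"   # SOCKS4: version 4, command 1 (CONNECT)
    if request.startswith(r"\x05"):
        return "socks5-greeting"  # SOCKS5: version 5, then a method count
    if request.split(" ", 1)[0].upper() == "CONNECT":
        return "http-connect"
    return None

def scan(lines):
    """List probe entries; check_proxy marks CONNECT answered with 2xx."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        kind = classify(m.group("req")) if m else None
        if kind is None:
            continue
        status = int(m.group("status"))
        parts = m.group("req").split()
        findings.append({
            "host": m.group("host"), "kind": kind, "status": status,
            # The target is the middle token; absent in "CONNECT HTTP/1.1".
            "target": parts[1] if kind == "http-connect" and len(parts) == 3 else None,
            "check_proxy": kind == "http-connect" and 200 <= status < 300,
        })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the logged status may not reflect what the server actually did, `check_proxy` only marks entries worth verifying against the error log and the proxy configuration; it does not confirm that traffic was relayed.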
