Strange entry in Apache log
Hi everyone.

Can anyone tell what the following apache logs are? The last line looks like they managed to connect to port 25. Or did someone get my machine to connect to another server's port 25?

220.163.27.187 - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"
220.163.27.187 - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"
220.163.27.187 - - [27/Feb/2004:16:01:51 +0000] "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"

I have just been to grc.com, and my SMTP port is stealthed. Here is a listing of netstat:

keith@myserver:~> netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:www-http              *:*                     LISTEN
tcp        0      0 *:afs3-fileserver       *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN

Anyone have any ideas?

Kind Regards - Keith Roberts
I'm no expert on this, so take my comments with a pound of salt. It looks to me like they tried to use your server to issue an SMTP connect to the Earthlink mail server, perhaps to send some spam and cover their tracks? I grep'ed through my webserver's logs for "CONNECT" and came up empty; looks a little fishy to me.

Keith Roberts wrote:
Hi everyone.
Can anyone tell what the following apache logs are?
The last line looks like they managed to connect to port 25.
Or did someone get my machine to connect to another server's port 25?
220.163.27.187 - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"
220.163.27.187 - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"
220.163.27.187 - - [27/Feb/2004:16:01:51 +0000] "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"
I have just been to grc.com, and my SMTP port is stealthed.
Here is a listing of netstat
keith@myserver:~> netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:www-http              *:*                     LISTEN
tcp        0      0 *:afs3-fileserver       *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
Anyone have any ideas?
Kind Regards - Keith Roberts
Hi, On Friday 27 February 2004 18:29, Keith Roberts wrote:
Or did someone get my machine to connect to another server's port 25?

They tried to.
220.163.27.187 - - [27/Feb/2004:16:01:51 +0000] "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"
I have just been to grc.com, and my SMTP port is stealthed.
This has nothing to do with your SMTP port. They scanned for open proxies and tried whether your Apache would allow proxying. The trick is that even SMTP connections can be proxied over a web proxy. Just make sure this is not possible with your Apache, so check error_log for confirmation that this failed. If not, get that Apache off-line and remove the proxy on directive ASAP!

BB, Arjen
Keith Roberts wrote:
Hi everyone.
Can anyone tell what the following apache logs are?
The last line looks like they managed to connect to port 25.
Or did someone get my machine to connect to another server's port 25?
220.163.27.187 - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"
220.163.27.187 - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"
Raw SOCKS connection attempt? Check error log for "illegal request type" (iirc)
220.163.27.187 - - [27/Feb/2004:16:01:51 +0000] "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"
Looks like they can use your server to proxy SMTP traffic. But note: the error code may be wrong. I remember there was something about a buggy module giving wrong error codes; please try Google on that. This should do the trick: gg: apache "\x04\x01" CONNECT

Lars Ellenberg

OK, I found this in my personal archive, and the link is even still valid: Bug #19113 HTTP status 200 returned on HTTP CONNECT when mod_proxy not in use http://bugs.php.net/bug.php?id=19113

Lars Ellenberg
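An added example, written for this thread and not posted by any of its participants: a small Python checker that applies the two points the replies make to Apache combined-format access log lines. It flags the escaped raw SOCKS handshake bytes ("\x04\x01" is a SOCKS4 CONNECT command, "\x05\x01" a SOCKS5 greeting) and HTTP CONNECT request lines, and, following Lars's caveat about bug #19113, treats a 200 status as evidence of actual relaying only when a non-zero byte count was logged with it. The three log lines from Keith's post are used as input together with two constructed lines (a normal GET and a refused CONNECT, on documentation-range addresses); the Finding class, the function names and the "proxied" heuristic are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache "combined" access log format (the format of the lines posted in the thread):
# client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# How Apache escapes the first bytes of a raw SOCKS handshake sent to an HTTP port:
# \x04\x01 = SOCKS4 version byte + CONNECT command, \x05\x01 = SOCKS5 greeting, one auth method.
SOCKS_PREFIXES = {
    r"\x04\x01": "SOCKS4 CONNECT probe",
    r"\x05\x01": "SOCKS5 greeting probe",
}

# HTTP CONNECT request line, e.g. "CONNECT 207.217.125.22:25 HTTP/1.1"
CONNECT_RE = re.compile(r"^CONNECT (?P<host>[^\s:]+):(?P<port>\d+) HTTP/")


@dataclass
class Finding:
    client: str
    time: str
    kind: str
    target: str      # host:port asked for, or "-" for a SOCKS probe
    status: int
    bytes_sent: int
    proxied: bool    # True only when the log suggests data was actually relayed


def parse_line(line: str) -> Optional[dict]:
    """Split one access log line into its fields; None if it is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    raw_bytes = m.group("bytes")
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "request": m.group("request"),
        "status": int(m.group("status")),
        "bytes": 0 if raw_bytes == "-" else int(raw_bytes),
    }


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for proxy-abuse indicators, None for ordinary requests."""
    rec = parse_line(line)
    if rec is None:
        return None
    req = rec["request"]
    for prefix, label in SOCKS_PREFIXES.items():
        if req.startswith(prefix):
            # A SOCKS handshake against an HTTP server is a probe; Apache cannot honour it.
            return Finding(rec["client"], rec["time"], label, "-",
                           rec["status"], rec["bytes"], False)
    m = CONNECT_RE.match(req)
    if m is not None:
        target = f"{m.group('host')}:{m.group('port')}"
        # Status 200 alone is not proof of a working tunnel (bug #19113 in the thread:
        # 200 is returned even without mod_proxy). A non-zero byte count is the stronger signal.
        proxied = rec["status"] == 200 and rec["bytes"] > 0
        return Finding(rec["client"], rec["time"], "HTTP CONNECT tunnel request", target,
                       rec["status"], rec["bytes"], proxied)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Classify every line and keep only the suspicious ones."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def clients_to_investigate(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding kinds by client address, so one scanner shows up as a single entry."""
    by_client: Dict[str, List[str]] = {}
    for f in findings:
        by_client.setdefault(f.client, []).append(f.kind)
    return by_client


# Sample input: the three lines from the original post, plus two constructed lines
# (documentation-range addresses): a normal page hit and a CONNECT the server refused.
SAMPLE_LOG = [
    r'220.163.27.187 - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"',
    r'220.163.27.187 - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"',
    r'220.163.27.187 - - [27/Feb/2004:16:01:51 +0000] "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"',
    r'192.0.2.10 - - [27/Feb/2004:16:02:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [27/Feb/2004:16:03:00 +0000] "CONNECT 203.0.113.5:25 HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "RELAYED?" if f.proxied else "probe/failed"
        print(f"{f.client} {f.time} {f.kind} -> {f.target} "
              f"status={f.status} bytes={f.bytes_sent} [{flag}]")
```

Against the sample input the two SOCKS lines and the refused CONNECT come out as probes, while the third line from the post (200 with 5664 bytes) is the one flagged as a likely real relay; a 200 with 0 bytes is the bug-19113 pattern Lars describes. To run it over a real log, pass access_log's lines to scan() and cross-check flagged requests against error_log as Arjen suggests. On the Apache side the thing to verify is that forward proxying is not enabled at all (in mod_proxy that is the ProxyRequests directive, which should be Off); that directive name is general Apache knowledge, not something the thread spells out.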
participants (4): Arjen Runsink, Joel Luth, Keith Roberts, Lars Ellenberg