Velocity Reviews > Newsgroups > Computer Security
Computer Security - Apache on Windows 2K - helllabs?

Old 11-20-2003, 11:19 PM   #1
Apache on Windows 2K - helllabs?


I was bopping along through my apache access log today and came across a
couple entries I didn't understand. I'm running an Apache server on
Windows 2000, cygwin ssh, typesoft ftp (sometimes) and nothing else I
can think of that it would be possible to connect to. The only unusual
thing about my configuration is that I'm running Apache on 8080. I'm
including the logs so that you can see what I saw. The ranges have been
removed but nothing else has been changed.


Issue:
It shows someone has tried to:
"CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
"GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
both followed by:
"\x04\x01" 501 310
Is this a spammer trying to see if I'll let him proxy to some smtp server?

Whatever it is, do I need to worry about it? It wasn't successful, was it?


Thanks,
~Mike


(Unknown Range 1).180 - - [10/Nov/2003:23:37:54 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 1).180 - - [10/Nov/2003:23:37:54 -0800] "\x04\x01" 501 310
(Unknown Range 2).131 - - [13/Nov/2003:05:51:23 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 2).131 - - [13/Nov/2003:05:51:23 -0800] "\x04\x01" 501 310
(Unknown Range 3).219 - - [14/Nov/2003:03:51:25 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 3).219 - - [14/Nov/2003:03:51:25 -0800] "\x04\x01" 501 310
(Unknown Range 3).78 - - [15/Nov/2003:01:50:20 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 3).78 - - [15/Nov/2003:01:50:20 -0800] "\x04\x01" 501 310
(Unknown Range 4).222 - - [15/Nov/2003:18:04:25 -0800] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
(Unknown Range 1).125 - - [16/Nov/2003:01:07:49 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 1).125 - - [16/Nov/2003:01:07:49 -0800] "\x04\x01" 501 310
(Unknown Range 4).222 - - [16/Nov/2003:16:43:28 -0800] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
(Unknown Range 5).155 - - [17/Nov/2003:12:27:30 -0800] "GET /hendricks/ HTTP/1.1" 200 701
(Unknown Range 5).155 - - [17/Nov/2003:12:27:31 -0800] "GET /icons/back.gif HTTP/1.1" 200 216
(Unknown Range 5).155 - - [17/Nov/2003:12:27:31 -0800] "GET /icons/blank.gif HTTP/1.1" 200 148
(Unknown Range 5).155 - - [17/Nov/2003:12:27:31 -0800] "GET /icons/binary.gif HTTP/1.1" 200 246
(Unknown Range 1).103 - - [18/Nov/2003:06:08:55 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 1).103 - - [18/Nov/2003:06:08:55 -0800] "\x04\x01" 501 310
(Unknown Range 3).220 - - [19/Nov/2003:23:46:25 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 3).220 - - [19/Nov/2003:23:46:30 -0800] "\x04\x01" 501 310



Michael
Old 11-27-2003, 04:57 PM   #2
Dave Korn
Re: Apache on Windows 2K - helllabs?

"Michael" <> wrote in message
news:97avb.55$US3.0@okepread03...
> I was bopping along through my apache access log today and came across a
> couple entries I didn't understand. I'm running an Apache server on
> Windows 2000, cygwin ssh, typesoft ftp (sometimes) and nothing else I
> can think of that it would be possible to connect to. The only unusual
> thing about my configuration is that I'm running Apache on 8080. I'm
> including the logs so that you can see what I saw. The ranges have been
> removed but nothing else has been changed.
>
>
> Issue:
> It shows someone has tried to:
> "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315


Well, that's an attempt to relay spam, as shown by port 25. The 405
indicates that the CONNECT method is disallowed on your server, as you would
hope.

> "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302


It's somebody attempting to use your proxy to access a cgi-bin env checker
to see if your proxy would connect anonymously or forward identifying
headers. Here's what it returns for me:

---snip---
11/27/03 16:44:09 Browsing
http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080
Fetching http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 ...
GET /cgi-bin/textenv.pl?8080 HTTP/1.1
Host: www.helllabs.com.ua
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 200 OK
Date: Thu, 27 Nov 2003 16:44:32 GMT
Server: CoffeeMaker/1.1 (Unix)
Cache-Control: max-age=0
Expires: Thu, 27 Nov 2003 16:44:32 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=us-ascii

51
REQUEST_METHOD = GET
REMOTE_ADDR = 80.4.6.73
HTTP_X_FORWARDED_FOR = 80.4.6.73

0
---snip---
[demonstrating as it does that my ISP has a transparent inline cache/proxy
which adds an X-Forwarded-For: header to my request.] The 404 means your
proxy won't forward requests for sites it doesn't host locally, which is
also what you'd hope for.

> both followed by:
> "\x04\x01" 501 310


That's an attempt to see if there's a socks v4 proxy running. That's just
plain daft to send to a webserver.

> Is this a spammer trying to see if I'll let him proxy to some smtp server?


Yep. Maybe several of them, or some combination of spammers and people
looking to do a spot of anonymous websurfing/hacking.

> Whatever it is, do I need to worry about it? It wasn't successful, was it?


Nope, from what I see you're blocking it. Is it possible your proxy was
open when you first put it up on the net, and that your IP got onto a few of
the public proxy lists somehow? If that was the case, it'll presumably drop
off in time since it's secure now. If not, it's just background noise.

DaveK
--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card! http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD


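The three probe types Dave describes (a CONNECT to port 25, a GET with an absolute URL, and a raw SOCKS4 handshake logged as "\x04\x01") can be picked out of an Apache common-format access log mechanically. The script below is an added example, not code from the thread; the log lines it embeds are constructed after the ones Michael posted, with placeholder client addresses, and the last line is a made-up case where the server answered a CONNECT with 200, which is the result that would actually mean the proxy is open.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample, modelled on the thread's log excerpt. Apache writes the
# SOCKS4 bytes as the literal text \x04\x01, so a raw string is used here.
SAMPLE_LOG = r"""
192.0.2.180 - - [10/Nov/2003:23:37:54 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
192.0.2.180 - - [10/Nov/2003:23:37:54 -0800] "\x04\x01" 501 310
192.0.2.222 - - [15/Nov/2003:18:04:25 -0800] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
192.0.2.155 - - [17/Nov/2003:12:27:30 -0800] "GET /hendricks/ HTTP/1.1" 200 701
192.0.2.9 - - [18/Nov/2003:06:08:55 -0800] "CONNECT 203.0.113.5:25 HTTP/1.0" 200 0
"""

def classify(request):
    """Return the probe type for one request line, or None for ordinary traffic."""
    if request.startswith(r"\x04\x01"):
        return "socks4"          # SOCKS4 request (VN=4, CD=CONNECT) sent to an HTTP port
    parts = request.split()
    if not parts:
        return None
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    if method == "CONNECT":
        port = target.rsplit(":", 1)[-1]
        return "connect-smtp" if port == "25" else "connect"   # port 25 = mail relay attempt
    if target.startswith(("http://", "https://")):
        return "absolute-uri"    # forward-proxy request for a site this server does not host
    return None

def analyse(log_text):
    """Count probes by type and list any probe the server answered with 2xx."""
    counts = Counter()
    open_proxy_hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["request"])
        if kind is None:
            continue
        counts[kind] += 1
        # 404/405/501 mean the proxy refused; a 2xx means the probe got through.
        if 200 <= int(m["status"]) < 300:
            open_proxy_hits.append((m["host"], kind, m["request"]))
    return counts, open_proxy_hits

if __name__ == "__main__":
    counts, hits = analyse(SAMPLE_LOG)
    print(dict(counts))
    print("open-proxy indications:", hits)
```

Run it over a real access log by passing the file contents to analyse(); an empty hits list is the "you're blocking it" outcome Dave describes.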
Old 11-28-2003, 10:36 AM   #3
@micro$oft.com
Re: Apache on Windows 2K - helllabs?

Dave Korn wrote:

>
> It's somebody attempting to use your proxy to access a cgi-bin env checker
> to see if your proxy would connect anonymously or forward identifying
> headers. Here's what it returns for me:


> http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080


From "Helllab's" website:

Is it legal to use someone's proxy server?

"Yes, absolutely! When some person installs proxy server software he has
an option, whether it should be public accessible server or not
(password protected). In the first case proxy server is the public one
and you can use it for your purposes. If someone (your ISP or owner of
the proxy server) tells you that you have misused proxy server, point
him out that there were no password protection, therefore you have used
public proxy and did not violate any rules."


So, I guess, by this definition, I can scan the Internet looking for
default accounts left open w/out passwords- and if I do get it, too bad,
right??

;p




--

t=Atr2-WBS=-=-=-=--Mod_SSL/GPG/OpenSSL=-=-=-=-=-=-=-=-=-=
[jayjwa] Was I helpful? https://atr2.ath.cx/affero.php
<rot13>
Znvy:
Raq glenaal: Nffnfvangr Ovyy Tngrf
Jvaqbjf vf n qvfrnfr
</rot13>
??? https://atr2.ath.cx/who-we-are.html
=-=-=Linux Tough.Powered By Slackware=-=HTTPS/FTP=-RLF#37=


