Computer Security - Apache on Windows 2K - helllabs?
#1
I was bopping along through my apache access log today and came across a
couple entries I didn't understand. I'm running an Apache server on Windows 2000, cygwin ssh, typesoft ftp (sometimes) and nothing else I can think of that it would be possible to connect to. The only unusual thing about my configuration is that I'm running Apache on 8080. I'm including the logs so that you can see what I saw. The ranges have been removed but nothing else has been changed.

Issue:
It shows someone has tried to:
"CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
"GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
both followed by:
"\x04\x01" 501 310

Is this a spammer trying to see if I'll let him proxy to some SMTP server? Whatever it is, do I need to worry about it? It wasn't successful, was it?

Thanks,
~Mike

(Unknown Range 1).180 - - [10/Nov/2003:23:37:54 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 1).180 - - [10/Nov/2003:23:37:54 -0800] "\x04\x01" 501 310
(Unknown Range 2).131 - - [13/Nov/2003:05:51:23 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 2).131 - - [13/Nov/2003:05:51:23 -0800] "\x04\x01" 501 310
(Unknown Range 3).219 - - [14/Nov/2003:03:51:25 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 3).219 - - [14/Nov/2003:03:51:25 -0800] "\x04\x01" 501 310
(Unknown Range 3).78 - - [15/Nov/2003:01:50:20 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 3).78 - - [15/Nov/2003:01:50:20 -0800] "\x04\x01" 501 310
(Unknown Range 4).222 - - [15/Nov/2003:18:04:25 -0800] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
(Unknown Range 1).125 - - [16/Nov/2003:01:07:49 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 1).125 - - [16/Nov/2003:01:07:49 -0800] "\x04\x01" 501 310
(Unknown Range 4).222 - - [16/Nov/2003:16:43:28 -0800] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
(Unknown Range 5).155 - - [17/Nov/2003:12:27:30 -0800] "GET /hendricks/ HTTP/1.1" 200 701
(Unknown Range 5).155 - - [17/Nov/2003:12:27:31 -0800] "GET /icons/back.gif HTTP/1.1" 200 216
(Unknown Range 5).155 - - [17/Nov/2003:12:27:31 -0800] "GET /icons/blank.gif HTTP/1.1" 200 148
(Unknown Range 5).155 - - [17/Nov/2003:12:27:31 -0800] "GET /icons/binary.gif HTTP/1.1" 200 246
(Unknown Range 1).103 - - [18/Nov/2003:06:08:55 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 1).103 - - [18/Nov/2003:06:08:55 -0800] "\x04\x01" 501 310
(Unknown Range 3).220 - - [19/Nov/2003:23:46:25 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
(Unknown Range 3).220 - - [19/Nov/2003:23:46:30 -0800] "\x04\x01" 501 310

Michael
#2
"Michael" <> wrote in message
news:97avb.55$US3.0@okepread03...
> I was bopping along through my apache access log today and came across a
> couple entries I didn't understand. I'm running an Apache server on
> Windows 2000, cygwin ssh, typesoft ftp (sometimes) and nothing else I
> can think of that it would be possible to connect to. The only unusual
> thing about my configuration is that I'm running Apache on 8080. I'm
> including the logs so that you can see what I saw. The ranges have been
> removed but nothing else has been changed.
>
>
> Issue:
> It shows someone has tried to:
> "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315

Well, that's an attempt to relay spam, as shown by port 25. The 405 indicates that the CONNECT method is disallowed on your server, as you would hope.

> "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302

It's somebody attempting to use your proxy to access a cgi-bin env checker to see if your proxy would connect anonymously or forward identifying headers. Here's what it returns for me:

---snip---
11/27/03 16:44:09 Browsing http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080
Fetching http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 ...

GET /cgi-bin/textenv.pl?8080 HTTP/1.1
Host: www.helllabs.com.ua
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 200 OK
Date: Thu, 27 Nov 2003 16:44:32 GMT
Server: CoffeeMaker/1.1 (Unix)
Cache-Control: max-age=0
Expires: Thu, 27 Nov 2003 16:44:32 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=us-ascii

51
REQUEST_METHOD = GET
REMOTE_ADDR = 80.4.6.73
HTTP_X_FORWARDED_FOR = 80.4.6.73

0
---snip---

[demonstrating as it does that my ISP has a transparent inline cache/proxy which adds an X-Forwarded-For: header to my request.]

The 404 means your proxy won't forward requests for sites it doesn't host locally, which is also what you'd hope for.

> both followed by:
> "\x04\x01" 501 310

That's an attempt to see if there's a SOCKS v4 proxy running. That's just plain daft to send to a webserver.

> Is this a spammer trying to see if I'll let him proxy to some smtp server?

Yep. Maybe several of them, or some combination of spammers and people looking to do a spot of anonymous websurfing/hacking.

> Whatever it is, do I need to worry about it? It wasn't successful was it?

Nope, from what I see you're blocking it. Is it possible your proxy was open when you first put it up on the net, and that your IP got onto a few of the public proxy lists somehow? If that was the case, it'll presumably drop off in time since it's secure now. If not, it's just background noise.

DaveK
--
moderator of alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card! http://www.optional-identity.org.uk/ Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
Dave Korn
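An added example, not code from either poster: a small Python scanner that applies the reading Dave gives above to an Apache access log in Common Log Format. The sample lines inside it are constructed to mirror Michael's excerpt (client addresses are made up, and one extra CONNECT answered with 200 is included to show what a bad outcome would look like). It recognises the three probe shapes in the thread: a CONNECT host:port tunnel request, a GET with an absolute URI for another site (a forward-proxy request), and a request starting with the SOCKS4 bytes 0x04 0x01, which Apache writes to the log as \x04\x01. The rule that a status below 400 on a proxy-shaped request means the server relayed it, while 405/404/501 are refusals, is an assumption of this example rather than something the thread states.

```python
"""Flag proxy-abuse probes in an Apache access log (Common Log Format)."""
import re
from dataclasses import dataclass
from typing import Optional

# Apache CLF: client ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A request-target with a scheme ("GET http://other.host/...") is a
# forward-proxy request; an origin server only ever sees paths like "/x".
ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://')
# Apache writes non-printable request bytes to the log as \xHH.
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')
SOCKS4_CONNECT = b'\x04\x01'  # SOCKS version 4, command 1 (CONNECT)

# Constructed sample modelled on the thread's excerpt; addresses are made up.
SAMPLE_LOG = r'''
10.0.0.180 - - [10/Nov/2003:23:37:54 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
10.0.0.180 - - [10/Nov/2003:23:37:54 -0800] "\x04\x01" 501 310
10.0.4.222 - - [15/Nov/2003:18:04:25 -0800] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
10.0.5.155 - - [17/Nov/2003:12:27:30 -0800] "GET /hendricks/ HTTP/1.1" 200 701
10.0.9.9 - - [18/Nov/2003:06:08:55 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 200 0
'''


@dataclass
class Finding:
    host: str
    time: str
    kind: str       # 'connect', 'forward-proxy', 'socks4' or 'normal'
    target: str
    status: int
    relayed: bool   # a proxy-shaped request the server answered with < 400


def unescape_request(field: str) -> bytes:
    """Turn the logged \\xHH escapes back into the raw bytes that were sent."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), field).encode('latin-1')


def port_of(target: str) -> Optional[int]:
    """Port from a CONNECT target such as '200.61.10.250:25'; None otherwise."""
    _, sep, port = target.rpartition(':')
    return int(port) if sep and port.isdigit() else None


def classify(line: str) -> Optional[Finding]:
    """Parse one CLF line and label the request shape; None if it is not CLF."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    request, status = m.group('request'), int(m.group('status'))
    kind, target = 'normal', ''
    if unescape_request(request).startswith(SOCKS4_CONNECT):
        kind, target = 'socks4', request        # not HTTP at all: a SOCKS4 CONNECT header
    else:
        parts = request.split(' ')
        target = parts[1] if len(parts) > 1 else ''
        if parts[0].upper() == 'CONNECT':
            kind = 'connect'                    # tunnel request, host:port as target
        elif ABSOLUTE_URI_RE.match(target):
            kind = 'forward-proxy'              # asks us to fetch another site's URL
    # Heuristic (assumption of this example): 405/404/501 mean the probe was
    # refused; a 2xx/3xx on a proxy-shaped request is what needs investigating.
    relayed = kind != 'normal' and status < 400
    return Finding(m.group('host'), m.group('time'), kind, target, status, relayed)


def scan(log_text: str) -> dict:
    """Summarise proxy probes in a whole log: probes, smtp_relay_attempts, relayed."""
    probes = [f for f in map(classify, log_text.splitlines())
              if f is not None and f.kind != 'normal']
    return {
        'probes': probes,
        'smtp_relay_attempts': [f for f in probes
                                if f.kind == 'connect' and port_of(f.target) == 25],
        'relayed': [f for f in probes if f.relayed],
    }


if __name__ == '__main__':
    result = scan(SAMPLE_LOG)
    for f in result['probes']:
        flag = 'RELAYED!' if f.relayed else 'refused'
        print(f"{f.time}  {f.host:<12} {f.kind:<14} {f.status}  {flag}  {f.target}")
    print(f"{len(result['smtp_relay_attempts'])} CONNECT-to-port-25 attempt(s), "
          f"{len(result['relayed'])} apparently relayed")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's contents; anything listed under 'relayed' is a request the server should have refused, and is worth checking against the ProxyRequests setting before assuming the traffic is only background noise.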
#3
Dave Korn wrote:
>
> It's somebody attempting to use your proxy to access a cgi-bin env checker
> to see if your proxy would connect anonymously or forward identifying
> headers. Here's what it returns for me:
> http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080

From "Helllab's" website:

Is it legal to use someone's proxy server?
"Yes, absolutely! When some person installs proxy server software he has an option, whether it should be public accessible server or not (password protected). In the first case proxy server is the public one and you can use it for your purposes. If someone (your ISP or owner of the proxy server) tells you that you have misused proxy server, point him out that there were no password protection, therefore you have used public proxy and did not violate any rules."

So, I guess, by this definition, I can scan the Internet looking for default accounts left open w/out passwords, and if I do get it, too bad, right?? ;p

--
t=Atr2-WBS=-=-=-=--Mod_SSL/GPG/OpenSSL=-=-=-=-=-=-=-=-=-=
[jayjwa] Was I helpful? https://atr2.ath.cx/affero.php
<rot13> Znvy: Raq glenaal: Nffnfvangr Ovyy Tngrf Jvaqbjf vf n qvfrnfr </rot13>
??? https://atr2.ath.cx/who-we-are.html
=-=-=Linux Tough.Powered By Slackware=-=HTTPS/FTP=-RLF#37= @micro$oft.com