Apache on Windows 2K - helllabs?

Discussion in 'Computer Security' started by Michael, Nov 20, 2003.

  1. Michael

    Michael Guest

    I was bopping along through my apache access log today and came across a
    couple entries I didn't understand. I'm running an Apache server on
    Windows 2000, cygwin ssh, typesoft ftp (sometimes) and nothing else I
    can think of that it would be possible to connect to. The only unusual
    thing about my configuration is that I'm running Apache on 8080. I'm
    including the logs so that you can see what I saw. The ranges have been
    removed but nothing else has been changed.


    Issue:
    It shows someone has tried to:
    "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
    "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
    both followed by:
    "\x04\x01" 501 310
    Is this a spammer trying to see if I'll let him proxy to some smtp server?

    Whatever it is, do I need to worry about it? It wasn't successful was it?


    Thanks,
    ~Mike


    (Unknown Range 1).180 - - [10/Nov/2003:23:37:54 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
    (Unknown Range 1).180 - - [10/Nov/2003:23:37:54 -0800] "\x04\x01" 501 310
    (Unknown Range 2).131 - - [13/Nov/2003:05:51:23 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
    (Unknown Range 2).131 - - [13/Nov/2003:05:51:23 -0800] "\x04\x01" 501 310
    (Unknown Range 3).219 - - [14/Nov/2003:03:51:25 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
    (Unknown Range 3).219 - - [14/Nov/2003:03:51:25 -0800] "\x04\x01" 501 310
    (Unknown Range 3).78 - - [15/Nov/2003:01:50:20 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
    (Unknown Range 3).78 - - [15/Nov/2003:01:50:20 -0800] "\x04\x01" 501 310
    (Unknown Range 4).222 - - [15/Nov/2003:18:04:25 -0800] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
    (Unknown Range 1).125 - - [16/Nov/2003:01:07:49 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
    (Unknown Range 1).125 - - [16/Nov/2003:01:07:49 -0800] "\x04\x01" 501 310
    (Unknown Range 4).222 - - [16/Nov/2003:16:43:28 -0800] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
    (Unknown Range 5).155 - - [17/Nov/2003:12:27:30 -0800] "GET /hendricks/ HTTP/1.1" 200 701
    (Unknown Range 5).155 - - [17/Nov/2003:12:27:31 -0800] "GET /icons/back.gif HTTP/1.1" 200 216
    (Unknown Range 5).155 - - [17/Nov/2003:12:27:31 -0800] "GET /icons/blank.gif HTTP/1.1" 200 148
    (Unknown Range 5).155 - - [17/Nov/2003:12:27:31 -0800] "GET /icons/binary.gif HTTP/1.1" 200 246
    (Unknown Range 1).103 - - [18/Nov/2003:06:08:55 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
    (Unknown Range 1).103 - - [18/Nov/2003:06:08:55 -0800] "\x04\x01" 501 310
    (Unknown Range 3).220 - - [19/Nov/2003:23:46:25 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
    (Unknown Range 3).220 - - [19/Nov/2003:23:46:30 -0800] "\x04\x01" 501 310
     
    Michael, Nov 20, 2003
    #1

  2. Dave Korn

    Dave Korn Guest

    "Michael" <> wrote in message
    news:97avb.55$US3.0@okepread03...
    > I was bopping along through my apache access log today and came across a
    > couple entries I didn't understand. I'm running an Apache server on
    > Windows 2000, cygwin ssh, typesoft ftp (sometimes) and nothing else I
    > can think of that it would be possible to connect to. The only unusual
    > thing about my configuration is that I'm running Apache on 8080. I'm
    > including the logs so that you can see what I saw. The ranges have been
    > removed but nothing else has been changed.
    >
    >
    > Issue:
    > It shows someone has tried to:
    > "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315


    Well, that's an attempt to relay spam, as shown by port 25. The 405
    indicates that the CONNECT method is disallowed on your server, as you would
    hope.

    > "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302


    It's somebody attempting to use your proxy to access a cgi-bin env checker
    to see if your proxy would connect anonymously or forward identifying
    headers. Here's what it returns for me:

    ---snip---
    11/27/03 16:44:09 Browsing
    http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080
    Fetching http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 ...
    GET /cgi-bin/textenv.pl?8080 HTTP/1.1
    Host: www.helllabs.com.ua
    Connection: close
    User-Agent: Sam Spade 1.14

    HTTP/1.1 200 OK
    Date: Thu, 27 Nov 2003 16:44:32 GMT
    Server: CoffeeMaker/1.1 (Unix)
    Cache-Control: max-age=0
    Expires: Thu, 27 Nov 2003 16:44:32 GMT
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/plain; charset=us-ascii

    51
    REQUEST_METHOD = GET
    REMOTE_ADDR = 80.4.6.73
    HTTP_X_FORWARDED_FOR = 80.4.6.73

    0
    ---snip---
    [demonstrating as it does that my ISP has a transparent inline cache/proxy
    which adds a X-Forwarded-For: header to my request.] The 404 means your
    proxy won't forward requests for sites it doesn't host locally, which is
    also what you'd hope for.

    > both followed by:
    > "\x04\x01" 501 310


    That's an attempt to see if there's a socks v4 proxy running. That's just
    plain daft to send to a webserver.

    > Is this a spammer trying to see if I'll let him proxy to some smtp server?


    Yep. Maybe several of them, or some combination of spammers and people
    looking to do a spot of anonymous websurfing/hacking.

    > Whatever it is, do I need to worry about it? It wasn't successful was it?


    Nope, from what I see you're blocking it. Is it possible your proxy was
    open when you first put it up on the net, and that your IP got onto a few of
    the public proxy lists somehow? If that was the case, it'll presumably drop
    off in time since it's secure now. If not, it's just background noise.

    DaveK
    --
    moderator of
    alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
    Burn your ID card! http://www.optional-identity.org.uk/
    Help support the campaign, copy this into your .sig!
    Proud Member of the Exclusive "I have been plonked by Davee because he
    thinks I'm interesting" List Member #<insert number here>
    Master of Many Meowing Minions
    Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
    and beyond the call of hilarity.
    PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
     
    Dave Korn, Nov 27, 2003
    #2
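The three probe patterns Dave Korn identifies above (a CONNECT to port 25, a GET for an absolute URI on a foreign host, and the SOCKS4 `\x04\x01` handshake bytes) can be picked out of an Apache common-format access log mechanically. The following is an added example, not code from either poster: it parses log lines, labels each probe type, and flags any probe that got a 2xx/3xx response, since that, rather than the refusals Michael saw, is the sign of an open proxy. The sample log lines are constructed from the ones quoted in the thread with RFC 5737 documentation addresses standing in for the removed ranges, and `www.example.com` is assumed to be the server's own hostname.

```python
"""Classify open-proxy probes in an Apache access log (common log format)."""
import re
from collections import Counter
from typing import Optional

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)\s*$'
)

# A SOCKS4 CONNECT request starts with VN=0x04, CD=0x01. Apache escapes the
# two raw bytes as \x04\x01 when it writes the request line to the log.
SOCKS4_PREFIXES = ("\\x04\\x01", "\x04\x01")


def classify(request: str, local_hosts=()) -> Optional[str]:
    """Return a probe label for one request line, or None if it looks normal.

    local_hosts: hostnames this server serves itself; absolute URIs for them
    are legitimate HTTP/1.1 requests, not forward-proxy attempts.
    """
    if request.startswith(SOCKS4_PREFIXES):
        return "socks4-probe"
    parts = request.split(" ")
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        # CONNECT host:port asks us to tunnel raw TCP; port 25 means the client
        # wants to reach a mail server through us, i.e. a spam-relay test.
        port = target.rsplit(":", 1)[-1] if ":" in target else ""
        return "smtp-relay-probe" if port == "25" else "connect-tunnel-probe"
    m = re.match(r"^https?://([^/:]+)", target, re.IGNORECASE)
    if m and m.group(1).lower() not in {h.lower() for h in local_hosts}:
        # Absolute URI for a foreign host: the client is treating us as a
        # forward proxy (the textenv.pl request in the thread is one of these).
        return "open-proxy-probe"
    return None


def scan_log(text: str, local_hosts=()):
    """Parse log lines and return one finding per probe request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        label = classify(m["request"], local_hosts)
        if label is None:
            continue
        status = int(m["status"])
        findings.append({
            "host": m["host"],
            "time": m["time"],
            "label": label,
            "status": status,
            # A 2xx/3xx on a proxy probe means the request was actually served
            # or forwarded; 404/405/501 (as in the thread) mean it was refused.
            "served": 200 <= status < 400,
        })
    return findings


def summarize(findings):
    """Counts per label plus the number of probes that were served."""
    return {
        "by_label": dict(Counter(f["label"] for f in findings)),
        "served": sum(1 for f in findings if f["served"]),
    }


# Constructed sample: the thread's log lines with documentation addresses
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) in place of the real ranges.
SAMPLE_LOG = r"""
192.0.2.180 - - [10/Nov/2003:23:37:54 -0800] "CONNECT 200.61.10.250:25 HTTP/1.0" 405 315
192.0.2.180 - - [10/Nov/2003:23:37:54 -0800] "\x04\x01" 501 310
198.51.100.222 - - [15/Nov/2003:18:04:25 -0800] "GET http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080 HTTP/1.0" 404 302
203.0.113.155 - - [17/Nov/2003:12:27:30 -0800] "GET /hendricks/ HTTP/1.1" 200 701
203.0.113.155 - - [17/Nov/2003:12:27:31 -0800] "GET http://www.example.com/icons/back.gif HTTP/1.1" 200 216
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, local_hosts=("www.example.com",))
    for f in found:
        flag = "SERVED!" if f["served"] else "refused"
        print(f"{f['time']} {f['host']:<16} {f['label']:<20} {f['status']} {flag}")
    print(summarize(found))
```

Run against a real log, pass the server's own hostnames in `local_hosts` so absolute-URI requests for them are not mislabelled, and treat any finding with `served` set as something to investigate: it means a CONNECT or foreign-host request was not refused, which is what the probes in the thread are looking for.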

  3. @micro$oft.com

    Dave Korn wrote:

    >
    > It's somebody attempting to use your proxy to access a cgi-bin env checker
    > to see if your proxy would connect anonymously or forward identifying
    > headers. Here's what it returns for me:


    > http://www.helllabs.com.ua/cgi-bin/textenv.pl?8080


    From "Helllab's" website:

    Is it legal to use someone's proxy server?

    "Yes, absolutely! When some person installs proxy server software he has
    an option, whether it should be public accessible server or not
    (password protected). In the first case proxy server is the public one
    and you can use it for your purposes. If someone (your ISP or owner of
    the proxy server) tells you that you have misused proxy server, point
    him out that there were no password protection, therefore you have used
    public proxy and did not violate any rules."


    So, I guess, by this definition, I can scan the Internet looking for
    default accounts left open w/out passwords- and if I do get it, too bad,
    right??

    ;p




    --

    t=Atr2-WBS=-=-=-=--Mod_SSL/GPG/OpenSSL=-=-=-=-=-=-=-=-=-=
    [jayjwa] Was I helpful? https://atr2.ath.cx/affero.php
    <rot13>
    Znvy:
    Raq glenaal: Nffnfvangr Ovyy Tngrf
    Jvaqbjf vf n qvfrnfr
    </rot13>
    ??? https://atr2.ath.cx/who-we-are.html
    =-=-=Linux Tough.Powered By Slackware=-=HTTPS/FTP=-RLF#37=
     
    @micro$oft.com, Nov 28, 2003
    #3
