> -----Urspr�ngliche Nachricht----- > Von: [EMAIL PROTECTED] [mailto:full-disclosure- > [EMAIL PROTECTED] Im Auftrag von Mark > Gesendet: Mittwoch, 4. Juni 2003 18:31 > An: Lan Guy > Cc: Scott M. Algatt; [EMAIL PROTECTED] > > > > The exert from my log files which had the same (but cant say it caused > me any concern) > > dhpp.csudh.edu - - [01/Jun/2003:21:27:08 +0100] "CONNECT 1.3.3.7:1337 > HTTP/1.0" 405 303 "-" "-"
Since long time I see something like this in my apache log files. The connect command means that anyone tries to use you http server for http tunnelling. But so long the access.log shows any error code like 405, 404, 400 or 407, so it is running fine. But in case that there is Status Code of 200, so you have to check you configuration. Here is a short collection of some strange log file entries. 80.181.x.x - - [03/Jun/2003:19:15:17 +0200] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 520 195.214.x.x - - [15/May/2003:07:08:25 +0200] "-" 408 - 212.141.x.x - - [17/May/2003:12:43:03 +0200] "OPTIONS * HTTP/1.0" 403 268 193.127.x.x - - [19/May/2003:02:14:27 +0200] "HEAD / HTTP/1.1" 400 0 200.203.x.x - - [21/May/2003:11:07:44 +0200] "CONNECT cratosthenes.zen.co.uk:25 HTTP/1.0" 403 277 212.66.x.x - - [25/May/2003:04:15:25 +0200] "SEARCH / HTTP/1.1" 403 269 216.25.x.x - - [01/Jun/2003:09:29:03 +0200] "PROPFIND / HTTP/1.0" 403 268 217.45.x.x - - [01/Jun/2003:23:04:15 +0200] "GET /NULL.printer" 404 - Regards, Michael intract - any business anywhere Michael Linke Netzwerkadministrator Heilbronnerstr. 50 D-73728 Esslingen Germany Phone : +49 384 16297 50 Fax : +49 711 35152 89 mobile : +49 178 51 52 959 e-mail : [EMAIL PROTECTED] ICQ : 141033973 webside: http://www.intract.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
