Someone is testing your site to see if the web server software supports CONNECT tunneling. If it's not supported it will return an error, which is why a fake IP address such as 1.3.3.7 can be supplied.
------ Ben Vaughn Security Analyst Blackbird Technologies 703-796-1438 W / 703-582-4551 C [EMAIL PROTECTED] ------ -----Original Message----- From: Randy M. Nash [mailto:[EMAIL PROTECTED] Sent: Monday, June 16, 2003 1:07 PM To: Rick Hoekman; [EMAIL PROTECTED] Subject: Re: Strange log entry Hmm... 1.3.3.7. I haven't seen it, but it's obviously haxor-speak for 'lite. Probe? Trojan? Thoughts? Randy --- Rick Hoekman <[EMAIL PROTECTED]> wrote: > Might be offtopic but anyone seen this line in > webserver logs > and knows what it is? > > 192.168.1.1 - - [16/Jun/2003:17:33:50 +0200] > "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 230 "-" "-" > > Rick > ===== Randy M. Nash @RISK Online http://www.atriskonline.com __________________________________ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com
