[Gllug] Have I been compromised??

John Edwards John.Edwards at cornerstonelinux.co.uk
Mon Sep 2 20:19:24 UTC 2002


On Mon, Sep 02, 2002 at 08:41:26PM +0100, omphe wrote:
> Tom Gilbert wrote:
> 
> > Couple of things there, for one, why not show us the log entries you're
> > worried about? I'm sceptical myself, because for you to have people
> > connecting to your webserver on port 6667, you'd have to have
> > specifically configured it to listen on 6667 yourself.
> 
> I think I hit the panic button early.  I've been immersing myself in the
> security manuals, etc., trying to just get my bearings. Nevertheless, this is
> proving very educational, so...
> 
> Here's an excerpt from my Apache access.log.  There are about five instances of
> this.  The 404/405s mean these were denied, no?
> 
> 62.95.52.25 - - [20/May/2002:00:06:21 +0100] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 205
> 64.8.33.172 - - [06/Jun/2002:21:47:07 +0100] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 66.140.25.157 - - [23/Jul/2002:23:25:54 +0100] "CONNECT 209.131.227.242:6667
> HTTP/1.0" 405 231
> 66.140.25.157 - - [23/Jul/2002:23:41:18 +0100] "CONNECT 209.131.227.242:6667
> HTTP/1.0" 405 231
> 
> So, now I'll harden, remove services, and read, read, read, read, .....
> Aaaaaaaarrgh!!! I can't learn fast enough!!
> 
> Branden Faulls

Code 405 means that your Apache server does not handle the "CONNECT" 
request method. So someone is sending HTTP requests to your web server 
to try and make it connect to another system. This might be usable if 
Apache was set up to use TCP session proxy but is ignored by your server.

Have a search on the Apache mailing lists or google for the CONNECT request 
method for more details. If this is the only evidence then I hope you can 
sleep a little sounder after digesting your reading material.

-- 
#------------------------------------------------------------#
|      John Edwards    Email: John.Edwards at uk.com            |
|                                                            |
|     "Security vulnerabilities are here to stay."           |
|   Scott Culp, Manager, Microsoft Security Response Center  |
#------------------------------------------------------------#

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
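As an added example (not code from the thread or from Apache), a small Python triage script that parses common-log lines like the ones Branden quoted and flags the three probe patterns they contain: CONNECT attempts to use the server as a proxy, the IIS .ida overflow request, and the double-encoded traversal to cmd.exe. It keeps John's point in the output: a 404/405 means Apache refused the request, whereas a CONNECT answered with a 2xx would mean the server was actually proxying. The sample log is the four quoted lines (long N run shortened) plus two constructed lines.

```python
import re
# Apache common log format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')
# Probe patterns taken from the log lines quoted in the thread.
SIGNATURES = (
    ("open-proxy probe: CONNECT to another host:port", lambda m, t: m == "CONNECT"),
    ("IIS .ida overflow probe (the default.ida pattern)", lambda m, t: "/default.ida?" in t.lower()),
    ("IIS traversal probe (double-encoded ..%255c to cmd.exe)", lambda m, t: "%255c" in t.lower() or "cmd.exe" in t.lower()),
)
# Sample input: the four quoted lines (the long N run shortened) plus two constructed
# lines: a CONNECT that was answered 200, and an ordinary page fetch.
SAMPLE_LOG = [
    '62.95.52.25 - - [20/May/2002:00:06:21 +0100] "GET /default.ida?NNNNNNNN'
    '%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205',
    '64.8.33.172 - - [06/Jun/2002:21:47:07 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '66.140.25.157 - - [23/Jul/2002:23:25:54 +0100] "CONNECT 209.131.227.242:6667 HTTP/1.0" 405 231',
    '66.140.25.157 - - [23/Jul/2002:23:41:18 +0100] "CONNECT 209.131.227.242:6667 HTTP/1.0" 405 231',
    '192.0.2.10 - - [23/Jul/2002:23:50:00 +0100] "CONNECT 203.0.113.5:6667 HTTP/1.0" 200 0',  # constructed
    '192.0.2.20 - - [23/Jul/2002:23:55:00 +0100] "GET /index.html HTTP/1.0" 200 1234',  # constructed
]

def parse_line(line):
    # Return the fields of one common-log line, or None if it does not parse.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    # Name the probe pattern an entry matches, or None for ordinary traffic.
    for label, matches in SIGNATURES:
        if matches(entry["method"], entry["target"]):
            return label
    return None

def triage(lines):
    # Flag probe entries; 'served' is True only when Apache answered below 400 (handled, not refused with 404/405).
    findings = []
    for line in lines:
        entry = parse_line(line)
        label = classify(entry) if entry else None
        if label is not None:
            findings.append({"host": entry["host"], "status": entry["status"],
                             "probe": label, "served": entry["status"] < 400})
    return findings
```

Run against a real access.log, any finding with `served` set to True is the one worth investigating; the 404/405 entries are the server doing its job.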
