Odd entries in my Apache logs...
Windows XP Pro SP 1 Including all available patches on windowsupdate
Port used for server: 80

I am very new to servers, but have been setting up and working on learning/running Apache 2 web server. Today in the logs I had some weird connections which I'll show below. The ones I'm most weirded out by are the "1.3.3.7:1337" connections. I know this isn't a random grouping of numbers (leet), so it makes me wonder if there is a possibility that someone could have done some bad things on my server? I can't understand the status codes (405, 235, 200, 489). Thanks for your assistance:

67.20.204.16 - - [11/Dec/2003:09:16:51 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235
209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "CONNECT 209.218.69.253:802 HTTP/1.0" 405 235
209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "POST http://209.218.69.253:802/ HTTP/1.0" 200 489
62.49.122.2 - - [11/Dec/2003:16:41:22 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235
216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "CONNECT 216.194.70.6:6000 HTTP/1.0" 405 235
216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "POST http://216.194.70.6:6000/ HTTP/1.0" 200 489
62.49.122.2 - - [11/Dec/2003:16:41:22 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 23
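An added example, not code from any poster in this thread: a small Python script that parses lines in the Apache common log format shown above and separates what the original poster read as four "status codes". In that format the three-digit field after the request is the HTTP status (405 = Method Not Allowed, 200 = OK) and the number after it is the response size in bytes (235 and 489), not a status at all. The script flags CONNECT requests and requests whose target is a full URL as proxy probes, treats a 2xx answer to CONNECT as evidence the server actually relayed the connection, and lists targets that several unrelated sources probed for (the shared "1.3.3.7:1337" signature). The embedded sample log is a constructed copy of the six complete lines from the post; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the six complete log lines quoted in the post above.
SAMPLE_LOG = """\
67.20.204.16 - - [11/Dec/2003:09:16:51 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235
209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "CONNECT 209.218.69.253:802 HTTP/1.0" 405 235
209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "POST http://209.218.69.253:802/ HTTP/1.0" 200 489
62.49.122.2 - - [11/Dec/2003:16:41:22 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235
216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "CONNECT 216.194.70.6:6000 HTTP/1.0" 405 235
216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "POST http://216.194.70.6:6000/ HTTP/1.0" 200 489
"""

# Apache Common Log Format: host ident authuser [date] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

STATUS_TEXT = {200: "OK", 405: "Method Not Allowed"}


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not CLF."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])              # the real HTTP status code
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])  # response size, not a status
    return d


def classify(e):
    """(kind, verdict) for one parsed request.

    kind:    'connect_probe'      - CONNECT host:port, asks the server to open a tunnel
             'absolute_uri_probe' - target is a full URL, what a client sends to a forward proxy
             'ordinary'           - a normal request for a local path
    verdict: 'refused' for a 4xx/5xx answer, 'accepted' for 2xx/3xx
    """
    if e["method"] == "CONNECT":
        kind = "connect_probe"
    elif re.match(r"^[a-z]+://", e["target"]):
        kind = "absolute_uri_probe"
    else:
        return ("ordinary", "n/a")
    verdict = "accepted" if 200 <= e["status"] < 400 else "refused"
    return (kind, verdict)


def summarize(log_text):
    """Group proxy probes by source address and keep any CONNECT the server let through.

    A 2xx to CONNECT means a tunnel was opened, i.e. an open proxy. A 2xx to an
    absolute-URL POST is ambiguous: Apache without mod_proxy ignores the host part
    and serves its own page (the 489-byte responses above), so confirm
    ProxyRequests is off rather than reading that as proof of a proxy.
    """
    report = defaultdict(lambda: {"probes": 0, "targets": set(), "open_proxy_evidence": []})
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        kind, verdict = classify(e)
        if kind == "ordinary":
            continue
        r = report[e["host"]]
        r["probes"] += 1
        r["targets"].add(e["target"])
        if kind == "connect_probe" and verdict == "accepted":
            r["open_proxy_evidence"].append(raw.strip())
    return dict(report)


def shared_targets(report):
    """Targets probed from more than one source: a sign of a common scanner signature."""
    seen = defaultdict(set)
    for src, r in report.items():
        for t in r["targets"]:
            seen[t].add(src)
    return {t: sorted(s) for t, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        e = parse_line(raw)
        print(f'{e["host"]:16} {e["method"]:8} {e["target"]:32} '
              f'status={e["status"]} ({STATUS_TEXT.get(e["status"], "?")}) bytes={e["bytes"]}')
    rep = summarize(SAMPLE_LOG)
    for src, r in rep.items():
        print(src, "probes:", r["probes"], "open-proxy evidence:", r["open_proxy_evidence"])
    print("shared targets:", shared_targets(rep))
```

Run against a real access log the same way (`summarize(open("access.log").read())`); an empty `open_proxy_evidence` for every source, as with the thread's lines, means the 405s did their job and the CONNECT attempts were refused.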
Not only that, but it isn't a valid IP address. I don't know those codes, but I would start digging around to find them...
Possibly related to nimda or codered, perhaps?
Quote:
google that IP set and see who it's restricted to. I think it's reserved for military subnets (internal) and doesn't exist on the open internet, which is very strange. In other words, it's theoretically not possible for a machine on the net to function with that IP. Have you looked at any internal connections from machines in your home that may be sending rogue packets on a badly configured subnet? <-----------best guess.
1.3.3.7 is going to be a forged IP address, I would say it's NIMDA since 1.3.3.7 is the one it attempts first.

The rest are either port scanners, worms or search robots:

62.49.122.2 - mailgate.ferrodesign.co.uk, probably an SMTP server, maybe it's an open proxy that's being abused

67.20.204.16 - co-briar-u1-c4h-16.clspco.adelphia.net, some end user who's either scanning or has a worm or virus infection

209.218.69.253 - proxyscan.freenode.net, someone/something is scanning you for open proxies, check you don't have one

216.194.70.12 - proxy.scanner.for.irc.mircx.com, it's becoming clearer what's going on, I think. Are you using IRC? On different networks, their proxy scanners are checking your IP for an open proxy when you connect (or someone else is somehow). IRC is a haven for crackers sometimes, so make sure your firewalls are working, especially if you don't know the IRC network very well. The proxy scanners are a normal part of most IRC servers, and they'd likely kill or k/g-line you if they detected one on your system (if it's you running IRC on other servers).
Thanks guys. The IRC part is right, mircx scans for open proxy and I didn't realize it'd be hitting my log.
1.3.3.7 is reserved for IANA. To be safe, I blocked a few of the IPs (not the mIRC scan one) and put some <Limits> in my conf. I feel better now. Thanks.
Just to be clear, it's not actually using 1.3.3.7, that's the fake address used by NIMDA; the IP it came from should be the first one.
© 2002-2012 Tilted Forum Project