12-11-2003, 03:37 PM | #1
Insane
Location: A fuzzy cloud.
Odd entries in my Apache logs...
Windows XP Pro SP 1, including all available patches on windowsupdate
Port used for server: 80

I am very new to servers, but have been setting up and working on learning/running Apache 2 web server. Today in the logs I had some weird connections which I'll show below. The ones I'm most weirded out by are the "1.3.3.7:1337" connections. I know this isn't a random grouping of numbers (leet), so it makes me wonder if there is a possibility that someone could have done some bad things on my server? I can't understand the status codes (405, 235, 200, 489). Thanks for your assistance:

67.20.204.16 - - [11/Dec/2003:09:16:51 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235
209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "CONNECT 209.218.69.253:802 HTTP/1.0" 405 235
209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "POST http://209.218.69.253:802/ HTTP/1.0" 200 489
62.49.122.2 - - [11/Dec/2003:16:41:22 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235
216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "CONNECT 216.194.70.6:6000 HTTP/1.0" 405 235
216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "POST http://216.194.70.6:6000/ HTTP/1.0" 200 489
62.49.122.2 - - [11/Dec/2003:16:41:22 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 23

Last edited by Realizm; 12-11-2003 at 03:44 PM.
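As an added example that is not part of the original post, here is a small Python script that parses the log lines above and separates proxy probes from ordinary requests. It assumes Apache's common log format (client, ident, user, [time], "method target protocol", status, bytes), so in those lines 405 and 200 are the status codes and 235 and 489 are the response sizes in bytes. A server that is not configured as a forward proxy should never receive a CONNECT request, and a browser only puts an absolute URI in the request line ("POST http://host:port/ HTTP/1.0") when it thinks it is talking to a proxy; both are the standard open-proxy test, and when the target host is the scanner's own address the scanner is asking your server to connect back to it. The sample log below is constructed from the six distinct lines in the post; the function and label names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the six distinct lines quoted in the post above.
SAMPLE_LOG = """\
67.20.204.16 - - [11/Dec/2003:09:16:51 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235
209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "CONNECT 209.218.69.253:802 HTTP/1.0" 405 235
209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "POST http://209.218.69.253:802/ HTTP/1.0" 200 489
62.49.122.2 - - [11/Dec/2003:16:41:22 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235
216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "CONNECT 216.194.70.6:6000 HTTP/1.0" 405 235
216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "POST http://216.194.70.6:6000/ HTTP/1.0" 200 489
"""

# Apache common log format: client ident user [time] "method target protocol" status bytes
# Anchored at the start only, so combined-format lines (with referer and user agent) also match.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def classify(entry):
    """Label a request as a proxy probe or a normal request.

    Returns (kind, target_host, target_port). A server that is not a forward proxy has no
    legitimate reason to see CONNECT, and browsers only send an absolute URI in the
    request line when they believe they are talking to a proxy.
    """
    method, target = entry["method"], entry["target"]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return "connect-probe", host, port
    if target.startswith(("http://", "https://")):
        scheme, rest = target.split("://", 1)
        host, _, port = rest.split("/", 1)[0].partition(":")
        return "absolute-uri-probe", host, port or ("443" if scheme == "https" else "80")
    return "normal", None, None


def outcome(status):
    """Describe what the server did with the request, based on the status code."""
    if status in (403, 405, 501):
        return "refused"
    if 200 <= status < 300:
        return "answered"
    return "status %d" % status


def summarize(log_text):
    """Group proxy probes by source address: {client: [(kind, "host:port", outcome), ...]}."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind, host, port = classify(entry)
        if kind == "normal":
            continue
        if host == entry["client"]:
            # The scanner is asking this server to connect back to the scanner itself,
            # the usual way an open-proxy checker confirms that traffic really got relayed.
            kind += "-to-self"
        report[entry["client"]].append((kind, "%s:%s" % (host, port), outcome(entry["status"])))
    return dict(report)


if __name__ == "__main__":
    for client, probes in summarize(SAMPLE_LOG).items():
        for kind, target, result in probes:
            print("%-16s %-28s -> %-22s %s" % (client, kind, target, result))
```

Run as-is it prints one line per probe, grouped by the scanning address. A 405 means Apache refused the method outright. A 2xx on the absolute-URI POST only shows that something was served: an Apache that is not acting as a proxy typically answers such a request from its own document root, so the thing to verify is that mod_proxy is not loaded or ProxyRequests is Off, rather than reading the 200 as proof that the request was forwarded.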
12-11-2003, 06:21 PM | #2
beauty in the breakdown
Location: Chapel Hill, NC
Not only that, but it isn't a valid IP address. I don't know those codes, but I would start digging around to find them...
__________________
"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws." --Plato
12-11-2003, 07:51 PM | #4
Loves my girl in thongs
Location: North of Mexico, South of Canada
Quote:
Google that IP set and see who it's restricted to. I think it's reserved for military subnets (internal) and doesn't exist on the open internet, which is very strange. In other words, it's theoretically not possible for a machine on the net to function with that IP. Have you looked at any internal connections from machines in your home that may be sending rogue packets on a badly configured subnet? <-----------best guess.
__________________
Seen on an employer evaluation: "The wheel is turning but the hamster's dead" ____________________________ Is arch13 really a porn deity? Find out after the film at 11. -Nanofever
12-11-2003, 08:12 PM | #5
Junkie
Location: North Hollywood
1.3.3.7 is going to be a forged IP address; I would say it is NIMDA, since 1.3.3.7 is the one it attempts first.

The rest are either port scanners, worms or search robots:

62.49.122.2 - mailgate.ferrodesign.co.uk, probably an SMTP server; maybe it's an open proxy that's being abused
67.20.204.16 - co-briar-u1-c4h-16.clspco.adelphia.net, some end user who's either scanning or has a worm or virus infection
209.218.69.253 - proxyscan.freenode.net, someone/something is scanning you for open proxies; check you don't have one
216.194.70.12 - proxy.scanner.for.irc.mircx.com

It's becoming clearer what's going on, I think. Are you using IRC? On different networks, their proxy scanners are checking your IP for an open proxy when you connect (or someone else is somehow). IRC is a haven for crackers sometimes, so make sure your firewalls are working, especially if you don't know the IRC network very well. The proxy scanners are a normal part of most IRC servers, and they'd likely kill or k/gline you if they detected one on your system (if it's you running IRC on other servers).
12-11-2003, 08:20 PM | #6
Insane
Location: A fuzzy cloud.
Thanks guys. The IRC part is right, mircx scans for open proxy and I didn't realize it'd be hitting my log.
1.3.3.7 is reserved for IANA. To be safe, I blocked a few of the IPs (not the mirc scan one) and put some <Limits> in my conf. I feel better now. Thanks.