Realizm

Windows XP Pro SP 1 Including all available patches on windowsupdate
Port used for server: 80


I am very new to servers, but have been setting up and working on learning/running Apache 2 web server.

Today in the logs I had some weird connections which I'll show below.

The ones I'm most wierded out by are the "1.3.3.7:1337" connections. I know this isn't a random grouping of numbers (leet) so it makes me wonder if there is a possibility that someone could have done some bad things on my server? I can't understand the status codes (405, 235, 200, 489)

Thanks for your assistance:



67.20.204.16 - - [11/Dec/2003:09:16:51 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235


209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "CONNECT 209.218.69.253:802 HTTP/1.0" 405 235
209.218.69.253 - - [09/Dec/2003:20:59:02 -0600] "POST http://209.218.69.253:802/ HTTP/1.0" 200 489

62.49.122.2 - - [11/Dec/2003:16:41:22 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 235

216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "CONNECT 216.194.70.6:6000 HTTP/1.0" 405 235
216.194.70.12 - - [11/Dec/2003:12:00:32 -0600] "POST http://216.194.70.6:6000/ HTTP/1.0" 200 489
62.49.122.2 - - [11/Dec/2003:16:41:22 -0600] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 23

sailor

Not only that, but it isnt a valid IP address. I dont know those codes, but I would start digging around to find them...

__________________
"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws."
--Plato

Xirax

Possibly related to nimda or codered, perhaps?

__________________
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

arch13

Bingo, that's a restricted IP table.
google that IP set and see who it's restricted to. I think it's reserved for military subnets (internal) and doesn't exist on the open internet, which is very strange.
In otherwords, it's theoreticly not possible for a machine on the net to function with that IP.

Have you looked at any internal connections from machines in your home that may be sending rouge packets on a badly configured subnet? <-----------best guess.

__________________
Seen on an employer evaluation:

"The wheel is turning but the hamsters dead"
____________________________
Is arch13 really a porn diety ? find out after the film at 11.
-Nanofever

charliex

1.3.3.7 is going to be a forged IP address,, i would say is NIMDA since 1.3.3.7 is the one it attempts first.


the rest are either port scanners, worms or search robots

62.49.122.2 - mailgate.ferrodesign.co.uk , probably a smtp server, maybes its an open proxy thats being abused

67.20.204.16 co-briar-u1-c4h-16.clspco.adelphia.net some end user whos either scanning or has a worm or virus infection

209.218.69.253 - proxyscan.freenode.net someones/thing is scanning you for open proxies, check you dont have one

216.194.70.12 proxy.scanner.for.irc.mircx.com its becoming clearer whats going on, i think, are you using IRC ? on different networks, their proxyscanners are checking your ip for an open proxy when you connect. (or someone else is somehow)

IRC is a haven for crackers sometimes, so make sure your firewalls are working especially if you don't know the irc network very well , the proxy scanners are a normal part of most irc servers, and they'd likely kill or k/gline you if they detected one on your system (if its you running irc on other servers)

Realizm

Thanks guys. The IRC part is right, mircx scans for open proxy and I didn't realize it'd be hitting my log.

1.3.3.7 is reserved for IANA.

To be safe, I blocked a few of the IPs (not the mirc scan one) and put some <Limits> in my conf. I feel better now.

thanks.

charliex

Just to be clear, its not actually using 1.3.3.7, thats the fake address used by NIMDA, the ip it came from should be the first one.