Funny Lines in Access_log - Security


Thread: Funny Lines in Access_log

  1. Funny Lines in Access_log

    Group;

    I've been running a PPro 200 DEC server for a number of years. O/S is Red
    Hat 7.3 with patches.

    I have a couple of lines in my access_log for httpd i.e. CONNECT
    irc.chatstop.net:6667

    It appears someone is trying to connect thru my machine to that server on
    port 6667.

    What is all this about? What will someone gain if they can get thru my
    machine?

    Thanks

    Doug



  2. Re: Funny Lines in Access_log

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Doug Holtz NOSPAM in adress wrote, On 03/16/2006 03:15 AM:
    > Group;
    >
    > I've been running a PPro 200 DEC server for a number of years. O/S is Red
    > Hat 7.3 with patches.
    >
    > I have a couple of lines in my access_log for httpd i.e. CONNECT
    > irc.chatstop.net:6667
    >
    > It appears someone is trying to connect thru my machine to that server on
    > port 6667.
    >
    > What is all this about? What will someone gain if they can get thru my
    > machine?
    >
    > Thanks
    >
    > Doug
    >
    >


    The important thing is how the server responds to it, either a 405
    method not allowed or a 301/302 permanent /temporary redirect.

    the CONNECT method is used to establish a proxy. 6667 is a default IRC
    (Internet Relay Chat) port. This can be used to remove traces, if
    someone connects to a botnet for instance, as well as something as
    trivial as ban evasion from an IRC channel.

    - --
    - ----------------------------
    Kristian Fiskerstrand
    http://www.kfwebs.net
    - ----------------------------
    http://www.secure-my-email.com
    http://www.secure-my-internet.com
    http://www.yourblog.in
    - ----------------------------
    Public PGP key 0x6B0B9508 at http://www.kfwebs.net/pgp/

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.3-cvs (GNU/Linux)
    Comment: http://www.secure-my-email.com
    Comment: http://www.secure-my-internet.com

    iQIVAwUBRBjUSBbgz41rC5UIAQhR2w//RFUOl+QSLNsnRVWqXGgPZ2bMB2Fqeh80
    yooPWLTNPnvCAtr2ZRmz6ScM9+ygjRXTNi72hvH8fFK6wzcupn hxgbXH6q50r7uH
    AT1ZyUZqJy3xDAHrYjo90f056UTbM1or8eIgrNEwEKg9pX6l77 lK18TB81+eTS2A
    V4eKJ893VF12lHBffCd2/1T5B59GZxzf4L6I9wh3Dr9Hpc43iIqNShFbYhJnV1zQ
    roZKxIU0k7autAmcxgEOLwynU/2lZ7Jp2KS51pp45NnImsb0oRYsL0tRVSaNXmgQ
    V9rAxc6i3rQl6KVm35yE3NXZ7RpFwXZiM24PZkb3ecn/jT7O694qb/zPawr+xVfe
    b4bsTRapl08and0EN+WON6xM8SObkADfn0ijigHSojzLPdPFou N8rLJHI/VUy+kQ
    kXtMO3Y/Ll8ldwGhSUIV/2LhrDVG6pp1WIP38FrfYiCigTdB84X/W5MvQIg+domB
    14lat7s6uCek1ytjmR259J8NutlvcUG9mfoag8oSCF3P3LVQxj 4mH5SRFXmVIC1g
    WuENkZiyGjARrK74tvzHd0hcIVwJwRHJID4hgX7LcOkXfashMA PGD1oy6FtaGqha
    GmKBqojGrzkVgn9Xj1sn3ImYat2kljm5w2zqpFu4/Um6iKt5q6NuuQDpJzU6tPUk
    xLo09hiigQQ=
    =la78
    -----END PGP SIGNATURE-----

  3. Re: Funny Lines in Access_log

    "Doug Holtz NOSPAM in adress" (06-03-16 02:15:05):

    > I have a couple of lines in my access_log for httpd i.e. CONNECT
    > irc.chatstop.net:6667


    Those lines show attempts to abuse your machine as a proxy server to
    connect to the given IRC server. Check the response code in the access
    log. If it's anything else than 403 (especially if it's 200), then you
    are in trouble. Don't load the proxy modules, if you don't intend to
    use them. Remove or comment out all LoadModule lines, which deal with
    proxies (e.g. proxy_connect_module).


    > It appears someone is trying to connect thru my machine to that server
    > on port 6667.


    Exactly.


    > What is all this about? What will someone gain of they can get thru
    > my machine?


    Simple. On IRC the attacker might have two possible intentions, or both
    in most cases. They are going to increase their privacy by hiding their
    real IP address, or they would like to create mass clones. On IRC, most
    servers do not allow more than two or three connections per IP address
    (in other words: you can't chat with more than 2/3 nicknames
    simultaneously -- not directly). For each proxy server an attacker
    finds, they get another 2/3 connections to the IRC server. Doing this
    multiple times to create a lot of connections to the network is called
    'mass cloning'. This makes some DoS- and brute force attacks against
    the IRC network or its users possible.

    Most IRC networks detect such attempts and ban almost all proxied
    connections automatically. But this is not always the case -- for
    example if the proxy server is using a non-standard port number, or the
    open proxy defense package the network uses is unfamiliar with the proxy
    protocol used.

    By the way, the default configuration of Apache doesn't let proxied
    connections pass. Either the proxy functionality is not activated, or
    you have to authenticate first to use the proxy (a properly configured
    closed proxy). If this is not the case (i.e. anybody can use the
    proxy), then it's called an open proxy. In most cases, this indicates
    failure to configure Apache (or whatever) properly.

    As said, whether the attempts have succeeded depends on the response
    code. If they failed, it's 403. If it's anything else, then your host
    is theoretically exploitable. If it's 200, then it has already been
    exploited.


    Regards.
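
    The check described in the reply above (find the CONNECT lines, then look at the
    status code Apache logged for them), as an added example that is not part of the
    thread: a small Python script that parses Apache common/combined-format log lines,
    picks out forward-proxy requests (CONNECT, and also request lines carrying an
    absolute URI such as "GET http://host/ HTTP/1.0", the other way a client asks
    Apache to proxy for it), and classifies each by response code. The log lines are
    constructed for this example with RFC 5737 documentation addresses; the verdict
    names are this example's choice, not anything Apache itself reports.

```python
"""Audit an Apache access_log for proxy-abuse attempts (CONNECT / absolute-URI requests)."""
import re
from collections import Counter

# Apache common/combined log prefix: client ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}|-) (?P<bytes>\d+|-)'
)

# Constructed sample log for this example (RFC 5737 addresses); not the poster's real log.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Mar/2006:02:01:13 +0000] "GET /index.html HTTP/1.0" 200 2326
198.51.100.7 - - [16/Mar/2006:02:15:05 +0000] "CONNECT irc.chatstop.net:6667 HTTP/1.0" 405 318
198.51.100.7 - - [16/Mar/2006:02:28:41 +0000] "CONNECT irc.chatstop.net:6667 HTTP/1.1" 403 290
203.0.113.44 - - [16/Mar/2006:03:02:09 +0000] "CONNECT irc.example.net:6667 HTTP/1.0" 200 -
203.0.113.44 - - [16/Mar/2006:03:02:10 +0000] "GET http://www.example.com/ HTTP/1.0" 200 4412
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"]) if rec["status"] != "-" else None
    return rec


def is_proxy_request(rec):
    """A CONNECT, or a request line carrying an absolute URI (scheme://...), asks the
    server to act as a forward proxy; an ordinary origin request has a path starting '/'."""
    if rec["method"] == "CONNECT":
        return True
    return re.match(r"[a-z][a-z0-9+.-]*://", rec["target"], re.I) is not None


def classify(rec):
    """Verdict for one proxy attempt, from the status Apache logged:
    'tunnel_opened' - 200 to CONNECT: the tunnel was established (open proxy)
    'served'        - 2xx/3xx to an absolute-URI request: content fetched for the client
    'refused'       - 4xx/5xx: the server did not proxy (e.g. 403, 405 Method Not Allowed)
    'other'         - no status recorded or an unexpected code: look at it by hand
    """
    s = rec["status"]
    if s is None:
        return "other"
    if 400 <= s <= 599:
        return "refused"
    if rec["method"] == "CONNECT":
        return "tunnel_opened" if s == 200 else "other"
    return "served" if 200 <= s <= 399 else "other"


def audit(log_text):
    """Scan a whole log; return (Counter of verdicts, list of successful-abuse records)."""
    counts = Counter()
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_proxy_request(rec):
            continue
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict in ("tunnel_opened", "served"):
            flagged.append((rec["client"], rec["method"], rec["target"], rec["status"]))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_LOG)
    print("proxy attempts by verdict:", dict(counts))
    for client, method, target, status in flagged:
        print(f"ABUSED: {client} {method} {target} -> {status}")
```

    To run it against a real server, pass the contents of access_log to audit()
    instead of SAMPLE_LOG. Any 'tunnel_opened' or 'served' record means the box
    did act as a proxy at least once; 'refused' entries (403, 405) are the noise a
    correctly configured server produces. Independently of the log, check which
    modules are actually loaded: grep the httpd.conf for LoadModule lines mentioning
    proxy and comment out any you do not need.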

  4. Re: Funny Lines in Access_log

    On Thu, 16 Mar 2006 02:15:05 GMT, "Doug Holtz NOSPAM in adress" wrote:

    >Group;
    >
    >I've been running a PPro 200 DEC server for a number of years. O/S is Red
    >Hat 7.3 with patches.
    >
    >I have a couple of lines in my access_log for httpd i.e. CONNECT
    >irc.chatstop.net:6667
    >
    >It appears someone is trying to connect thru my machine to that server on
    >port 6667.
    >
    >What is all this about? What will someone gain if they can get thru my
    >machine?


    Proxy connection to services via your machine --> you get blamed for
    bad stuff 'cos you're acting as unwitting proxy. Bad.

    Redhat 7.3 is well past its use-by date, perhaps an upgrade to some
    less vulnerable distro?

    Grant.
    --
    Memory fault -- brain fried

  5. Re: Funny Lines in Access_log

    "Doug Holtz NOSPAM in adress" writes:

    >Group;


    >I've been running a PPro 200 DEC server for a number of years. O/S is Red
    >Hat 7.3 with patches.


    >I have a couple of lines in my access_log for httpd i.e. CONNECT
    >irc.chatstop.net:6667


    >It appears someone is trying to connect thru my machine to that server on
    >port 6667.


    >What is all this about? What will someone gain if they can get thru my
    >machine?


    Anonymity. If they can make the cops think it was you and your machine
    rather than theirs, guess who goes to jail.

    Redhat 7.3 is ancient. And completely unsupported. Upgrade.


  6. Re: Funny Lines in Access_log



    Unruh wrote:
    > "Doug Holtz NOSPAM in adress" writes:
    >
    >
    >>Group;

    >
    >
    >>I've been running a PPro 200 DEC server for a number of years. O/S is Red
    >>Hat 7.3 with patches.

    >
    >
    >>I have a couple of lines in my access_log for httpd i.e. CONNECT
    >>irc.chatstop.net:6667

    >
    >
    >>It appears someone is trying to connect thru my machine to that server on
    >>port 6667.

    >
    >
    >>What is all this about? What will someone gain if they can get thru my
    >>machine?

    >
    >
    > Anonymity. If they can make the cops think it was you and your machine
    > rather than theirs, guess who goes to jail.
    >
    > Redhat 7.3 is ancient. And completely unsupported. Upgrade.


    Yes it's ancient but you can always find security updates
    because it's a very popular distribution

    http://download.fedoralegacy.org/red.../updates/i386/
    for sample
    apache-1.3.27-9.legacy.i386.rpm 08-Feb-2006
    19:35 540K


    >


  7. Re: Funny Lines in Access_log

    Philippe WEILL wrote:

    >> Redhat 7.3 is ancient. And completely unsupported. Upgrade.

    >
    > Yes it's ancient but you can always find security updates
    > because it's a very popular distribution
    >
    > http://download.fedoralegacy.org/red.../updates/i386/
    > for sample
    > apache-1.3.27-9.legacy.i386.rpm 08-Feb-2006
    > 19:35 540K


    Fedora Legacy does _some_ security coverage for RH 7.3, but it's very
    spotty. You are strongly advised not to rely on that. Such systems
    remain, in general, unsafe in 2006.

    --
    Cheers,
    Rick Moen Support your local medical examiner: Die strangely.
    rick@linuxmafia.com

  8. Re: Funny Lines in Access_log

    On Thu, 16 Mar 2006 13:14:19 -0500, Rick Moen wrote:

    >Philippe WEILL wrote:
    >
    >>> Redhat 7.3 is ancient. And completely unsupported. Upgrade.

    >>
    >> Yes it's ancient but you can always find security updates
    >> because it's a very popular distribution
    >>
    >> http://download.fedoralegacy.org/red.../updates/i386/
    >> for sample
    >> apache-1.3.27-9.legacy.i386.rpm 08-Feb-2006
    >> 19:35 540K

    >
    >Fedora Legacy does _some_ security coverage for RH 7.3, but it's very
    >spotty. You are strongly advised not to rely on that. Such systems
    >remain, in general, unsafe in 2006.


    Sounds like OP is gonna stay in the dark until the cops take away his
    system for evidence. Some people focus on security only after disaster
    strikes, prior to that "It cannot happen to me" seems to work.

    Grant.
    --
    Memory fault -- brain fried

  9. Re: Funny Lines in Access_log

    I set up a new CentOS server on a newer P4 chassis.

    Thanks for the reply.

    Doug

    "Grant" wrote in message
    news:mjlh12lcah1rmbqs94rac7apa5j773jkre@4ax.com...
    > On Thu, 16 Mar 2006 02:15:05 GMT, "Doug Holtz NOSPAM in adress"
    > wrote:
    >
    >>Group;
    >>
    >>I've been running a PPro 200 DEC server for a number of years. O/S is Red
    >>Hat 7.3 with patches.
    >>
    >>I have a couple of lines in my access_log for httpd i.e. CONNECT
    >>irc.chatstop.net:6667
    >>
    >>It appears someone is trying to connect thru my machine to that server on
    >>port 6667.
    >>
    >>What is all this about? What will someone gain if they can get thru my
    >>machine?

    >
    > Proxy connection to services via your machine --> you get blamed for
    > bad stuff 'cos you're acting as unwitting proxy. Bad.
    >
    > Redhat 7.3 is well past its use-by date, perhaps an upgrade to some
    > less vulnerable distro?
    >
    > Grant.
    > --
    > Memory fault -- brain fried




  10. Re: Funny Lines in Access_log

    Thanks group.

    My Red Hat 7.3 with updates is down I will think about what to do with
    it in the future.

    In the meantime a new CentOS 4.3 is in its place on a different box. I
    hope this is secure. I still need to check my logs regarding response codes
    and will do it soon.

    Doug

    "Grant" wrote in message
    news:uokj12dkv97eoahiba3nt56071j80sms5t@4ax.com...
    > On Thu, 16 Mar 2006 13:14:19 -0500, Rick Moen wrote:
    >
    >>Philippe WEILL wrote:
    >>
    >>>> Redhat 7.3 is ancient. And completely unsupported. Upgrade.
    >>>
    >>> Yes it's ancient but you can always find security updates
    >>> because it's a very popular distribution
    >>>
    >>> http://download.fedoralegacy.org/red.../updates/i386/
    >>> for sample
    >>> apache-1.3.27-9.legacy.i386.rpm
    >>> 08-Feb-2006
    >>> 19:35 540K

    >>
    >>Fedora Legacy does _some_ security coverage for RH 7.3, but it's very
    >>spotty. You are strongly advised not to rely on that. Such systems
    >>remain, in general, unsafe in 2006.

    >
    > Sounds like OP is gonna stay in the dark until the cops take away his
    > system for evidence. Some people focus on security only after disaster
    > strikes, prior to that "It cannot happen to me" seems to work.
    >
    > Grant.
    > --
    > Memory fault -- brain fried




  11. Re: Funny Lines in Access_log

    Thanks Kristian;

    I will check the logs. The server is down now.

    Doug

    "Kristian Fiskerstrand" wrote in
    message news:Hu4Sf.7649$zc1.5912@amstwist00...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA256
    >
    > Doug Holtz NOSPAM in adress wrote, On 03/16/2006 03:15 AM:
    >> Group;
    >>
    >> I've been running a PPro 200 DEC server for a number of years. O/S is
    >> Red
    >> Hat 7.3 with patches.
    >>
    >> I have a couple of lines in my access_log for httpd i.e. CONNECT
    >> irc.chatstop.net:6667
    >>
    >> It appears someone is trying to connect thru my machine to that server on
    >> port 6667.
    >>
    >> What is all this about? What will someone gain if they can get thru my
    >> machine?
    >>
    >> Thanks
    >>
    >> Doug
    >>
    >>

    >
    > The important thing is how the server responds to it, either a 405
    > method not allowed or a 301/302 permanent /temporary redirect.
    >
    > the CONNECT method is used to establish a proxy. 6667 is a default IRC
    > (Internet Relay Chat) port. This can be used to remove traces, if
    > someone connects to a botnet for instance, as well as something as
    > trivial as ban evasion from an IRC channel.
    >




  12. Re: Funny Lines in Access_log

    Thanks Ertugrul;

    I'll check the logs. I don't think IRC is installed, but based on the
    replies I will check.

    Doug

    "Ertugrul Soeylemez" wrote in message
    news:20060316040550.3a1663ed@kill.mine.nu...
    > "Doug Holtz NOSPAM in adress" (06-03-16
    > 02:15:05):
    >
    >> I have a couple of lines in my access_log for httpd i.e. CONNECT
    >> irc.chatstop.net:6667

    >
    > Those lines show attempts to abuse your machine as a proxy server to
    > connect to the given IRC server. Check the response code in the access
    > log. If it's anything else than 403 (especially if it's 200), then you
    > are in trouble. Don't load the proxy modules, if you don't intend to
    > use them. Remove or comment out all LoadModule lines, which deal with
    > proxies (e.g. proxy_connect_module).
    >
    >
    >> It appears someone is trying to connect thru my machine to that server
    >> on port 6667.

    >
    > Exactly.
    >
    >
    >> What is all this about? What will someone gain of they can get thru
    >> my machine?

    >
    > Simple. On IRC the attacker might have two possible intentions, or both
    > in most cases. They are going to increase their privacy by hiding their
    > real IP address, or they would like to create mass clones. On IRC, most
    > servers do not allow more than two or three connections per IP address
    > (in other words: you can't chat with more than 2/3 nicknames
    > simultaneously -- not directly). For each proxy server an attacker
    > finds, they get another 2/3 connections to the IRC server. Doing this
    > multiple times to create a lot of connections to the network is called
    > 'mass cloning'. This makes some DoS- and brute force attacks against
    > the IRC network or its users possible.
    >
    > Most IRC networks detect such attempts and ban almost all proxied
    > connections automatically. But this is not always the case -- for
    > example if the proxy server is using a non-standard port number, or the
    > open proxy defense package the network uses is unfamiliar with the proxy
    > protocol used.
    >
    > By the way, the default configuration of Apache doesn't let proxied
    > connections pass. Either the proxy functionality is not activated, or
    > you have to authenticate first to use the proxy (a properly configured
    > closed proxy). If this is not the case (i.e. anybody can use the
    > proxy), then it's called an open proxy. In most cases, this indicates
    > failure to configure Apache (or whatever) properly.
    >
    > As said, whether the attempts have succeeded depends on the response
    > code. If they failed, it's 403. If it's anything else, then your host
    > is theoretically exploitable. If it's 200, then it has already been
    > exploited.
    >
    >
    > Regards.




  13. Re: Funny Lines in Access_log

    Kristian;

    I checked my log. There is no response to this request. I also do not have
    this port open on my router. Currently the machine is not subject to
    internet in bound traffic.

    Doug

    "Kristian Fiskerstrand" wrote in
    message news:Hu4Sf.7649$zc1.5912@amstwist00...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA256
    >
    > Doug Holtz NOSPAM in adress wrote, On 03/16/2006 03:15 AM:
    >> Group;
    >>
    >> I've been running a PPro 200 DEC server for a number of years. O/S is
    >> Red
    >> Hat 7.3 with patches.
    >>
    >> I have a couple of lines in my access_log for httpd i.e. CONNECT
    >> irc.chatstop.net:6667
    >>
    >> It appears someone is trying to connect thru my machine to that server on
    >> port 6667.
    >>
    >> What is all this about? What will someone gain if they can get thru my
    >> machine?
    >>
    >> Thanks
    >>
    >> Doug
    >>
    >>

    >
    > The important thing is how the server responds to it, either a 405
    > method not allowed or a 301/302 permanent /temporary redirect.
    >
    > the CONNECT method is used to establish a proxy. 6667 is a default IRC
    > (Internet Relay Chat) port. This can be used to remove traces, if
    > someone connects to a botnet for instance, as well as something as
    > trivial as ban evasion from an IRC channel.
    >




  14. Re: Funny Lines in Access_log

    Ertugrul;

    I believe the error codes are 405 and 311. This IP address tried twice in a
    13 minute span and didn't come back. I haven't run nmap or nslookup or
    anything on this address. I don't have time.

    I believe my machine to be OK.

    Do you?

    Doug

    "Ertugrul Soeylemez" wrote in message
    news:20060316040550.3a1663ed@kill.mine.nu...
    > "Doug Holtz NOSPAM in adress" (06-03-16
    > 02:15:05):
    >
    >> I have a couple of lines in my access_log for httpd i.e. CONNECT
    >> irc.chatstop.net:6667

    >
    > Those lines show attempts to abuse your machine as a proxy server to
    > connect to the given IRC server. Check the response code in the access
    > log. If it's anything else than 403 (especially if it's 200), then you
    > are in trouble. Don't load the proxy modules, if you don't intend to
    > use them. Remove or comment out all LoadModule lines, which deal with
    > proxies (e.g. proxy_connect_module).
    >
    >
    >> It appears someone is trying to connect thru my machine to that server
    >> on port 6667.

    >
    > Exactly.
    >
    >
    >> What is all this about? What will someone gain of they can get thru
    >> my machine?

    >
    > Simple. On IRC the attacker might have two possible intentions, or both
    > in most cases. They are going to increase their privacy by hiding their
    > real IP address, or they would like to create mass clones. On IRC, most
    > servers do not allow more than two or three connections per IP address
    > (in other words: you can't chat with more than 2/3 nicknames
    > simultaneously -- not directly). For each proxy server an attacker
    > finds, they get another 2/3 connections to the IRC server. Doing this
    > multiple times to create a lot of connections to the network is called
    > 'mass cloning'. This makes some DoS- and brute force attacks against
    > the IRC network or its users possible.
    >
    > Most IRC networks detect such attempts and ban almost all proxied
    > connections automatically. But this is not always the case -- for
    > example if the proxy server is using a non-standard port number, or the
    > open proxy defense package the network uses is unfamiliar with the proxy
    > protocol used.
    >
    > By the way, the default configuration of Apache doesn't let proxied
    > connections pass. Either the proxy functionality is not activated, or
    > you have to authenticate first to use the proxy (a properly configured
    > closed proxy). If this is not the case (i.e. anybody can use the
    > proxy), then it's called an open proxy. In most cases, this indicates
    > failure to configure Apache (or whatever) properly.
    >
    > As said, whether the attempts have succeeded depends on the response
    > code. If they failed, it's 403. If it's anything else, then your host
    > is theoretically exploitable. If it's 200, then it has already been
    > exploited.
    >
    >
    > Regards.




  15. Re: Funny Lines in Access_log

    Phillippe;

    I am running apache 1.3.27-9.legacy. However, I will be using my new P4 box
    with CentOS 4.3 and yum updates for this task. Maybe I will upgrade this
    old PPro box as well. Wouldn't hurt. I only have 160 MB of RAM, however.

    Doug

    "Philippe WEILL" wrote in message
    news:dvbicc$1po3$1@vishnu.jussieu.fr...
    >
    >
    > Unruh wrote:
    >> "Doug Holtz NOSPAM in adress" writes:
    >>
    >>
    >>>Group;

    >>
    >>
    >>>I've been running a PPro 200 DEC server for a number of years. O/S is
    >>>Red Hat 7.3 with patches.

    >>
    >>
    >>>I have a couple of lines in my access_log for httpd i.e. CONNECT
    >>>irc.chatstop.net:6667

    >>
    >>
    >>>It appears someone is trying to connect thru my machine to that server on
    >>>port 6667.

    >>
    >>
    >>>What is all this about? What will someone gain if they can get thru my
    >>>machine?

    >>
    >>
    >> Anonymity. If they can make the cops think it was you and your machine
    >> rather than theirs, guess who goes to jail.
    >>
    >> Redhat 7.3 is ancient. And completely unsupported. Upgrade.

    >
    > Yes it's ancient but you can always find security updates
    > because it's a very popular distribution
    >
    > http://download.fedoralegacy.org/red.../updates/i386/
    > for sample
    > apache-1.3.27-9.legacy.i386.rpm 08-Feb-2006
    > 19:35 540K
    >
    >
    >>




  16. Re: Funny Lines in Access_log

    Grant;

    My CentOS 4.3 box has the following ports open: 80, 111, 139, 443, 445, 941,
    and 6000. Only 941 is unknown. My router has only the 4-5 ports open I
    need.

    Seems OK as of now.

    Any comments welcome.

    Doug

    "Grant" wrote in message
    news:uokj12dkv97eoahiba3nt56071j80sms5t@4ax.com...
    > On Thu, 16 Mar 2006 13:14:19 -0500, Rick Moen wrote:
    >
    >>Philippe WEILL wrote:
    >>
    >>>> Redhat 7.3 is ancient. And completely unsupported. Upgrade.
    >>>
    >>> Yes it's ancient but you can always find security updates
    >>> because it's a very popular distribution
    >>>
    >>> http://download.fedoralegacy.org/red.../updates/i386/
    >>> for sample
    >>> apache-1.3.27-9.legacy.i386.rpm
    >>> 08-Feb-2006
    >>> 19:35 540K

    >>
    >>Fedora Legacy does _some_ security coverage for RH 7.3, but it's very
    >>spotty. You are strongly advised not to rely on that. Such systems
    >>remain, in general, unsafe in 2006.

    >
    > Sounds like OP is gonna stay in the dark until the cops take away his
    > system for evidence. Some people focus on security only after disaster
    > strikes, prior to that "It cannot happen to me" seems to work.
    >
    > Grant.
    > --
    > Memory fault -- brain fried




  17. Re: Funny Lines in Access_log

    "Doug Holtz NOSPAM in adress" wrote in message
    :QclUf.14002$Eg2.5155@tornado.rdc-kc.rr.com

    > I believe the error codes are 405 and 311. This IP address tried
    > twice in a 13 minute span and didn't come back. I haven't run nmap
    > or nslookup or anything on this address. I don't have time.


    Let's see, you have the time to make several Usenet posts about the matter,
    but don't have the few seconds it will take to type the commands
    "nslookup -sil www.xxx.yyy.zzz" or (as root) "nmap -sS www.xxx.yyy.zzz" ?


  18. Re: Funny Lines in Access_log

    On Wed, 22 Mar 2006 23:42:31 +0000, Doug Holtz NOSPAM in adress wrote:

    > Grant;
    >
    > My CentOS 4.3 box has the following ports open: 80, 111, 139, 443, 445,
    > 941, and 6000. Only 941 is unknown. My router has only the 4-5 ports
    > open I need.
    >
    > Seems OK as of now.
    >
    > Any comments welcome.
    >
    > Doug
    >

    ==================================================
    Hello. To identify the process responsible for the use
    of port 941, I propose the lsof utility.

    As root on your host type :
    # /usr/sbin/lsof -P | grep 941

    As an example (on my local host) with port 8118 (used by privoxy)

    # /usr/sbin/lsof -P | grep 8118
    privoxy 4530 privoxy 3u IPv4 8353293

    # cat /etc/services | grep 8118
    Privoxy 8118/tcp # Privacy Proxy

    ==================================================

    Now, amongst your port list, you say 111. This is Sun's RPC PortMapper.

    This is used to assign ports to NFS networking.
    Since I do not see in your open port list the NFS port being used,
    it's probably safer to turn off RPC PortMapper.

    Hope it helps.



  19. Re: Funny Lines in Access_log

    Yes, I'm moving and time is a factor. I turned the server off. I checked
    the logs and I ran nmap against the machine from my CentOS machine and port
    6667 came back "denied" or something. If I didn't like this stuff, I
    wouldn't be bothering. Thanks for helping.

    Doug

    "james godwin" wrote in message
    news:48e79dFjsps4U1@individual.net...
    > "Doug Holtz NOSPAM in adress" wrote in message
    > :QclUf.14002$Eg2.5155@tornado.rdc-kc.rr.com
    >
    >> I believe the error codes are 405 and 311. This IP address tried
    >> twice in a 13 minute span and didn't come back. I haven't run nmap
    >> or nslookup or anything on this address. I don't have time.

    >
    > Let's see, you have the time to make several Usenet posts about the
    > matter,
    > but don't have the few seconds it will take to type the commands
    > "nslookup -sil www.xxx.yyy.zzz" or (as root) "nmap -sS www.xxx.yyy.zzz" ?
    >




  20. Re: Funny Lines in Access_log


    "noEMA" wrote in message
    news:pan.2006.03.23.01.56.51.124483@NoHost.NoCountry...
    > On Wed, 22 Mar 2006 23:42:31 +0000, Doug Holtz NOSPAM in adress wrote:
    >
    >> Grant;
    >>
    >> My CentOS 4.3 box has the following ports open: 80, 111, 139, 443, 445,
    >> 941, and 6000. Only 941 is unknown. My router has only the 4-5 ports
    >> open I need.
    >>
    >> Seems OK as of now.
    >>
    >> Any comments welcome.
    >>
    >> Doug
    >>

    > ==================================================
    > Hello. To identify the process responsible for the use
    > of port 941, I propose the lsof utility.
    >
    > As root on your host type :
    > # /usr/sbin/lsof -P | grep 941
    >
    > As an example (on my local host) with port 8118 (used by privoxy)
    >
    > # /usr/sbin/lsof -P | grep 8118
    > privoxy 4530 privoxy 3u IPv4 8353293
    >
    > # cat /etc/services | grep 8118
    > Privoxy 8118/tcp # Privacy Proxy
    >
    > ==================================================
    >
    > Now, amongst your port list, you say 111. This is Sun's RPC PortMapper.
    >
    > This is used to assign ports to NFS networking.
    > Since I do not see in your open port list the NFS port being used,
    > it's probably safer to turn off RPC PortMapper.
    >
    > Hope it helps.
    >
    >


    noEMA;

    Thanks for the reply. I am not aware of this utility. A little over my
    head. Will learn more in the future.

    Doug


