Apache 1.3.33 strange log entry

Apache 1.3.33 strange log entry
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 General Computer Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Apache 1.3.33 strange log entry stefanPL 02-28-2005
Posted by stefanPL on February 28, 2005, 1:56 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I found this strange entry in my Apache log, can anyone explain it to
me and tell me is it dangerous and how can I secure against it?

61.31.158.236 - - [28/Feb/2005:22:39:29 +0100] "CONNECT
news98.idv.tw:25 HTTP/1.0" 200 3853 "-" "-"

I guess someone is trying to use my computer as a mail server, but I
don't have mail server installed. Maybe there is a Windows XP hole that
makes it possible to use Win XP as a mail server remotely or sth like
that.

My computer is visible on the Internet on port 80 (www), I use it to
test my web pages and show them to other testers so I need externeal
(static) IP number.
My Apache 1.3.33 also has PHP 4.3.9 support.

Please advise
Chris



Posted by Walter Roberson on February 28, 2005, 10:01 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
:I found this strange entry in my Apache log, can anyone explain it to
:me and tell me is it dangerous and how can I secure against it?

:61.31.158.236 - - [28/Feb/2005:22:39:29 +0100] "CONNECT
:news98.idv.tw:25 HTTP/1.0" 200 3853 "-" "-"

:I guess someone is trying to use my computer as a mail server, but I
:don't have mail server installed.

My interpretation is that someone was trying to use your system as
a proxy to a mail server, possibly to be anonymous but possibly
as a spam relay.

:Maybe there is a Windows XP hole that
:makes it possible to use Win XP as a mail server remotely or sth like
:that.

There are a number of proxy servers around that run on port 80
[because port 80 is not often firewalled off.] The person may have been
scanning for such proxies.
--
When your posts are all alone / and a user's on the phone/
there's one place to check -- / Upstream!
When you're in a hurry / and propagation is a worry/
there's a place you can post -- / Upstream!


Posted by Gerald Vogt on March 1, 2005, 8:15 am
If you were  Registered and logged in, you could reply and use other advanced thread options
stefanPL wrote:
> I found this strange entry in my Apache log, can anyone explain it to
> me and tell me is it dangerous and how can I secure against it?
>
> 61.31.158.236 - - [28/Feb/2005:22:39:29 +0100] "CONNECT
> news98.idv.tw:25 HTTP/1.0" 200 3853 "-" "-"

Check your apache configuration. Apache reports code 200 which means
success. You should not have proxy tunneling configured. Usually I think
it should report error 405. Only enable what you actually need and not
just everything...

Gerald


Similar ThreadsPosted
How delete protected XP registry entry? December 8, 2005, 7:38 pm
strange requests sent to my WWW April 12, 2006, 4:06 pm
Strange Error Log, then FBI? June 15, 2006, 6:55 pm
Password Dictionary File/ Each Entry is 2 or 3 Words Concatenated? May 1, 2007, 11:24 pm
Strange behavior ... New trojan? May 6, 2004, 7:57 am
Win2k Strange Lockouts July 13, 2004, 5:52 pm
WinXP strange behaviour March 16, 2005, 7:48 am
Strange logon attempts June 14, 2006, 10:55 am
Re: Can't delete registry entry !! (suspected virus / trojan attack !) October 23, 2008, 5:12 pm
Re: Can't delete registry entry !! (suspected virus / trojan attack !) October 23, 2008, 5:49 pm

The site map in XML format XML site map

Contact Us | Privacy Policy