Re: Unusual entry in Apache logs

by Kevin Day-3

On May 30, 2008, at 1:59 PM, Rob Thomas wrote:

> Hi, Neil.
>
>> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501  
>> 3100 "-" "-"
>
> This IP has been sending spam since at least 2008-04-24 15:34:38  
> UTC. It's also been scanning for the typical proxy ports lately  
> (most recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128,  
> TCP 1080, and TCP 80.  I suspect this is what it was doing when it  
> visited your server.  Possibly it's a bot.


It's almost definitely looking for a proxy server - a SOCKS 5 connect
attempt will start with the characters 0x05 0x01, followed by a 0x00
which I believe Apache interprets as the end of the request.

    The SOCKS request is formed as follows:

         +----+-----+-------+------+----------+----------+
         |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
         +----+-----+-------+------+----------+----------+
         | 1  |  1  | X'00' |  1   | Variable |    2     |
         +----+-----+-------+------+----------+----------+

      Where:

           o  VER    protocol version: X'05'
           o  CMD
              o  CONNECT X'01'

-- Kevin
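The following is an added example, not code from the thread or from Apache: it pulls request lines out of Apache combined-format log text, reverses Apache's `\xHH` escaping so the raw bytes can be inspected, labels lines that look like SOCKS4/SOCKS5/HTTP-CONNECT proxy probes, and decodes a complete RFC 1928 request using the VER/CMD/RSV/ATYP/DST.ADDR/DST.PORT layout quoted above. RFC 1928 also defines the client's initial method-selection message (VER, NMETHODS, METHODS), which for a single no-auth method is the bytes 05 01 00, so the two logged bytes `\x05\x01` fit either that greeting or a CONNECT header; the classifier gives both one label since either means a SOCKS5 probe. The sample log lines are constructed (the first reproduces the entry from the thread; the other IPs are documentation ranges) and all function names are this example's own.

```python
"""Added example: recognise SOCKS proxy probes in Apache access logs and decode
a full RFC 1928 request. Sample log lines are constructed; the first reproduces
the entry quoted in the thread. Helper names are this example's own."""
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample in Apache combined log format. Apache writes non-printable
# request bytes as \xHH escapes, which is why a raw string is used here.
SAMPLE_LOG = r'''125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"
198.51.100.7 - - [29/May/2008:09:16:02 -0500] "\x04\x01" 501 3100 "-" "-"
203.0.113.5 - - [29/May/2008:09:18:44 -0500] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.6 - - [29/May/2008:09:19:01 -0500] "CONNECT example.net:443 HTTP/1.0" 405 0 "-" "-"
203.0.113.7 - - [29/May/2008:09:20:15 -0500] "\x16\x03\x01" 400 226 "-" "-"
'''

# Combined log format; the request field may contain \" and \xHH escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)

SIMPLE_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, "b": 0x08, "v": 0x0B,
                  "f": 0x0C, "\\": 0x5C, '"': 0x22}


def unescape_logitem(field: str) -> bytes:
    """Reverse the escaping Apache applies to a log field (\\xHH, \\", \\n, ...)."""
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c == "\\" and i + 1 < len(field):
            nxt = field[i + 1]
            if nxt == "x" and i + 3 < len(field):
                out.append(int(field[i + 2:i + 4], 16))
                i += 4
                continue
            if nxt in SIMPLE_ESCAPES:
                out.append(SIMPLE_ESCAPES[nxt])
                i += 2
                continue
        out.append(ord(c))
        i += 1
    return bytes(out)


SOCKS5_CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}


def classify_request(raw: bytes) -> str:
    """Label a raw request line. 05 01 is ambiguous between a method-selection
    greeting (05 01 00, cut at the NUL) and a CONNECT header; both are SOCKS5."""
    if raw[:1] == b"\x05":
        return "socks5" if len(raw) >= 2 and 1 <= raw[1] <= 3 else "socks5-unknown"
    if raw[:1] == b"\x04" and len(raw) >= 2 and raw[1] in (0x01, 0x02):
        return "socks4"                       # VN=4, CD=1 CONNECT / 2 BIND
    m = re.match(rb"^(?P<method>[A-Z]+) \S+ HTTP/\d\.\d$", raw)
    if m:
        return "http-connect" if m.group("method") == b"CONNECT" else "http"
    return "unknown"


def find_proxy_probes(log_text: str) -> List[Tuple[str, str, bytes]]:
    """Return (ip, label, raw_request) for every parseable non-HTTP line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = unescape_logitem(m.group("req"))
        label = classify_request(raw)
        if label != "http":
            hits.append((m.group("ip"), label, raw))
    return hits


def decode_socks5_request(raw: bytes) -> Optional[Dict[str, object]]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4).
    Returns None unless the bytes form one complete, well-formed request."""
    if len(raw) < 4 or raw[0] != 0x05 or raw[2] != 0x00 or raw[1] not in SOCKS5_CMDS:
        return None
    atyp = raw[3]
    if atyp == 0x01:                          # IPv4: 4 octets
        addr_end = 8
        addr = socket.inet_ntop(socket.AF_INET, raw[4:8]) if len(raw) >= 8 else None
    elif atyp == 0x03:                        # domain name: 1-byte length prefix
        if len(raw) < 5:
            return None
        addr_end = 5 + raw[4]
        addr = raw[5:addr_end].decode("ascii", "replace")
    elif atyp == 0x04:                        # IPv6: 16 octets
        addr_end = 20
        addr = socket.inet_ntop(socket.AF_INET6, raw[4:20]) if len(raw) >= 20 else None
    else:
        return None
    if addr is None or len(raw) != addr_end + 2:
        return None
    port = int.from_bytes(raw[addr_end:addr_end + 2], "big")
    return {"cmd": SOCKS5_CMDS[raw[1]], "atyp": atyp, "addr": addr, "port": port}


if __name__ == "__main__":
    for ip, label, raw in find_proxy_probes(SAMPLE_LOG):
        print(f"{ip:16} {label:13} {raw!r}")
    # A constructed, complete CONNECT request for 127.0.0.1:80 as it would
    # arrive on the wire (the logged entry above is only its first two bytes).
    print(decode_socks5_request(b"\x05\x01\x00\x01\x7f\x00\x00\x01\x00\x50"))
```

Run over a real access log, `find_proxy_probes` gives a quick per-IP view of who is treating the web server as a candidate open proxy; the `unknown` label on the last sample line (a TLS ClientHello sent to a plaintext port) shows that not every non-HTTP request line is a SOCKS probe, so the raw bytes are kept in the result for a human to look at.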