Unusual entry in Apache logs


Unusual entry in Apache logs

by Neil Dickey


I have of late seen a few entries such as this ...

125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"

... in my Apache webserver logs.  They are the only entry in
the log for the particular source IP; that is, they don't
represent an anomaly in an otherwise normal session.  Such
entries record the only contact made by the source IP.

GOOGLE hasn't told me anything interesting; does anyone know
what this is?

Many thanks for any ideas.

Best regards,

Neil Dickey, Ph.D.
email: neil@...
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115

Re: Unusual entry in Apache logs

by Jonathan Adams-5

Neil,

 take a look at this:

http://www.honeynet.org/scans/scan31/sol/

On Thu, May 29, 2008 at 5:54 PM, Neil Dickey <neil@...> wrote:

>
> I have of late seen a few entries such as this ...
>
> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"
>
> ... in my Apache webserver logs.  They are the only entry in
> the log for the particular source IP; that is, they don't
> represent an anomaly in an otherwise normal session.  Such
> entries record the only contact made by the source IP.
>
> GOOGLE hasn't told me anything interesting; does anyone know
> what this is?
>
> Many thanks for any ideas.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> email: neil@...
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois, U.S.A.
> 60115
>



--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams@...
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

Re: Unusual entry in Apache logs

by Jonathan Adams-5

Also found this

http://lists.sans.org/pipermail/list/2003-March/007209.html

and this

http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-04/0281.html

which led to this

http://www.kb.cert.org/vuls/id/150227



On Thu, May 29, 2008 at 7:45 PM, Jonathan Adams <keirre.adams@...> wrote:

> Neil,
>
>  take a look at this:
>
> http://www.honeynet.org/scans/scan31/sol/
>
> On Thu, May 29, 2008 at 5:54 PM, Neil Dickey <neil@...> wrote:
>>
>> I have of late seen a few entries such as this ...
>>
>> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"
>>
>> ... in my Apache webserver logs.  They are the only entry in
>> the log for the particular source IP; that is, they don't
>> represent an anomaly in an otherwise normal session.  Such
>> entries record the only contact made by the source IP.
>>
>> GOOGLE hasn't told me anything interesting; does anyone know
>> what this is?
>>
>> Many thanks for any ideas.
>>
>> Best regards,
>>
>> Neil Dickey, Ph.D.
>> email: neil@...
>> Research Associate/Sysop
>> Geology Department
>> Northern Illinois University
>> DeKalb, Illinois, U.S.A.
>> 60115
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@...
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>



--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams@...
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

Re: Unusual entry in Apache logs

by krymson-2

Probably a socks proxy scan.


<- snip ->
I have of late seen a few entries such as this ...

125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"

... in my Apache webserver logs. They are the only entry in
the log for the particular source IP; that is, they don't
represent an anomaly in an otherwise normal session. Such
entries record the only contact made by the source IP.

GOOGLE hasn't told me anything interesting; does anyone know
what this is?

Many thanks for any ideas.

Best regards,

Neil Dickey, Ph.D.
email: neil (at) geol.niu (dot) edu [email concealed]
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115

Re: Unusual entry in Apache logs

by Kosala Atapattu-2

If you don't mind, can you tell us your Apache version? I once managed
to reproduce the same result with Apache 2.0, but with 2.2 it's not
working.

Kosala

On Fri, May 30, 2008 at 12:54 AM, Neil Dickey <neil@...> wrote:

>
> I have of late seen a few entries such as this ...
>
> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"
>
> ... in my Apache webserver logs.  They are the only entry in
> the log for the particular source IP; that is, they don't
> represent an anomaly in an otherwise normal session.  Such
> entries record the only contact made by the source IP.
>
> GOOGLE hasn't told me anything interesting; does anyone know
> what this is?
>
> Many thanks for any ideas.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> email: neil@...
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois, U.S.A.
> 60115
>



--
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and
they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net

Re: Unusual entry in Apache logs

by Rob Thomas-5

Hi, Neil.

> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"

This IP has been sending spam since at least 2008-04-24 15:34:38 UTC.
It's also been scanning for the typical proxy ports lately (most
recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128, TCP 1080,
and TCP 80.  I suspect this is what it was doing when it visited your
server.  Possibly it's a bot.

Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/


Re: Unusual entry in Apache logs

by Kevin Day-3


On May 30, 2008, at 1:59 PM, Rob Thomas wrote:

> Hi, Neil.
>
>> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501  
>> 3100 "-" "-"
>
> This IP has been sending spam since at least 2008-04-24 15:34:38  
> UTC. It's also been scanning for the typical proxy ports lately  
> (most recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128,  
> TCP 1080, and TCP 80.  I suspect this is what it was doing when it  
> visited your server.  Possibly it's a bot.


It's almost definitely looking for a proxy server - a SOCKS 5 connect  
attempt will start with the characters 0x05 0x01, followed by a 0x00  
which I believe Apache interprets as the end of the request.

    The SOCKS request is formed as follows:

         +----+-----+-------+------+----------+----------+
         |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
         +----+-----+-------+------+----------+----------+
         | 1  |  1  | X'00' |  1   | Variable |    2     |
         +----+-----+-------+------+----------+----------+

      Where:

           o  VER    protocol version: X'05'
           o  CMD
              o  CONNECT X'01'
-- Kevin
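An added detection example, not code from anyone in this thread: it undoes Apache's \xNN escaping of the request field, recognises the SOCKS5 version/command bytes Kevin describes (and, going beyond the thread, SOCKS4 and HTTP CONNECT proxy probes), and lists every source that sent something other than an ordinary HTTP request line. The log lines other than the one from the thread are constructed for the sample.

```python
import re

# Apache combined log; the request field is matched as "non-quote or backslash escape"
# because Apache writes non-printable request bytes as \xNN and quotes as \".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
                    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "[^"]*"$')

def unescape_request(raw: str) -> bytes:
    """Undo Apache's log escaping (\\xNN, \\", \\\\) to recover the raw request bytes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw.startswith("\\x", i) and i + 4 <= len(raw):
            out.append(int(raw[i + 2:i + 4], 16)); i += 4
        elif raw[i] == "\\" and i + 1 < len(raw):
            out.append(ord(raw[i + 1])); i += 2
        else:
            out.append(ord(raw[i])); i += 1
    return bytes(out)

def classify_request(req: bytes) -> str:
    """Label a decoded request line; anything not shaped like HTTP is suspect."""
    if req[:1] == b"\x05":
        # SOCKS5 (RFC 1928): version 0x05; the 0x01 that follows is either the
        # method count of the client greeting or the CONNECT command code.
        return "socks5-probe"
    if req[:2] == b"\x04\x01":
        return "socks4-probe"        # SOCKS4 request: VN=0x04, CD=0x01 (CONNECT)
    if req.upper().startswith(b"CONNECT "):
        return "http-connect-probe"  # HTTP CONNECT, the other open-proxy check
    if re.match(rb"^[A-Z]+ \S+ HTTP/\d\.\d$", req):
        return "http"
    return "non-http"

def scan_log(lines):
    """Return (ip, status, label) for every line that is not an ordinary HTTP request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            label = classify_request(unescape_request(m["request"]))
            if label != "http":
                hits.append((m["ip"], int(m["status"]), label))
    return hits

# Constructed sample: the line from the thread plus two made-up neighbours.
SAMPLE_LOG = [
    '125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\\x05\\x01" 501 3100 "-" "-"',
    '192.0.2.10 - - [29/May/2008:09:16:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/May/2008:09:17:45 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 405 0 "-" "-"',
]
```

Running `scan_log` over a real access log gives a short list of sources to check against your proxy-port and CONNECT policy, which is exactly the correlation Neil describes making by hand later in the thread.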


Re: Unusual entry in Apache logs

by Neil Dickey

Rob Thomas <robt@...> wrote:

>> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"
>
>This IP has been sending spam since at least 2008-04-24 15:34:38 UTC.
>It's also been scanning for the typical proxy ports lately (most
>recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128, TCP 1080,
>and TCP 80.  I suspect this is what it was doing when it visited your
>server.  Possibly it's a bot.

Thanks Rob, and to all the others -- not few in number -- who wrote on
and off the list with ideas and links.

I have seen some CONNECT attempts in my logs, trying to make contact
with remote mail servers, but had never made the connection myself
between them and the "\x05\x01" entries.  It does seem that someone
is looking for open proxies, as all but all of you indicated.

Our website is a simple one, and I have *everything* turned off that
isn't being used.  Proxies are completely disabled and I don't allow
the CONNECT verb, among others.  It looks like my ( paranoid )
policies are paying off.

Thanks again to all.

Best regards,

Neil Dickey, Ph.D.
email: neil@...
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115