[TriLUG] Any idea what's going on here

Rick DeNatale rick.denatale at gmail.com
Fri Aug 12 21:42:42 EDT 2005


I was mucking around in my apache logs and found this:

82.96.96.3 - - [07/Aug/2005:21:21:47 -0400] "CONNECT 82.96.96.3:802 HTTP/1.0" 405 363 "-" "-"
82.96.96.3 - - [07/Aug/2005:21:21:47 -0400] "POST http://82.96.96.3:802/ HTTP/1.0" 200 788 "-" "-"
82.96.96.3 - - [07/Aug/2005:21:28:00 -0400] "CONNECT 82.96.96.3:802 HTTP/1.0" 405 363 "-" "-"
82.96.96.3 - - [07/Aug/2005:21:28:00 -0400] "POST http://82.96.96.3:802/ HTTP/1.0" 200 788 "-" "-"

These are some strange URLs!  I understand that there are some spam
relay methods which use CONNECT and POST, but as I understand them they
use the target machine address and port 25.  This guy seems to be
trying to tunnel through my web server to HIS port 802, and what's
port 802 anyway?

I suspect that this might be some kind of whitehat guy probing my
server for a vulnerability, but I don't know if I'm passing or
failing.

Any ideas?
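
An added example, not part of the original post: a small Python triage script that picks proxy-style requests (CONNECT, or an absolute URI naming a foreign host) out of an Apache access log and separates refused attempts from ones that need a closer look. The first two sample lines are the entries quoted above; the third line, the LOCAL_HOSTS value and the function names are assumptions made for illustration.

```python
import re

# Apache combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://(?P<host>\[[^\]]+\]|[^/:]+)', re.I)

LOCAL_HOSTS = {"www.example.org"}  # assumption: names this server legitimately serves

SAMPLE = [  # first two lines are from the post, third is constructed
    '82.96.96.3 - - [07/Aug/2005:21:21:47 -0400] "CONNECT 82.96.96.3:802 HTTP/1.0" 405 363 "-" "-"',
    '82.96.96.3 - - [07/Aug/2005:21:21:47 -0400] "POST http://82.96.96.3:802/ HTTP/1.0" 200 788 "-" "-"',
    '192.0.2.10 - - [07/Aug/2005:21:30:00 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]

def classify(line, local_hosts=LOCAL_HOSTS):
    """Return a finding dict for a proxy-style request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        kind, host = "connect", target.rsplit(":", 1)[0]
    else:
        uri = ABS_URI_RE.match(target)
        if not uri or uri["host"].lower() in local_hosts:
            return None  # origin-form request, or absolute URI for our own site
        kind, host = "absolute-uri", uri["host"]
    # 4xx/5xx: the server refused. Anything else needs a manual check: a server
    # with no forward proxy enabled can still answer an absolute-URI request
    # from its own content, so compare the logged size with a local page.
    verdict = "refused" if status >= 400 else "review"
    return {"client": m["client"], "kind": kind, "target_host": host,
            "status": status, "size": m["size"], "verdict": verdict}

def scan(lines, local_hosts=LOCAL_HOSTS):
    """Classify every line and keep only the proxy-style findings."""
    return [f for f in (classify(l, local_hosts) for l in lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
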


