[Dshield] Scan of my webserver

Coxe, John B. JOHN.B.COXE at saic.com
Wed Mar 5 00:44:26 GMT 2003


Refer to section 9.9 of RFC 2616 (http://www.faqs.org/rfcs/rfc2616.html) for
HTTP/1.1.

<<9.9 CONNECT

   This specification reserves the method name CONNECT for use with a
   proxy that can dynamically switch to being a tunnel (e.g. SSL
   tunneling [44]).

   [44] Luotonen, A., "Tunneling TCP based protocols through Web proxy
        servers," Work in Progress. [jg647]>>

Your 200 response indicates you are running Apache as an open SMTP
anonymous relay.

I don't know what significance those cntl-D cntl-A and cntl-E cntl-A are;
but they were also successful apparently.


-----Original Message-----
From: Patrick Andry [mailto:patrick at goodbadmovies.com]
Sent: Tuesday, March 04, 2003 12:30 PM
To: General DShield Discussion List
Subject: [Dshield] Scan of my webserver


Has anyone seen this before, and what is it attempting to do?
I haven't been able to find much information on Google regarding this
scan.  Manually attempting the same commands comes up 404.

Apache 1.3.x logs:

x.x.x.x - - [23/Feb/2003:16:11:45 -0500] "\x04\x01" 200 5533
x.x.x.x - - [23/Feb/2003:16:12:06 -0500] "\x05\x01" 200 5533
x.x.x.x - - [23/Feb/2003:16:12:07 -0500] "CONNECT 64.157.4.82:25 HTTP/1.1" 200 5553
-- 
Patrick Andry <patrick at goodbadmovies.com>
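
The logged requests are proxy probes: `\x04\x01` and `\x05\x01` are the opening bytes of a SOCKS4 connect request and a SOCKS5 greeting, and the third entry is an HTTP CONNECT to port 25. The Python below is an added example, not part of the original thread, that flags such entries in an Apache access log; the function names are hypothetical, and the sample lines are the ones posted above plus one constructed benign request.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
CONNECT_RE = re.compile(r'^CONNECT ([^\s:]+):(\d+) HTTP/\d\.\d$')

# Apache writes non-printable request bytes as literal \xNN escapes.
SOCKS_PREFIXES = {
    r"\x04\x01": "socks4-connect",   # VN=4, CD=1 (CONNECT)
    r"\x05\x01": "socks5-greeting",  # VER=5, NMETHODS=1
}

def classify(request):
    """Return (kind, target) for a proxy probe, or (None, None)."""
    for prefix, kind in SOCKS_PREFIXES.items():
        if request.startswith(prefix):
            return kind, None
    m = CONNECT_RE.match(request)
    if m:
        return "http-connect", (m.group(1), int(m.group(2)))
    return None, None

def scan(lines):
    """Collect proxy-probe entries and note which were answered with 2xx."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in common log format
        client, when, request, status, _size = m.groups()
        kind, target = classify(request)
        if kind:
            findings.append({"client": client, "time": when, "kind": kind,
                             "target": target, "status": int(status),
                             "answered_2xx": status.startswith("2")})
    return findings

# First three lines are from the post (wrapped line rejoined); the last is constructed.
SAMPLE = [
    r'x.x.x.x - - [23/Feb/2003:16:11:45 -0500] "\x04\x01" 200 5533',
    r'x.x.x.x - - [23/Feb/2003:16:12:06 -0500] "\x05\x01" 200 5533',
    r'x.x.x.x - - [23/Feb/2003:16:12:07 -0500] "CONNECT 64.157.4.82:25 HTTP/1.1" 200 5553',
    r'x.x.x.x - - [23/Feb/2003:16:13:00 -0500] "GET /index.html HTTP/1.0" 200 5533',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["time"], f["kind"], f["target"], f["status"])
```

A 2xx status on these entries does not by itself show that traffic was tunnelled; whether the server proxies CONNECT has to be confirmed from its configuration (for Apache, whether mod_proxy is loaded with `ProxyRequests On`).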
