[Dshield] Scan of my webserver

ALEPH0 aleph0 at pacbell.net
Wed Mar 5 11:19:09 GMT 2003


See section 6 of RFC2616, which explains the response code for the protocol.
Extract below.  Try to be familiar with the specification documents for
services you run.  That is always helpful and essential.

-------------

6.1.1 Status Code and Reason Phrase
The Status-Code element is a 3-digit integer result code of the attempt to
understand and satisfy the request. These codes are fully defined in section
10. The Reason-Phrase is intended to give a short textual description of the
Status-Code. The Status-Code is intended for use by automata and the
Reason-Phrase is intended for the human user. The client is not required to
examine or display the Reason-Phrase.

The first digit of the Status-Code defines the class of response. The last
two digits do not have any categorization role. There are 5 values for the
first digit:


      - 1xx: Informational - Request received, continuing process

      - 2xx: Success - The action was successfully received,
        understood, and accepted

      - 3xx: Redirection - Further action must be taken in order to
        complete the request

      - 4xx: Client Error - The request contains bad syntax or cannot
        be fulfilled

      - 5xx: Server Error - The server failed to fulfill an apparently
        valid request

The individual values of the numeric status codes defined for HTTP/1.1, and
an example set of corresponding Reason-Phrase's, are presented below. The
reason phrases listed here are only recommendations -- they MAY be replaced
by local equivalents without affecting the protocol.


      Status-Code    =
            "100"  ; Section 10.1.1: Continue
          | "101"  ; Section 10.1.2: Switching Protocols
          | "200"  ; Section 10.2.1: OK
          | "201"  ; Section 10.2.2: Created
          | "202"  ; Section 10.2.3: Accepted
          | "203"  ; Section 10.2.4: Non-Authoritative Information
          | "204"  ; Section 10.2.5: No Content
          | "205"  ; Section 10.2.6: Reset Content
          | "206"  ; Section 10.2.7: Partial Content
          | "300"  ; Section 10.3.1: Multiple Choices
          | "301"  ; Section 10.3.2: Moved Permanently
          | "302"  ; Section 10.3.3: Found
          | "303"  ; Section 10.3.4: See Other
          | "304"  ; Section 10.3.5: Not Modified
          | "305"  ; Section 10.3.6: Use Proxy
          | "307"  ; Section 10.3.8: Temporary Redirect
          | "400"  ; Section 10.4.1: Bad Request
          | "401"  ; Section 10.4.2: Unauthorized
          | "402"  ; Section 10.4.3: Payment Required
          | "403"  ; Section 10.4.4: Forbidden
          | "404"  ; Section 10.4.5: Not Found
          | "405"  ; Section 10.4.6: Method Not Allowed
          | "406"  ; Section 10.4.7: Not Acceptable
          | "407"  ; Section 10.4.8: Proxy Authentication Required
          | "408"  ; Section 10.4.9: Request Time-out
          | "409"  ; Section 10.4.10: Conflict
          | "410"  ; Section 10.4.11: Gone
          | "411"  ; Section 10.4.12: Length Required
          | "412"  ; Section 10.4.13: Precondition Failed
          | "413"  ; Section 10.4.14: Request Entity Too Large
          | "414"  ; Section 10.4.15: Request-URI Too Large
          | "415"  ; Section 10.4.16: Unsupported Media Type
          | "416"  ; Section 10.4.17: Requested range not satisfiable
          | "417"  ; Section 10.4.18: Expectation Failed
          | "500"  ; Section 10.5.1: Internal Server Error
          | "501"  ; Section 10.5.2: Not Implemented
          | "502"  ; Section 10.5.3: Bad Gateway
          | "503"  ; Section 10.5.4: Service Unavailable
          | "504"  ; Section 10.5.5: Gateway Time-out
          | "505"  ; Section 10.5.6: HTTP Version not supported

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
Behalf Of Serge Vondandamo
Sent: Tuesday, March 04, 2003 4:07 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Scan of my webserver


Hi Tom,

What does the code 200 represent? As a novice, I would like to grasp any of
this. Is it an internal system process or some kind of magical stuff? I
will be interested in hearing how the code 200 told you that the connection
succeeded.

Thanks for your clarification,

Regards
Serge

-----Original Message-----
From: Tom Laermans [mailto:tom.laermans at powersource.cx]
Sent: Wednesday, March 05, 2003 12:47 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Scan of my webserver

At 21:29 04/03/2003, you wrote:
>Has anyone seen this before, and what is it attempting to do?
>I haven't been able to find much information on Google regarding this
>scan.  Manually attempting the same commands comes up 404.
>
>Apache 1.3.x logs:
>
>x.x.x.x - - [23/Feb/2003:16:11:45 -0500] "\x04\x01" 200 5533
>x.x.x.x - - [23/Feb/2003:16:12:06 -0500] "\x05\x01" 200 5533
>x.x.x.x - - [23/Feb/2003:16:12:07 -0500] "CONNECT 64.157.4.82:25
>HTTP/1.1" 200 5553

While I don't know about the first 2, the last one is an attempt to connect
to a mailserver using your webserver as an anonymous relay.
Apparently it succeeded, at least that's what code 200 tells me, which
gives me the impression you're running the proxy module and are wide open
to the world.

Tom

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
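
An added example, not part of the original thread: a log check for the pattern discussed above (a CONNECT request answered with a 2xx status), using the first-digit status classes from RFC 2616 section 6.1.1. The sample log lines are constructed, with addresses from the documentation ranges, and the function names `classify` and `review` are hypothetical.

```python
import re

# Status classes keyed by first digit, per RFC 2616 section 6.1.1.
STATUS_CLASS = {"1": "Informational", "2": "Success", "3": "Redirection",
                "4": "Client Error", "5": "Server Error"}

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
# A well-formed HTTP request line: METHOD SP target SP HTTP/x.y
REQ_RE = re.compile(r'^([A-Z]+) (\S+) HTTP/\d\.\d$')

def classify(line):
    """Parse one access-log line; return fields plus findings, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, when, request, status, _size = m.groups()
    rec = {"host": host, "time": when, "request": request,
           "status": int(status),
           "class": STATUS_CLASS.get(status[0], "Unknown"), "findings": []}
    req = REQ_RE.match(request)
    if not req:
        rec["findings"].append("request line is not HTTP")
    elif req.group(1) == "CONNECT":
        if status[0] == "2":
            # A lead to confirm against the server's proxy configuration.
            rec["findings"].append("CONNECT answered with 2xx to "
                                   + req.group(2) + ": check for an open proxy")
        else:
            rec["findings"].append("CONNECT refused (" + rec["class"] + ")")
    return rec

def review(lines):
    """Return only the records that carry at least one finding."""
    return [r for r in map(classify, lines) if r and r["findings"]]

# Constructed sample input (not the poster's real log).
SAMPLE = [
    '192.0.2.10 - - [23/Feb/2003:16:11:45 -0500] "\\x04\\x01" 200 5533',
    '192.0.2.10 - - [23/Feb/2003:16:12:07 -0500] "CONNECT 198.51.100.25:25 HTTP/1.1" 200 5553',
    '192.0.2.11 - - [23/Feb/2003:16:13:00 -0500] "CONNECT 198.51.100.25:25 HTTP/1.1" 405 312',
    '192.0.2.12 - - [23/Feb/2003:16:14:00 -0500] "GET /index.html HTTP/1.0" 200 5533',
]

if __name__ == "__main__":
    for r in review(SAMPLE):
        print(r["host"], r["status"], r["class"], "|", "; ".join(r["findings"]))
```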