[Dshield] Curious outbound firewall log entry

Johannes Ullrich jullrich at euclidian.com
Sat Mar 15 03:14:23 GMT 2003


On Fri, 14 Mar 2003 20:12:34 -0500
"Dale Sampson" <dalejsampson at ameritech.net> wrote:

> Linksys firewall log showed the following outbound entry today:
> 
> 3/14/2003 11:10:16.936
> Source: 192.168.1.2:2502
> Dest: 211.167.7.22:1001 

There is a web server running on that port at this IP. So I assume its
a web bug.


nc 211.167.7.22 1001
GET / HTTP/1.0 *

HTTP/1.1 400 Bad Request
Date: Sat, 15 Mar 2003 03:25:52 GMT
Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_gzip/1.3.26.1a mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
The request line contained invalid characters following the protocol string.<P>
<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at 127.0.0.1 Port 80</ADDRESS>
</BODY></HTML>




-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org



More information about the list mailing list