[Dshield] Apache Question

Joel Esler esler at knology.net
Thu May 12 01:26:14 GMT 2005


that actually wasn't my signature block in it...  but that brings up a 
good idea.  Time to deploy my trusty "IRC on non-standard ports" 
signatures..

(this wasn't my network, it was a network i am monitoring..)

Thanks all for your responses.  i guess the thing that concerned me was 
the "200" response on the POST..

J

On May 11, 2005, at 6:27 PM, David Cannings wrote:

> Jim McCullough wrote:
>> On 5/11/05, Joel Esler <esler at knology.net> wrote:
>>> 82.96.96.3 - - [10/May/2005:22:52:59 -0400] "POST
>>> http://82.96.96.3:802/ HTTP/1.0" 200 55296 "-" "-" 82.96.96.3 - -
>>> [10/May/2005:22:52:59 -0400] "CONNECT 82.96.96.3:802 HTTP/1.0" 405
>>> 329 "-" "-"
>> I've had a few lately myself similar to this.  I am still
>> investigating it on my end, including packet capture for the entire
>> conversation.
>>
>> irc.freenode.net #dshield/#dshielders
>
> And the above IRC channels would be why, rDNS on that IP suggests it is
> the freenode proxy scanner.
>
> David
> -------------- Sponsor Message ------------------------------------
> Join us at SANSFIRE 2005 in Atlanta!
> The Internet Storm Center Conference.
> Details: http://www.sans.org/sansfire2005
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
>




More information about the list mailing list