Old 02-20-2005, 12:26 PM   #1
Question "CONNECT" through http?

Kinda new here so please forgive me if my question is incomplete. I've also searched for something similar (with no luck) but if there is another thread, please point me there.

My access logs seem to show some test of access and then connecting through my Fedora C2 install to other locations. E.g., with false ip addresses

- - [14/Feb/2005:06:53:00 -0700] "CONNECT HTTP/1.0" 405 314 "-" "-"

This one produces an error (405), but some others seem to succeed.

- - [17/Feb/2005:17:48:08 -0700] "9.a.b.c / HTTP/1.1" 405 - "-" "-"
- - [17/Feb/2005:17:48:12 -0700] "GET HTTP/1.1" 200 1318 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

The first entry produces an error, but the second seems to go through my machine. I've been using iptables to DROP each ip when I see a new one in my log file.

Am I guessing correctly that someone may be "using" my machine/IP to log in elsewhere? Do I need to look more closely at iptables to thwart exterior "forwarding?" Should I be doing something else?

Thanks all. I've still got a lot to learn.
Old 02-20-2005, 03:26 PM   #2
Re: "CONNECT" through http?

- - [14/Feb/2005:06:53:00 -0700] "CONNECT HTTP/1.0" 405 314 "-" "-"
This is a proxy attempt to a mail server. More than likely a spammer looking for someone to relay mail. The 405 indicates it failed.

- - [17/Feb/2005:17:48:12 -0700] "GET HTTP/1.1" 200 1318 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
Again, someone looking for open proxies. This time it's a http proxy attempt. Apache has an odd behavior for these types of requests. The 200 status code normally indicates a successful attempt, but the default Apache behavior is to return your default homepage or index.html instead of whatever page they were trying to get via proxy (in this case So while the status code looks like the proxy was successful, to the person making proxy attempts it really failed. You can verify this by looking at the size of the page returned to them (1318 bytes) and compare that to the size of index.html.

By default most Apache installs have all of the proxy functions disabled and you have to specifically enable them in the config file, which isn't something you could normally do by accident. You can use something like mod_rewrite to specifically return 400 status codes, but that can really cause more problems than it solves, especially since these attempts are failing anyway. Hope that helps.

Last edited by Capt_Caveman; 02-20-2005 at 03:27 PM.
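
The check described in the reply above (compare the logged size of a proxy-style request with the size of index.html), written out as an added example that is not part of the original thread. The client addresses, target hosts and the 20480-byte line are constructed sample data; 1318 is the size from the log line quoted above, assumed here to be the size of index.html.

```python
import re

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

def classify(line, index_size):
    """Return (host, verdict) for a proxy-style request, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    # Proxy-style means CONNECT host:port, or a request line carrying an absolute URI.
    if method != "CONNECT" and not ABSOLUTE_URI.match(target):
        return None
    status = int(m.group("status"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    if status >= 400:
        verdict = "refused"               # e.g. the 405 answer to CONNECT
    elif status == 200 and method != "CONNECT" and size == index_size:
        verdict = "served-local-index"    # 200, but only the local homepage went out
    else:
        verdict = "investigate"           # size differs: check whether proxying is enabled
    return m.group("host"), verdict

def scan(lines, index_size):
    """Classify every line and keep only the proxy-style requests."""
    return [r for r in (classify(l, index_size) for l in lines) if r]

# Constructed sample lines (documentation addresses and example hostnames).
SAMPLE = [
    '192.0.2.10 - - [14/Feb/2005:06:53:00 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 405 314 "-" "-"',
    '192.0.2.11 - - [17/Feb/2005:17:48:12 -0700] "GET http://www.example.com/ HTTP/1.1" 200 1318 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [17/Feb/2005:18:02:41 -0700] "GET http://www.example.com/ HTTP/1.1" 200 20480 "-" "-"',
    '192.0.2.13 - - [17/Feb/2005:18:05:00 -0700] "GET /index.html HTTP/1.1" 200 1318 "-" "-"',
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE, index_size=1318):
        print(host, verdict)
```

An "investigate" result is not proof of an open proxy: a client may legitimately send an absolute URI naming your own host, so check the target and the proxy directives in the Apache config before acting on it.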
Old 02-20-2005, 04:06 PM   #3
Original Poster
Thanks Cap'n,

I appreciate your thoughtful, thorough reply. I understand a bit more than I did this morning.

I also need to add "Security references" in the Security Forum to my lengthening reading list.

It's good to know that I haven't made too many errors, but I'll continue to DROP the IPs of those making the attempt.



All times are GMT -5.