LinuxQuestions.org > Forums > Linux Forums > Linux - Security
"CONNECT" through http?

02-20-2005, 12:26 PM   #1
Buckyjunior


Kinda new here so please forgive me if my question is incomplete. I've also searched for something similar (with no luck) but if there is another thread, please point me there.

My access logs seem to show some test of access and then connecting through my Fedora C2 install to other locations, e.g. (with false IP addresses):

1.2.3.4 - - [14/Feb/2005:06:53:00 -0700] "CONNECT smtp.NAME.ru:25 HTTP/1.0" 405 314 "-" "-"

This one produces an error (405), but some others seem to succeed.

5.6.7.8 - - [17/Feb/2005:17:48:08 -0700] "9.a.b.c / HTTP/1.1" 405 - "-" "-"
5.6.7.8 - - [17/Feb/2005:17:48:12 -0700] "GET http://www.yahoo.com/ HTTP/1.1" 200 1318 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

The first entry produces an error, but the second seems to go through my machine. I've been using iptables to DROP each ip when I see a new one in my log file.

Am I guessing correctly that someone may be "using" my machine/IP to log in elsewhere? Do I need to look more closely at iptables to thwart exterior "forwarding?" Should I be doing something else?

Thanks all. I've still got a lot to learn.
Bucky
 
02-20-2005, 03:26 PM   #2
Capt_Caveman
Re: "CONNECT" through http?

1.2.3.4 - - [14/Feb/2005:06:53:00 -0700] "CONNECT smtp.NAME.ru:25 HTTP/1.0" 405 314 "-" "-"
This is a proxy attempt to a mail server. More than likely a spammer looking for someone to relay mail. The 405 indicates it failed.

5.6.7.8 - - [17/Feb/2005:17:48:12 -0700] "GET http://www.yahoo.com/ HTTP/1.1" 200 1318 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
Again, someone looking for open proxies. This time it's an http proxy attempt. Apache has an odd behavior for these types of requests. The 200 status code normally indicates a successful attempt, but the default Apache behavior is to return your default homepage or index.html instead of whatever page they were trying to get via proxy (in this case www.yahoo.com). So while the status code looks like the proxy was successful, to the person making proxy attempts it really failed. You can verify this by looking at the size of the page returned to them (1318 bytes) and comparing that to the size of index.html.

By default most Apache installs have all of the proxy functions disabled and you have to specifically enable them in the config file, which isn't something you could normally do by accident. You can use something like mod_rewrite to specifically return 400 status codes, but that can really cause more problems than it solves, especially since these attempts are failing anyway. Hope that helps.

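The checks described in the reply above (CONNECT to a mail port answered with 405, and an absolute-URI GET answered with 200 whose byte count matches the local index.html) can be run over the access log mechanically. The script below is an added example, not code from the thread or from Apache: it parses combined-format log lines, flags the two kinds of proxy probe plus a malformed request line, decides whether each probe was rejected or merely fed the local home page, and lists the source addresses so they can be fed to an iptables DROP rule as the original poster does. The sample log is constructed from the three lines quoted in the thread plus two invented lines (an ordinary local request and a hypothetical 198.51.100.7 line with a 48213-byte response that would indicate a genuinely open proxy); the 1318-byte index.html size and the 64-byte tolerance are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache "combined" log format: client, ident, user, [time], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed sample: the three lines quoted in the thread, an ordinary local request,
# and a hypothetical line (198.51.100.7 is a documentation address, the 48213-byte size
# is invented) showing what a successful relay through an open proxy would look like.
SAMPLE_LOG = """\
1.2.3.4 - - [14/Feb/2005:06:53:00 -0700] "CONNECT smtp.NAME.ru:25 HTTP/1.0" 405 314 "-" "-"
5.6.7.8 - - [17/Feb/2005:17:48:08 -0700] "9.a.b.c / HTTP/1.1" 405 - "-" "-"
5.6.7.8 - - [17/Feb/2005:17:48:12 -0700] "GET http://www.yahoo.com/ HTTP/1.1" 200 1318 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
10.0.0.9 - - [17/Feb/2005:18:01:03 -0700] "GET / HTTP/1.1" 200 1318 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2005:18:05:44 -0700] "GET http://www.yahoo.com/ HTTP/1.1" 200 48213 "-" "-"
"""


@dataclass
class Finding:
    ip: str
    kind: str      # "connect-tunnel", "absolute-uri" or "malformed"
    verdict: str   # "rejected", "served-local-page", "unexpected" or "POSSIBLE-OPEN-PROXY"
    request: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def classify(entry: dict, local_index_size: int, tolerance: int = 64) -> Optional[Finding]:
    """Flag proxy probes; return None for ordinary requests against the local site.

    local_index_size is the byte size of the DocumentRoot index page (assumed 1318 here).
    A 200 answer to an absolute-URI GET whose size matches it means Apache ignored the
    host part and served the local page, i.e. the proxy attempt failed."""
    ip, status, size, request = entry["ip"], entry["status"], entry["size"], entry["request"]
    parts = request.split()
    if len(parts) != 3 or parts[0] not in KNOWN_METHODS:
        # Garbage request line such as "9.a.b.c / HTTP/1.1"; Apache should answer 4xx.
        return Finding(ip, "malformed", "rejected" if status >= 400 else "unexpected", request)
    method, target, _version = parts
    if method == "CONNECT":
        # CONNECT asks the server to open a raw TCP tunnel (here to an SMTP port).
        # Without mod_proxy Apache answers 405 Method Not Allowed.
        verdict = "rejected" if status != 200 else "POSSIBLE-OPEN-PROXY"
        return Finding(ip, "connect-tunnel", verdict, request)
    if target.lower().startswith(("http://", "https://", "ftp://")):
        # Absolute-URI request line: a forward-proxy probe.
        if status != 200:
            verdict = "rejected"
        elif abs(size - local_index_size) <= tolerance:
            verdict = "served-local-page"       # the size check from the reply above
        else:
            verdict = "POSSIBLE-OPEN-PROXY"     # a remote page of a different size came back
        return Finding(ip, "absolute-uri", verdict, request)
    return None


def scan(log_text: str, local_index_size: int) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        f = classify(entry, local_index_size)
        if f is not None:
            findings.append(f)
    return findings


def probing_ips(findings: List[Finding]) -> List[str]:
    """Distinct source addresses that made any proxy probe, for a DROP rule or blocklist."""
    return sorted({f.ip for f in findings})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG, local_index_size=1318)
    for f in results:
        print(f"{f.ip:15} {f.kind:15} {f.verdict:20} {f.request}")
    for ip in probing_ips(results):
        print(f"iptables -A INPUT -s {ip} -j DROP")
```

On a real host, replace SAMPLE_LOG with the contents of the access log and set local_index_size from the actual index page (for example os.path.getsize on the DocumentRoot index.html). The only verdict worth acting on beyond a DROP rule is POSSIBLE-OPEN-PROXY, which should prompt a check that ProxyRequests is off in the Apache configuration; the size comparison is a heuristic, so a dynamic home page whose size varies between requests needs a wider tolerance or a comparison against the log line for a plain GET / from the same period.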
 
02-20-2005, 04:06 PM   #3
Buckyjunior (Original Poster)
Thanks Cap'n,

I appreciate your thoughtful, thorough reply. I understand a bit more than I did this morning.

I also need to add "Security references" in the Security Forum to my lengthening reading list.

It's good to know that I haven't made too many errors, but I'll continue to DROP the IPs of those making the attempt.

Bucky
 