Date: Thu, 06 Apr 2006 19:00:20 -0400
From: Frank Laszlo <laszlof@vonostingroup.com>
To: Chuck Swiger <cswiger@mac.com>
Cc: fbsd_user@a1poweruser.com, "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: web server attack
Message-ID: <44359D84.9020000@vonostingroup.com>
In-Reply-To: <44358FC6.3050000@mac.com>
References: <MIEPLLIBMLEEABPDBIEGAEECHEAA.fbsd_user@a1poweruser.com> <44358FC6.3050000@mac.com>
Chuck Swiger wrote:
> fbsd_user wrote:
> [ ... ]
>> Does anyone know what this is and what I can do to stop it
>> besides adding the IP address to my firewall block rules?
>
> I suppose that someone is trying to exploit mod_proxy to connect to an
> SMTP server (that's the "CONNECT 4.79.181.15:25" part), or at least
> get HTTP replies back.
>
> Make sure you don't have mod_proxy enabled in Apache....
>
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:25 -0400]
>> "\x04\x01" 200 0 "-" "-"
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400]
>> "\x05\x01" 200 0 "-" "-"
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400]
>> "CONNECT 4.79.181.15:25 HTTP/1.1" 200 7014 "-" "-"
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:46 -0400]
>> "GET http://www.ebay.com/ HTTP/1.1" 200 7014 "-" "Mozilla/4.0
>> (compatible; MSIE 5.00; Windows 98)"

Set up mod_security to block that type of request. Any chance you can capture some packets and send a link? I'd like to take a look at it.

-Frank
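As an added example (not code from anyone in this thread), a small Python scan over the log format quoted above that flags the three request shapes the quoted entries show: a bare `\x04`/`\x05` byte sequence where a request line should be (consistent with SOCKS4/SOCKS5 client greetings sent to the HTTP port), `CONNECT host:port`, and a forward-proxy style `GET` with an absolute URI, and records whether the server answered 2xx instead of refusing. The sample lines are constructed from the quoted log entries plus one ordinary request from the made-up contrast host 192.0.2.10.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the thread (same client
# host and CONNECT target as the quoted log) plus one ordinary request for contrast.
SAMPLE_LOG = r'''218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:25 -0400] "\x04\x01" 200 0 "-" "-"
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "\x05\x01" 200 0 "-" "-"
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "CONNECT 4.79.181.15:25 HTTP/1.1" 200 7014 "-" "-"
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:46 -0400] "GET http://www.ebay.com/ HTTP/1.1" 200 7014 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
192.0.2.10 - - [06/Apr/2006:10:12:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

# Combined log format up to the size field; referer and user-agent are not needed here.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(request_line):
    """Label a request line with a proxy-abuse indicator, or None if it looks ordinary."""
    parts = request_line.split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "")
    # Apache writes non-printable bytes as \xNN; a "request" beginning with \x04 or
    # \x05 is consistent with a SOCKS4 / SOCKS5 client greeting sent to the HTTP port.
    if request_line.startswith(r"\x04") or request_line.startswith(r"\x05"):
        return "socks-handshake"
    if method == "CONNECT":
        return "connect-tunnel"      # CONNECT host:port, in the quoted log to port 25
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return "absolute-uri"        # forward-proxy style request for a foreign site
    return None

def scan(log_text):
    """Return (host, label, request, served) for every flagged line; served is True
    when the status is 2xx, i.e. the server answered rather than refused the request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m["req"])
        if label:
            hits.append((m["host"], label, m["req"], m["status"].startswith("2")))
    return hits

def summarize(log_text):
    """Count flagged requests per (client host, indicator)."""
    return Counter((host, label) for host, label, _, _ in scan(log_text))
```

Any hit with `served` set is the one to act on first: a server that is not a proxy should answer these with 403/405 and zero bytes, not 200 and a body.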