web server attack

Frank Laszlo laszlof at vonostingroup.com
Thu Apr 6 23:00:38 UTC 2006


Chuck Swiger wrote:
> fbsd_user wrote:
> [ ... ]
>> Does anyone know what this is and what I can do to stop it
>> besides adding the ip address to my firewall block rules?
>
> I suppose that someone is trying to exploit mod_proxy to connect to an 
> SMTP server (that's the "CONNECT 4.79.181.15:25" part), or at least 
> get HTTP replies back.
>
> Make sure you don't have mod_proxy enabled in Apache....
>
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:25 -0400]
>> "\x04\x01" 200 0 "-" "-"
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400]
>> "\x05\x01" 200 0 "-" "-"
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400]
>> "CONNECT 4.79.181.15:25 HTTP/1.1" 200 7014 "-" "-"
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:46 -0400]
>> "GET http://www.ebay.com/ HTTP/1.1" 200 7014 "-" "Mozilla/4.0
>> (compatible; MSIE 5.00; Windows 98)"
>
Set up mod_security to block that type of request. Any chance you can 
capture some packets and send a link? I'd like to take a look at it.

-Frank
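As an added illustration of what those log lines are saying (example code written for this page, not from the thread), the following parses the four access-log entries quoted above, with the wrapped GET line re-joined, and labels the ones an origin server should never have answered with 200. Reading the leading \x04 and \x05 bytes as SOCKS version fields is my interpretation, not something the thread states.

```python
import re
from typing import List, Optional, Tuple

# Apache common/combined log prefix: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>-|\d+)'
)

# The four requests quoted in the thread, with the wrapped GET line re-joined.
SAMPLE_LOG = [
    r'218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:25 -0400] "\x04\x01" 200 0 "-" "-"',
    r'218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "\x05\x01" 200 0 "-" "-"',
    r'218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "CONNECT 4.79.181.15:25 HTTP/1.1" 200 7014 "-" "-"',
    r'218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:46 -0400] "GET http://www.ebay.com/ HTTP/1.1" 200 7014 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"',
]

def classify(line: str) -> Optional[str]:
    """Label a log line with the proxy-abuse indicator it shows, or None if it looks ordinary."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req, status = m.group("request"), int(m.group("status"))
    # Apache writes non-printable request bytes as \xNN. A request line starting with
    # 0x04 or 0x05 is not HTTP; those are the SOCKS4/SOCKS5 version bytes, i.e. the
    # client is checking whether port 80 also answers as a SOCKS proxy.
    if req.startswith("\\x04") or req.startswith("\\x05"):
        return "socks-probe"
    parts = req.split(" ")
    if len(parts) < 2:
        return "malformed-request"
    method, target = parts[0], parts[1]
    # CONNECT asks the server to open a raw TCP tunnel (here to port 25, SMTP).
    # A 200 means the tunnel was actually granted, not merely logged.
    if method == "CONNECT":
        return "connect-tunnel-served" if status == 200 else "connect-tunnel-refused"
    # An absolute URI as the request target is a forward-proxy request; a server
    # that is not meant to proxy should never answer one with 200.
    if re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):
        return "forward-proxy-served" if status == 200 else "forward-proxy-refused"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client host, indicator) for every line worth an alert or a block rule."""
    findings = []
    for line in lines:
        label = classify(line)
        if label:
            findings.append((LOG_RE.match(line).group("host"), label))
    return findings
```

The "*-served" labels are the ones that matter: they show the proxy actually worked, so the fix is on the server side (disable mod_proxy or deny CONNECT and absolute-URI requests), not just a firewall entry for one client.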


More information about the freebsd-questions mailing list