Security Incidents: Re: strange apache log entry

Re: strange apache log entry

From: Axel Beckert <beckert_at_ecos.de>
Date: Mon, 12 Aug 2002 18:53:34 +0200

Hi!

On Sat, Aug 10, 2002 at 06:50:15PM +0200, narga_at_gmx.net wrote:
> Yesterday I saw this in my logs (apache 2.0.39 access_log):
> ::1 - - [10/Aug/2002:00:25:56 +0200] "CONNECT :::2121 HTTP/1.1" 400 267
> ::1 - - [10/Aug/2002:00:33:31 +0200] "CONNECT :::2121 HTTP/1.1" 400 267
>
> error_log:
> [Sat Aug 10 00:25:56 2002] [error] [client ::1] request failed: error reading the headers
> [Sat Aug 10 00:33:31 2002] [error] [client ::1] request failed: error reading the headers
>
> It seems like someone wants to connect to my port 2121

I wouldn't be sure about that.

> through a proxy. The strange thing is, that there isn't any ip.

There are IPs. '::1' is the IPv6 IP for 'localhost', to which this
hostname resolves first on a SuSE 8.0 (and if that fails, it resolves
to '127.0.0.1').

Which means that it's very likely that this request came from one of
your applications.

> My firewall (SuSEfirewall, an ipchains based firewall from suse),
> didn't log anything, snort didn't log anything too. I wasn't able to
> reproduce this by sending the request manually to port 80.

Try 'telnet localhost 80' and then enter 'CONNECT :::2121
HTTP/1.1\n\n', it should reproduce the log entries.

If those log entries become annoying, just comment out the IPv6 IPs
from /etc/hosts and they should disappear.
 
> My question: is this a bug in apache, or what else happened?

Maybe the Apache isn't capable of IPv6 IP addresses (don't guess so)
or the client which issued the request has sent a malformed request.

            Kind regards, Axel Beckert

-- 
-------------------------------------------------------------
Axel Beckert      ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting
Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     beckert_at_ecos.de         Voice:    +49 6133 926530
WWW:        http://www.ecos.de/     Fax:      +49 6133 925152
-------------------------------------------------------------
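
Added example, not part of the original message: a small Python triage script that pulls CONNECT requests out of an Apache access log and marks whether the logged client is a loopback address such as '::1', which is the check the reply above relies on. The common-log-format regex, the function names and the last two sample lines are assumptions made for this example.

```python
import ipaddress
import re

# Apache common log format: client ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S*) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample: the two entries quoted in the post plus two made-up lines.
SAMPLE_LOG = """\
::1 - - [10/Aug/2002:00:25:56 +0200] "CONNECT :::2121 HTTP/1.1" 400 267
::1 - - [10/Aug/2002:00:33:31 +0200] "CONNECT :::2121 HTTP/1.1" 400 267
192.0.2.44 - - [10/Aug/2002:01:02:03 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 405 312
127.0.0.1 - - [10/Aug/2002:01:05:00 +0200] "GET /index.html HTTP/1.1" 200 1043
"""


def classify_client(client):
    """Return 'loopback', 'remote' or 'hostname' for the logged client field."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "hostname"  # with HostnameLookups on, Apache logs names
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) like the IPv4 address it wraps.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return "loopback" if addr.is_loopback else "remote"


def connect_requests(log_text):
    """List CONNECT requests with the origin class of each client."""
    found = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m is None or m.group("method") != "CONNECT":
            continue  # unparsable line or a different method
        found.append({
            "time": m.group("time"),
            "client": m.group("client"),
            "origin": classify_client(m.group("client")),
            "target": m.group("target"),
            "status": int(m.group("status")),
        })
    return found


if __name__ == "__main__":
    for req in connect_requests(SAMPLE_LOG):
        print("{time} {client:<12} {origin:<8} CONNECT {target} -> {status}".format(**req))
```

A 'loopback' origin means the request was made on the web server host itself, so the next step is to look at local processes rather than at the firewall or IDS logs.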
Received on Aug 12 2002