[TriLUG] Any idea what's going on here

Michael Tharp gxti at partiallystapled.com
Fri Aug 12 21:50:32 EDT 2005


Rick DeNatale wrote:

>I was mucking around in my apache logs and found this:
>
>82.96.96.3 - - [07/Aug/2005:21:21:47 -0400] "CONNECT 82.96.96.3:802 HTTP/1.0" 405 363 "-" "-"
>82.96.96.3 - - [07/Aug/2005:21:21:47 -0400] "POST http://82.96.96.3:802/ HTTP/1.0" 200 788 "-" "-"
>82.96.96.3 - - [07/Aug/2005:21:28:00 -0400] "CONNECT 82.96.96.3:802 HTTP/1.0" 405 363 "-" "-"
>82.96.96.3 - - [07/Aug/2005:21:28:00 -0400] "POST http://82.96.96.3:802/ HTTP/1.0" 200 788 "-" "-"
>
>These are some strange URLs!  I understand that there are some spam
>relay methods which use connect and post but as I understand them they
>use the target machine address and port 25.  This guy seems to be
>trying to tunnel through my web server to HIS port 802, and what's
>port 802 anyway?
>
>I suspect that this might be some kind of whitehat guy probing my
>server for a vulnerability, but I don't know if I'm passing or
>failing.
>
>Any ideas?
>  
>
For one, you're passing - the 405 status code is 'method not allowed'.
For two, it could be a proxy test for IRC networks or some other service,
or it could be a {black|white}hat scanning you.
In fact, if you reverse the DNS, you get 
please.read.http.proxyscan.freenode.net, so I'd say it's IRC related ;)
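
Added example, not part of the original posts: one way to pull proxy-probe requests like the ones quoted above (a CONNECT, or a request whose target is a full URL) out of an Apache access log and see how the server answered each. The function names and the "refused"/"review" labels are assumptions made here; a non-error status is only marked for review because the status code alone does not show whether anything was relayed.

```python
import re
from collections import Counter

# Constructed sample input: the four entries quoted in the thread, each joined
# back onto one line, plus one ordinary request added here for contrast.
SAMPLE_LOG = """\
82.96.96.3 - - [07/Aug/2005:21:21:47 -0400] "CONNECT 82.96.96.3:802 HTTP/1.0" 405 363 "-" "-"
82.96.96.3 - - [07/Aug/2005:21:21:47 -0400] "POST http://82.96.96.3:802/ HTTP/1.0" 200 788 "-" "-"
82.96.96.3 - - [07/Aug/2005:21:28:00 -0400] "CONNECT 82.96.96.3:802 HTTP/1.0" 405 363 "-" "-"
82.96.96.3 - - [07/Aug/2005:21:28:00 -0400] "POST http://82.96.96.3:802/ HTTP/1.0" 200 788 "-" "-"
192.0.2.10 - - [07/Aug/2005:21:30:12 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
"""

# Leading fields of an Apache common/combined log entry.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (client, kind, verdict) for a proxy-style request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        kind = "connect"            # tunnel request: target is host:port
    elif re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):
        kind = "absolute-uri"       # forward-proxy form: target is a full URL
    else:
        return None                 # ordinary origin-form request (/path)
    # 4xx/5xx: the server rejected the request. Anything else needs a manual
    # look at what was actually returned (label chosen for this example).
    verdict = "refused" if status >= 400 else "review"
    return (m["client"], kind, verdict)

def summarize(log_text):
    """Count proxy-style requests per (client, kind, verdict)."""
    hits = (classify(line) for line in log_text.splitlines())
    return dict(Counter(h for h in hits if h))

if __name__ == "__main__":
    for (client, kind, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client:15} {kind:13} {verdict:8} x{n}")
```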


