Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Unusual entry in Apache logs

from [Kevin Day] Network Security [Permanent Link]
Subject: Re: Unusual entry in Apache logs
Date: Fri, 30 May 2008 15:21:05 -0500 

On May 30, 2008, at 1:59 PM, Rob Thomas wrote:

Hi, Neil.

125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"

This IP has been sending spam since at least 2008-04-24 15:34:38 UTC. It's also been scanning for the typical proxy ports lately (most recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128, TCP 1080, and TCP 80. I suspect this is what it was doing when it visited your server. Possibly it's a bot.


It's almost definitely looking for a proxy server - a SOCKS 5 connect attempt will start with the characters 0x05 0x01, followed by a 0x00 which I believe Apache interprets as the end of the request.

   The SOCKS request is formed as follows:

        +----+-----+-------+------+----------+----------+
        |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
        +----+-----+-------+------+----------+----------+
        | 1  |  1  | X'00' |  1   | Variable |    2     |
        +----+-----+-------+------+----------+----------+

     Where:

          o  VER    protocol version: X'05'
          o  CMD
             o  CONNECT X'01'
-- Kevin

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Unusual entry in Apache logs, Neil Dickey
Next by Date:  [Tool] PktAnon packet trace anonymization tool released, Christoph Mayer
Previous by Thread:  Re: Unusual entry in Apache logs, Rob Thomas
Next by Thread:  Re: Unusual entry in Apache logs, krymson
Indexes:  [Date] [Thread] [Top] [All Lists]