Randy, there have been two correct responses on this topic out of 6 total posts (including Rick's original question, and your post I quote below). Crumbs, make that 7 total posts, including this one.
The only important part of the request is the method "CONNECT". The numbers are irrelevant, as the requestor is only interested in seeing the response by the server. Again, the purpose is to determine if your a web server is willing to "tunnel" requests, or to go fetch them on behalf of the client who's asking. On Mon, 16 Jun 2003, Randy M. Nash wrote: |Lots of replies, but who has the link or source with |proof for this code? | |--- Rick Hoekman <[EMAIL PROTECTED]> wrote: |> Thanks.. My guess is this is to check whether a |> webserver is WebDAV |> enabled and exploitable? |> |> Rick |> |> |> Monday, June 16, 2003, 10:49:54 PM, you wrote: |> |> BV> Someone is testing your site to see if the web |> server software supports |> BV> CONNECT tunneling. If it's not supported it |> will return an error, which |> BV> is why a fake IP address such as 1.3.3.7 can be |> supplied. |> |> BV> ------ |> BV> Ben Vaughn |> BV> Security Analyst |> BV> Blackbird Technologies |> BV> 703-796-1438 W / 703-582-4551 C |> BV> [EMAIL PROTECTED] |> BV> ------ |> |> |> BV> -----Original Message----- |> BV> From: Randy M. Nash |> [mailto:[EMAIL PROTECTED] |> BV> Sent: Monday, June 16, 2003 1:07 PM |> BV> To: Rick Hoekman; [EMAIL PROTECTED] |> BV> Subject: Re: Strange log entry |> |> |> BV> Hmm... 1.3.3.7. I haven't seen it, but it's |> BV> obviously haxor-speak for 'lite. |> |> BV> Probe? Trojan? Thoughts? |> |> BV> Randy |> BV> --- Rick Hoekman <[EMAIL PROTECTED]> wrote: |> >> Might be offtopic but anyone seen this line in |> >> webserver logs |> >> and knows what it is? |> >> |> >> 192.168.1.1 - - [16/Jun/2003:17:33:50 +0200] |> >> "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 230 "-" "-" |> >> |> >> Rick |> >> |> |> |> BV> ===== |> BV> Randy M. Nash |> BV> @RISK Online |> BV> http://www.atriskonline.com |> |> BV> __________________________________ |> BV> Do you Yahoo!? |> BV> SBC Yahoo! DSL - Now only $29.95 per month! |> BV> http://sbc.yahoo.com |> | | |===== |Randy M. Nash |@RISK Online |http://www.atriskonline.com | |__________________________________ |Do you Yahoo!? |SBC Yahoo! DSL - Now only $29.95 per month! |http://sbc.yahoo.com |
