Comments on: Lock Your Doors http://sixohthree.com/162/lock-your-doors The Weblog of Adam Backstrom Sun, 01 Jan 2012 21:48:11 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Jemshad O K http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-94 Jemshad O K Sun, 12 Sep 2004 04:45:50 +0000 /?p=162#comment-94 well, of late, I also started seeing the same thing on our servers. What we do now is to block the CONNECT requests <location />   <limit CONNECT>     Order deny,allow     Deny from all   </limit> </location> Then, these programs started using GET with something like this "GET http://yahoo.com HTTP/1.0" 200 The servers are not serving any proxy requests, still request like CONNECT come from lot of different IPs. well, of late, I also started seeing the same thing on our servers. What we do now is to block the CONNECT requests

<location />
  <limit CONNECT>
    Order deny,allow
    Deny from all
  </limit>
</location>

Then, these programs started using GET with something like this

“GET http://yahoo.com HTTP/1.0″ 200

The servers are not serving any proxy requests, still request like CONNECT come from lot of different IPs.

]]> By: matt http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-85 matt Thu, 01 Jan 1970 00:00:00 +0000 /?p=162#comment-85 Heh, keeping me off blogroll until I fix my page? -//\att Heh, keeping me off blogroll until I fix my page?

-//\att

]]> By: Adam Backstrom http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-86 Adam Backstrom Thu, 01 Jan 1970 00:00:00 +0000 /?p=162#comment-86 Aww, you noticed. =) Aww, you noticed. =)

]]> By: matt http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-87 matt Thu, 01 Jan 1970 00:00:00 +0000 /?p=162#comment-87 The real question. Will you let me back on when my blog no longer sucks? The real question. Will you let me back on when my blog no longer sucks?

]]> By: Adam Backstrom http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-88 Adam Backstrom Thu, 01 Jan 1970 00:00:00 +0000 /?p=162#comment-88 Of course! As of right now, though, it's stale and an eyesore. :-* A little TLC would do it good. Of course! As of right now, though, it’s stale and an eyesore. :-* A little TLC would do it good.

]]> By: //\att http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-89 //\att Thu, 01 Jan 1970 00:00:00 +0000 /?p=162#comment-89 hehe. As soon as our broadband is set up, I'll work on it... so probably some time next year. hehe. As soon as our broadband is set up, I’ll work on it… so probably some time next year.

]]> By: antifumo http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-90 antifumo Thu, 01 Jan 1970 00:00:00 +0000 /?p=162#comment-90 How you can say that BackOrifice and SubSeven are running if their ports are "filtered"? This means, no answer from the host when connecting on the port, even not an ICMP packet saying that the port is closed. How you can say that BackOrifice and SubSeven are running if their ports are “filtered”? This means, no answer from the host when connecting on the port, even not an ICMP packet saying that the port is closed.

]]> By: Adam Backstrom http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-91 Adam Backstrom Thu, 01 Jan 1970 00:00:00 +0000 /?p=162#comment-91 Yes, that's why I corrected myself in the update. Yes, that’s why I corrected myself in the update.

]]> By: Jason Rumney http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-92 Jason Rumney Thu, 01 Jan 1970 00:00:00 +0000 /?p=162#comment-92 Interestingly, back in about April or May, I was getting frequent (two or three per day) attempts to use CONNECT to connect to port 25 on hotmail, yahoo and aol servers. About the time that CONNECT 1.3.3.7 1337 attempts started, the others suddenly stopped, so I think it is likely to be an updated version of the software a certain spammer (given how sudden the switch was, I'd say one spammer who has exploited many machines around the world) which probes a non-existent address before launching the real attack. Why would they do this? Perhaps to detect honeypots like you're proposing. Since 1.3.3.7 is a non-existent address, you'd be best faking it to look like CONNECT is supported, but the connection failed (some 4xx return code instead of a 500), then see what happens next. For the breif period that both types of probe were occuring, all the 1.3.3.7 ones seemed to be coming from Lappland, Finland and the Baltic States, so that may provide some clue as to the location of the spammer if they were testing the new software from their own machines using throwaway dialup accounts in the region. Interestingly, back in about April or May, I was getting frequent (two or three per day) attempts to use CONNECT to connect to port 25 on hotmail, yahoo and aol servers. About the time that CONNECT 1.3.3.7 1337 attempts started, the others suddenly stopped, so I think it is likely to be an updated version of the software a certain spammer (given how sudden the switch was, I’d say one spammer who has exploited many machines around the world) which probes a non-existent address before launching the real attack.

Why would they do this? Perhaps to detect honeypots like you’re proposing. Since 1.3.3.7 is a non-existent address, you’d be best faking it to look like CONNECT is supported, but the connection failed (some 4xx return code instead of a 500), then see what happens next.

For the breif period that both types of probe were occuring, all the 1.3.3.7 ones seemed to be coming from Lappland, Finland and the Baltic States, so that may provide some clue as to the location of the spammer if they were testing the new software from their own machines using throwaway dialup accounts in the region.

]]> By: Imablog http://sixohthree.com/162/lock-your-doors/comment-page-1#comment-93 Imablog Thu, 01 Jan 1970 00:00:00 +0000 /?p=162#comment-93 <trackback><strong>Interesting web server log entries</strong> The last few days, I've been 'tail -f'ing (no, it's not what you think) the webserver logs just to see what kind of traffic the server gets. Most of it is internal, lots of spiders and web crawlers, and more... Interesting web server log entries
The last few days, I’ve been ‘tail -f’ing (no, it’s not what you think) the webserver logs just to see what kind of traffic the server gets. Most of it is internal, lots of spiders and web crawlers, and more… ]]>