Apache--web hosting logs question

Lenovo / 7269d2u
January 11, 2012 at 07:01:13
Specs: Linux i686), 2.659 GHz / 3071 MB

I have a personal web server setup on my home connection, mainly to increase my knowledge, but also to host a small website I have. I have been looking in the Apache logs and have noticed some strange entries that I am not completely sure about. Here is an example: - - [10/Jan/2012:20:54:26 -0600] "POST HTTP/1.0" 301 340 "-" "-" - - [10/Jan/2012:20:54:38 -0600] "CONNECT HTTP/1.0" 301 329 "-" "-" - - [10/Jan/2012:20:54:40 -0600] "CONNECT HTTP/1.0" 301 328 "-" "-"

I understand that the returned 301 code is a "moved impermanently" indication, but I am a bit confused as to exactly what the client was trying to do. It seems like they were trying to do some sort of redirect? Port 6667 is something used for IRC apparently and 1025 is a MS RPC port. Does anyone know exactly what this is?

If I telnet to my server on port 80 and run this command, I can duplicate the entry in the log. What exactly are they trying to do here though?

Any help is appreciated. Thank you.

See More: Apache--web hosting logs question

Report •

January 11, 2012 at 08:39:11
This is not exactly a linux issue. Might ask this on a web forum.

You could have all sorts of java or other helper scripts that are on this web server.

The internet is full of automated hackers.

Why is that port open? The post seems to suggest to me that they did send data and use it somehow.

10.3.2 301 Moved Permanently

The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.

The new permanent URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

If the 301 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

Note: When automatically redirecting a POST request after
receiving a 301 status code, some existing HTTP/1.0 user agents
will erroneously change it into a GET request.

1/3 of highway deaths are caused by drunks. The rest are by people who can't drive any better than a drunk.

Report •

January 11, 2012 at 09:32:45
I figured the Linux category would be a best fit for this, guess there were other categories to post in.

Those ports are not open on my server, but are commonly exploited.

Again, I can telnet to my web server on port 80 and run the same commands the automated hackers did and see the same results in my logs. I think it is some sort of redirect attempt that failed, but I am not 100% sure.

Report •

Related Solutions

Ask Question