The last few days, I’ve been ‘tail -f’ing (no, it’s not what you think) the webserver logs just to see what kind of traffic the server gets. Most of it is internal, lots of spiders and web crawlers, and more than a few crack attempts. Then this morning I saw one I’d never seen before:
211.21.44.211 - - [20/Oct/2003:08:31:32 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 9612 "-" "-"
A Google search yielded many promising results including this very informative one.
netstat or ps didn’t reveal anything unusual at the time. A lookup of the IP told me the address was part of a block registered to Cool Er Ke Ji Ltd in Taipei, Taiwan. A portscan of the offending machine didn’t reveal any open ports out of the ordinary.
Well, I’m pretty sure my server is still reasonably secure. A couple of mods to my server config should keep anybody from trying to use it as a proxy server. A lesson to sysadmins: Keep an eye on those logs.
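As an added example (not code from the post), here is a small Python script that does the log-watching the post recommends: it parses Apache combined-format lines, flags CONNECT requests and absolute-URL requests as attempts to use the server as a forward proxy, and notes which of them the server answered with a 2xx instead of refusing. The sample log lines are constructed; the first copies the entry quoted above, the others are made up.

```python
import re

# Apache "combined" log format, as in the entry quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: first line is the post's entry, the rest are made up.
SAMPLE_LOG = """\
211.21.44.211 - - [20/Oct/2003:08:31:32 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 9612 "-" "-"
192.0.2.10 - - [20/Oct/2003:08:32:01 -0400] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2003:08:33:15 -0400] "GET http://example.net/ HTTP/1.0" 403 291 "-" "-"
203.0.113.9 - - [20/Oct/2003:08:34:40 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 312 "-" "-"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_probe(rec):
    """CONNECT host:port, or a target that is an absolute URL (GET http://...),
    is a client asking this server to act as a forward proxy."""
    return rec["method"] == "CONNECT" or rec["target"].lower().startswith(
        ("http://", "https://")
    )


def find_proxy_probes(log_text):
    """One dict per proxy-style request; 'accepted' is True when the server
    answered 2xx rather than refusing the method (check ProxyRequests if so)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_proxy_probe(rec):
            continue
        status = int(rec["status"])
        hits.append({"ip": rec["ip"], "method": rec["method"],
                     "target": rec["target"], "status": status,
                     "accepted": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for h in find_proxy_probes(SAMPLE_LOG):
        flag = "ACCEPTED" if h["accepted"] else "refused"
        print(f'{h["ip"]:15} {h["method"]:7} {h["target"]:25} {h["status"]} {flag}')
```

Run it against a real access log with `find_proxy_probes(open(path).read())`; any row marked ACCEPTED is the one to investigate, since a refusal (403/405) is what a server that is not a proxy should return.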
Hi!
I just came by via the page you refer to…
If you just take a look at “1.3.3.7”, it is the script-kiddie translation for “leet” – also the port. So it’s kind of an open port / exploit scanner, I think. I scanned my logs for it and there are numerous entries like this…