Sunday, 19 April 2015

Apache CONNECT

Since starting the honeypot I have seen many "CONNECT <url>" entries in the access.log file. After a bit of investigation, it turns out these requests belong to mod_proxy and can be used to force a GET of the URL via your server if the mod_proxy module is used.

http://httpd.apache.org/docs/2.2/mod/mod_proxy_connect.html

Popular targets according to my log files are:
126mx00.mxmail.netease.com:25
126mx01.mxmail.netease.com:25
126mx02.mxmail.netease.com:25
163mx00.mxmail.netease.com:25
163mx01.mxmail.netease.com:25
developer.apple.com:443
mx-tw.mail.gm0.yahoodns.net:25
vip163mx00.mxmail.netease.com:25
vip163mx01.mxmail.netease.com:25
www.alipay.com:443
www.microsoftstore.com.cn:443
According to the link above, you should run mod_proxy only if your system is hardened.
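To triage entries like these, the following added example (not part of the original post) tallies CONNECT targets from an access.log and separates out requests that were answered with a 2xx status. It assumes Apache's "combined" log format; the sample lines, client addresses and status codes are constructed, only the target hostnames come from the list above.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" format (documentation-range client IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Apr/2015:10:01:02 +0200] "CONNECT 126mx00.mxmail.netease.com:25 HTTP/1.0" 405 312 "-" "-"
203.0.113.7 - - [19/Apr/2015:10:01:05 +0200] "CONNECT 126mx01.mxmail.netease.com:25 HTTP/1.0" 405 312 "-" "-"
198.51.100.23 - - [19/Apr/2015:10:04:40 +0200] "CONNECT www.alipay.com:443 HTTP/1.1" 200 - "-" "-"
198.51.100.23 - - [19/Apr/2015:10:05:11 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.99 - - [19/Apr/2015:10:09:59 +0200] "CONNECT 126mx00.mxmail.netease.com:25 HTTP/1.0" 405 312 "-" "-"
"""

# client, ident, user, [timestamp], "CONNECT host:port HTTP/x.y", status
CONNECT_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"CONNECT (?P<host>\[[^\]]+\]|[^\s:"]+):(?P<port>\d{1,5}) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)


def connect_attempts(log_text):
    """Yield (client, 'host:port', status) for every CONNECT request line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            yield m["client"], f'{m["host"].lower()}:{m["port"]}', int(m["status"])


def summarize(log_text):
    """Return (Counter of targets, list of (client, target) answered with 2xx)."""
    targets, answered_2xx = Counter(), []
    for client, target, status in connect_attempts(log_text):
        targets[target] += 1
        # Assumption: a 2xx reply to CONNECT deserves review, because it can
        # mean the tunnel was opened and the server acted as a proxy.
        if 200 <= status < 300:
            answered_2xx.append((client, target))
    return targets, answered_2xx


if __name__ == "__main__":
    targets, answered_2xx = summarize(SAMPLE_LOG)
    for target, count in targets.most_common():
        print(f"{count:4d}  {target}")
    for client, target in answered_2xx:
        print(f"REVIEW: {client} got 2xx for CONNECT {target}")
```

A 2xx line is only a prompt to check the proxy configuration; depending on how the server handles unknown methods, it may also have just served a normal page.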