Re: HTTP over SSH probes?

To: debian-security@lists.debian.org
Subject: Re: HTTP over SSH probes?
From: sfritsch@ph.tum.de
Date: Fri, 3 Jun 2005 15:48:32 +0200 (CEST)
Message-id: <[🔎] Pine.LNX.4.62.0506031543250.32443@down.t30.physik.tu-muenchen.de>
In-reply-to: <[🔎] Pine.LNX.4.61.0506030833250.7478@boater.Princeton.EDU>
References: <[🔎] Pine.LNX.4.61.0506030833250.7478@boater.Princeton.EDU>

Hi!

Example:
Jun 2 17:46:42 benjo sshd[17291]: Bad protocol version identification 'GEThttp://www.sciencedirect.com/ HTTP/1.1' from ::ffff:202.207.192.30
The IP in this case seems to be in China.
As far as I can tell nothing is listening at www.sciencedirect.com:22. Theweb site on port 80 at www.sciencedirect.com is a self-proclaimed "digitallibrary" of some sort.
But why would random IPs be requesting sciencedirect.com at my workstationwhich has nothing to do with it? Even for a worm that doesn't make anysense.

For university wide subsciptions at sciencedirect it is sometimesnecessary to use a special proxy server. If it is only one source IP,maybe someone has put a typo in his proxy configuration. If it are manysource IPs but from only one or very few networks, maybe there is a typoin some proxy autoconfiguration file somewhere. Or it is a braindeadattempt to find a misconfigured proxy that has sciencedirect subscription.


Cheers,
Stefan

Reply to:

Follow-Ups:
- Re: HTTP over SSH probes? [solved?]
  - From: "Kevin B. McCarty" <kmccarty@Princeton.EDU>

References:
- HTTP over SSH probes?
  - From: "Kevin B. McCarty" <kmccarty@Princeton.EDU>

Prev by Date: Re: HTTP over SSH probes?
Next by Date: Re: Please allow drupal 4.5.3-1
Previous by thread: Re: HTTP over SSH probes?
Next by thread: Re: HTTP over SSH probes? [solved?]
Index(es):
- Date
- Thread