
OT: mod_ssl (apache) log entries -- wtf?



i've got apache offering ssl on port :443, but haven't published
that fact anywhere -- yet i've gotten a hit from mit.edu, and
it's not even a from-the-top entry?

i've got apache-perl going, and mod_ssl is even cooperating.
so, all is wonderful in linux-land...

the secure port is not published anywhere on any pages on the
rest of my site, so i'm testing and plugging away all by myself
without any interlopers cluttering up my traffic -- or so i
thought:

<snip>
[19/Feb/2003:15:15:45 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 10947
[19/Feb/2003:15:16:33 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 10968
[19/Feb/2003:15:18:15 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 10941
[19/Feb/2003:15:18:39 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3523

heavy testing, as you can see -- the byte count changes although
the request stays the same. :)

at any rate, the log continues...

[19/Feb/2003:15:18:39 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /std.css HTTP/1.1" 2431
[19/Feb/2003:15:18:40 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /gray.css HTTP/1.1" 965
[19/Feb/2003:15:18:40 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /green.css HTTP/1.1" 1091
[19/Feb/2003:15:19:59 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3535
[19/Feb/2003:15:20:52 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3523
[19/Feb/2003:15:22:22 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3520
[19/Feb/2003:15:22:54 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3535
<snip>

i'm on the lan at 192.168.0.5 -- but 18.*.*.* is mit.edu!

i know any quick port scan will show that :443 is open, but the
evidence here (i think) is that they re-broadcast a request from
just a few minutes previous; it wasn't a casual browse, it was
the exact same request as i had made earlier.

if it was a sequence of "/" -> "/subdir" -> "/subdir/func?stuff"
i'd say someone was being curious. but this was definitely NOT
from-the-top but rather directly into the /search/go area.

what does this mean? are there black hats involved? (maybe even
a gray fedora?)

-- 
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
 
DEBIAN NEWBIE TIP #108 from Rogerio Brito <rbrito@ime.usp.br>:
Hoping to GENERATE DIGITAL ALBUMS? To do this, I use photoaddict
(http://photoaddict.sourceforge.net/). It uses convert
internally.

Also see http://newbieDoc.sourceForge.net/ ...
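
An added example (not part of the original post): the pattern the poster spotted by eye, the same query-string request repeated by a different client a few minutes later, can be checked for mechanically over a log in this layout. The function names, the 10-minute window and the choice to ignore requests without a query string are assumptions of this sketch; the sample lines are copied from the excerpt quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Layout of the lines quoted in the post: [time] client protocol cipher "request" bytes
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<req>[^"]*)" (?P<size>\d+|-)$'
)

# Subset of the log lines quoted in the post.
SAMPLE = """\
[19/Feb/2003:15:18:39 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3523
[19/Feb/2003:15:18:39 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /std.css HTTP/1.1" 2431
[19/Feb/2003:15:19:59 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3535
[19/Feb/2003:15:20:52 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3523
"""

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def cross_client_repeats(records, window=timedelta(minutes=10)):
    """Report query-string requests repeated by a different client within `window`."""
    last_seen = {}   # request line -> {client ip: most recent timestamp}
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if "?" not in rec["req"]:
            continue  # assumption: plain asset fetches are made by every visitor
        seen = last_seen.setdefault(rec["req"], {})
        for ip, ts in seen.items():
            if ip != rec["ip"] and rec["ts"] - ts <= window:
                findings.append({"request": rec["req"], "earlier_client": ip,
                                 "repeat_client": rec["ip"], "cipher": rec["cipher"],
                                 "delay_s": int((rec["ts"] - ts).total_seconds())})
        seen[rec["ip"]] = rec["ts"]
    return findings

if __name__ == "__main__":
    for f in cross_client_repeats(parse(SAMPLE)):
        print(f)
```

Each finding names the earlier client, the repeating client and its negotiated cipher, which gives a starting point for correlating against proxy, cache or upstream logs.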


