Strange Server Log Entry

Forum Moderators: phranque

Message Too Old, No Replies

Strange Server Log Entry

Finding CONNECT 64.12.202.nn:443 HTTP

grandma genie

2:44 am on Sep 7, 2010 (gmt 0)

This visitor is from Brazil and I found some type of connect attempt numerous times in my server logs. Here are two of the references. What is this visitor trying to do and how do I stop him? I have blocked all IPs starting with 187 from accessing the server. I also blocked the referring IP, which seems to be an AOL address.

187.17.73.nnn - - [06/Sep/2010:16:12:58 -0400] "CONNECT 64.12.202.nn:443 HTTP/1.0" 405 324 "-" "-"

187.17.73.nnn - - [06/Sep/2010:16:31:37 -0400] "CONNECT 205.188.251.nn:443 HTTP/1.0" 405 324 "-" "-"

The repertoire of server entry attempts is never ending. Ugh!

caribguy

2:52 am on Sep 7, 2010 (gmt 0)

You should only allow the HTTP methods [w3.org] that are actively used on your server (e.g. HEAD, GET, POST)

grandma genie

3:33 am on Sep 7, 2010 (gmt 0)

It looks like the server returned a 405. I am on a hosted server, not my own. I assume my hosting company set the server up not to accept the CONNECT method. So, I will let my hosting company know about the CONNECT attempt. Is there something I should do in the meantime? Thanks for your reply caribguy.

wilderness

4:07 am on Sep 7, 2010 (gmt 0)

I assume my hosting company set the server up not to accept the CONNECT method.

This would be an incorrect assumption.

All access codes than begin with a "4" (i. e., 4xx) are failed attempts at access.

200's are successful access.

caribguy

4:53 am on Sep 7, 2010 (gmt 0)

405 is the reply for "Method not allowed" - looks like your host did the right thing.

grandma genie

4:10 pm on Sep 8, 2010 (gmt 0)

Thanks all. I guess I am safe. Too bad my host never replied to my post. What would I do without webmasterworld?