i've got apache offering ssl on port :443, but haven't published that fact anywhere -- yet i've gotten a hit from mit.edu, and it's not even a from-the-top entry?
i've got apache-perl going, and mod_ssl is even cooperating. so, all is wonderful in linux-land... the secure port is not published anywhere on any pages on the rest of my site, so i'm testing and plugging away all by myself without any interlopers cluttering up my traffic -- or so i thought:

<snip>
[19/Feb/2003:15:15:45 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 10947
[19/Feb/2003:15:16:33 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 10968
[19/Feb/2003:15:18:15 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 10941
[19/Feb/2003:15:18:39 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3523

heavy testing, as you can see -- the byte count changes altho the request stays the same. :) at any rate, the log continues...

[19/Feb/2003:15:18:39 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /std.css HTTP/1.1" 2431
[19/Feb/2003:15:18:40 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /gray.css HTTP/1.1" 965
[19/Feb/2003:15:18:40 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /green.css HTTP/1.1" 1091
[19/Feb/2003:15:19:59 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3535
[19/Feb/2003:15:20:52 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3523
[19/Feb/2003:15:22:22 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3520
[19/Feb/2003:15:22:54 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3535
<snip>

i'm on the lan at 192.168.0.5 -- but 18.*.*.* is mit.edu! i know any quick port scan will show that :443 is open, but the evidence here (i think) is that they re-broadcast a request from just a few minutes previous; it wasn't a casual browse, it was the exact same request as i had made earlier. if it was a sequence of "/" -> "/subdir" -> "/subdir/func?stuff" i'd say someone was being curious.
but this was definitely NOT from-the-top but rather directly into the /search/go area.

what does this mean? are there black hats involved? (maybe even a gray fedora?)

-- 
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
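
Added example, not part of the original post: a Python script that reads a log in the layout shown above and flags a client whose very first request is a non-root URL that a different client requested shortly before. The function names, the 10-minute window and the sample lines (taken from or modelled on the excerpt) are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample in the same layout as the log lines in the post.
SAMPLE = """\
[19/Feb/2003:15:18:39 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3523
[19/Feb/2003:15:18:39 -0600] 192.168.0.5 TLSv1 RC4-MD5 "GET /std.css HTTP/1.1" 2431
[19/Feb/2003:15:19:59 -0600] 18.29.1.50 TLSv1 EDH-RSA-DES-CBC3-SHA "GET /search/go?q=w&t=*&x=y HTTP/1.1" 3535
[19/Feb/2003:15:25:00 -0600] 203.0.113.9 TLSv1 RC4-MD5 "GET / HTTP/1.1" 512
"""

LINE = re.compile(r'\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
                  r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<size>\d+|-)')

def parse(text):
    """Yield one dict per log line; lines in another layout are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def repeated_deep_requests(records, window=timedelta(minutes=10)):
    """Flag a client whose first request is a non-root URL that a
    different client requested within `window` beforehand."""
    last_seen = {}     # url -> (timestamp, ip) of the most recent request
    known_ips = set()  # clients that have already appeared in the log
    findings = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        first_contact = r["ip"] not in known_ips
        known_ips.add(r["ip"])
        prev = last_seen.get(r["url"])
        if (first_contact and r["url"] != "/" and prev
                and prev[1] != r["ip"] and r["ts"] - prev[0] <= window):
            findings.append({"ip": r["ip"], "url": r["url"], "earlier_ip": prev[1],
                             "delay_s": int((r["ts"] - prev[0]).total_seconds()),
                             # True when the earlier request came from the LAN
                             "private_origin": ip_address(prev[1]).is_private})
        last_seen[r["url"]] = (r["ts"], r["ip"])
    return findings

if __name__ == "__main__":
    for finding in repeated_deep_requests(parse(SAMPLE)):
        print(finding)
```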