On Sun, Jun 28, 2009 at 9:11 AM, chefsmart <moran.cors...@gmail.com> wrote:
>
> I'm seeing a lot of the following in my Django development server
> window lately: -
>
>
> [28/Jun/2009 18:33:42] "CONNECT mail.burst.idv.tw:25 HTTP/1.0" 500 41555
>
>
> Has anyone else seen these messages? What is this exactly? Is my
> computer infected with some malware?
>
> It would have been easy if it were a GET, POST, PUT or DELETE. But
> CONNECT?
>
> I know I'm not making much sense, but I am puzzled where this request
> is coming from!
>

Something is trying to use your development server as a proxy to set up a
tunnel to some host named mail.burst.idv.tw, port number 25 (a mail server
port).

What command line arguments are you using to start your development server?
Specifically are you setting it up to listen on all interfaces, or just the
default localhost?  If you are listening only on localhost, then the
requests are coming from some program running on your machine.  If that's
the case then I'd suspect your computer has been infected with something.

If on the other hand you've specified 0.0.0.0 as the IP address for the dev
server to listen on, then the request could be coming from anywhere that can
reach your machine.  So -- what other machines have the ability to connect
to your machine?

If it's open to the whole Internet, then these requests could be coming from
anywhere and it's probably not worth trying to track them down.  The dev
server is not creating the requested tunnel (it's actually running into an
exception and returning a 500 server error...from a little experimenting I
think the 500 error is due to ticket #10834) so no great harm done in this
particular case.

But if you do have a dev server open to the Internet, you might want to
rethink that -- see the note here:
http://docs.djangoproject.com/en/dev/ref/django-admin/#runserver

"DO NOT USE THIS SERVER IN A PRODUCTION SETTING. It has not gone through
security audits..."

While this particular possibly malicious request isn't causing anything too
bad to happen, the dev server really has not been checked to ensure that it
can't be fooled into doing something it shouldn't be doing.  It's really not
a good idea to have one open to the Internet at large.

If on the other hand your machine is only accessible from a limited number
of other machines that you "trust",  it looks like one of them might be
infected with something.  In that case you might want to add some additional
logging in basehttp.py to report the client address and port since the
existing log message doesn't include that information.  If you change the
log_message routine in django/core/servers/basehttp.py to be:

    def log_message(self, format, *args):
        # Don't bother logging requests for admin images or the favicon.
        if self.path.startswith(self.admin_media_prefix) or self.path == '/favicon.ico':
            return
        # client_address is the (host, port) pair of the connecting socket.
        client_host = self.client_address[0]
        client_port = self.client_address[1]
        sys.stderr.write("[%s] Client %s:%d: %s\n" %
                         (self.log_date_time_string(), client_host, client_port, format % args))

then you'll have the IP address of the machine that is sending the requests.

Karen
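
Added example, not part of the original message or of Django: a small script that reads dev-server output in the "Client host:port:" format produced by the patched log_message above and groups proxy-style requests by sender, labelling each sender as a local process, a LAN host or an external host. Treating absolute-URI targets as proxy attempts goes beyond the CONNECT case in the thread; the names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Patched format: [date] Client host:port: "METHOD target HTTP/x.y" status size
LINE_RE = re.compile(
    r'^\[[^\]]+\] Client (?P<host>[0-9A-Fa-f:.]+):\d+: '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} '
)

# Explicit ranges: ipaddress.is_private also matches documentation addresses.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample lines (documentation and private addresses only).
SAMPLE_LOG = """\
[28/Jun/2009 18:33:40] Client 127.0.0.1:50112: "GET /polls/ HTTP/1.1" 200 1843
[28/Jun/2009 18:33:42] Client 203.0.113.7:51234: "CONNECT mail.burst.idv.tw:25 HTTP/1.0" 500 41555
[28/Jun/2009 18:33:43] Client 203.0.113.7:51240: "CONNECT mail.burst.idv.tw:25 HTTP/1.0" 500 41555
[28/Jun/2009 18:34:01] Client 127.0.0.1:50120: "CONNECT mail.burst.idv.tw:25 HTTP/1.0" 500 41555
[28/Jun/2009 18:34:05] Client 192.168.1.20:40022: "GET http://example.com/ HTTP/1.1" 404 2100
"""

def classify(host):
    """Map a client address to the three cases discussed in the reply."""
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "local process"   # a program running on this machine
    if any(addr.version == net.version and addr in net for net in LAN_NETS):
        return "LAN host"        # one of the machines allowed to connect
    return "external host"       # dev server is reachable from outside

def proxy_attempts(log_text):
    """Return {client_ip: {"origin", "count", "targets"}} for proxy-style requests."""
    found = defaultdict(lambda: {"origin": None, "count": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # CONNECT, or an absolute-URI target, means the sender expects a proxy.
        if not m or (m["method"] != "CONNECT" and "://" not in m["target"]):
            continue
        entry = found[m["host"]]
        entry["origin"] = classify(m["host"])
        entry["count"] += 1
        entry["targets"].add(m["target"])
    return dict(found)

if __name__ == "__main__":
    for ip, info in sorted(proxy_attempts(SAMPLE_LOG).items()):
        print(ip, info["origin"], info["count"], sorted(info["targets"]))
```

A "local process" result corresponds to the infected-machine case, and an "external host" result means the server is bound to more than localhost and reachable from outside.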
