Security Incidents mailing list archives
RE: Strange apache logs: CONNECT maila.microsoft.com:25
From: "Andy Coates" <andy () bribed net>
Date: Fri, 22 Nov 2002 12:10:39 -0000
Hello,

As I was having a look at the access log of an apache daemon I noticed a strange entry. After grepping the access log it appeared this entry has occurred 9 times since September this year. I also noticed the same entry on other servers as well.

It looks like something or someone is trying to send e-mail through a microsoft smtp server using http daemons however I can't seem to find anything relating to these entries on both google as well as the securityfocus archives. Most entries (64.*) seem to originate from dialup ip-addresses within the netblock of sympatico.ca while the rest are US based addresses.

68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0

That's usually what gets logged when a proxy attempt is made. Someone is either trying to spam someone at microsoft by hiding their source ip using your web server as a proxy, or is just testing to see whether you are an "open proxy" - which is normally recorded for later use.

If you don't run any proxy software (squid etc) and it's just apache, nothing to worry about really. I doubt they're targeting you specifically, more likely a complete network scan if they are repeating the same request day after day.

HTH,
Andy.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
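
One way to triage the entries discussed in this thread, as an added example that is not part of the original messages: it pulls CONNECT requests out of an Apache access log, groups them by target, and flags any the server answered with a 2xx status so the proxy configuration can be checked by hand. The function names and every sample line except the first are constructed for illustration, and using 2xx as the review threshold is an assumption.

```python
import re
from collections import defaultdict

# Common log format. The request line is kept whole because the CONNECT
# entry quoted in the thread carries an extra "/" token before the protocol.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_connect(line):
    """Return (ip, host, port, status) for a CONNECT entry, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    if len(parts) < 2 or parts[0].upper() != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        host, port = parts[1], "0"  # target given without an explicit port
    return m.group("ip"), host.lower(), int(port), int(m.group("status"))

def summarize(lines):
    """Group CONNECT attempts by target; mark targets that got a 2xx answer."""
    report = defaultdict(lambda: {"sources": set(), "statuses": set(), "review": False})
    for line in lines:
        hit = parse_connect(line)
        if hit is None:
            continue
        ip, host, port, status = hit
        entry = report[(host, port)]
        entry["sources"].add(ip)
        entry["statuses"].add(status)
        # Assumption: a 2xx answer means proxying may be enabled and the
        # configuration needs a manual check; it is not proof of relaying.
        if 200 <= status < 300:
            entry["review"] = True
    return dict(report)

# First line is the entry quoted in the thread; the rest are constructed.
SAMPLE = [
    '68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0',
    '192.0.2.10 - - [08/Sep/2002:03:11:02 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0',
    '198.51.100.7 - - [09/Sep/2002:04:00:00 +0200] "CONNECT mail.example.com:25 HTTP/1.0" 200 0',
    '192.0.2.10 - - [09/Sep/2002:04:00:05 +0200] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for (host, port), info in summarize(SAMPLE).items():
        flag = "REVIEW" if info["review"] else "ok"
        print(f"{host}:{port} sources={len(info['sources'])} statuses={sorted(info['statuses'])} {flag}")
```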