Security Incidents mailing list archives

Re: Odd sendmail behavior


From: Michael Katz <mike () procinct com>
Date: Thu, 05 Sep 2002 13:07:29 -0700

At 9/5/2002 11:34 AM, Etaoin Shrdlu wrote:

I saved a full session of one of the attempts on my local machine (seven
packets worth) from ethereal. There was also an initial attempt to validate
as user "tcpwrappers" which I found a bit odd. Those are the only things
beyond log entries, and of course the packets are incomplete (since the
attempts were blocked). The odd and unique thing is that the initial
payload was:

> GET http://www.yahoo.com/ HTTP/1.1
> Host: www.yahoo.com
> Accept: */*
> Pragma: no-cache
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)

That looks like someone scanning for a proxy server. Typically these scans are limited to ports 80, 1080, 3128, and 8080, but maybe somebody has found a reason to look for proxy servers on SMTP ports.

Michael Katz
mike () procinct com
Procinct Security


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com


Current thread: