From: Michael Katz (mike_at_procinct.com)
Date: Thu Sep 05 2002 - 15:07:29 CDT


    At 9/5/2002 11:34 AM, Etaoin Shrdlu wrote:

    >I saved a full session of one of the attempts on my local machine (seven
    >packets worth) from ethereal. There was also an initial attempt to validate
    >as user "tcpwrappers" which I found a bit odd. Those are the only things
    >beyond log entries, and of course the packets are incomplete (since the
    >attempts were blocked). The odd and unique thing is that the initial
    >payload was:
    >
    > > GET http://www.yahoo.com/ HTTP/1.1
    > > Host: www.yahoo.com
    > > Accept: */*
    > > Pragma: no-cache
    > > User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)

    That looks like someone scanning for a proxy server. Typically these scans
    are limited to ports 80, 1080, 3128, and 8080, but maybe somebody has found
    a reason to look for proxy servers on SMTP ports.

    Michael Katz
    mike_at_procinct.com
    Procinct Security

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
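
Added example, not part of the original message or of any tool the posters used: a small classifier for the first payload a listener receives on a non-HTTP port such as SMTP, flagging the proxy-style request quoted above (an absolute URI, or `CONNECT host:port`, in the request line). The function name, the category labels and every sample payload other than the quoted `GET` are constructed for illustration.

```python
import re

# An origin-server request carries only a path ("GET /index.html").
# A request meant for a forward proxy carries an absolute URI, or uses
# CONNECT host:port. Seeing either on an SMTP port suggests a proxy scan.
_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|OPTIONS|CONNECT)\s+(\S+)\s+HTTP/1\.[01]$"
)
_SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET",
               b"NOOP", b"VRFY", b"AUTH", b"STARTTLS", b"QUIT"}

# First payload as quoted in the thread.
PAGE_PROBE = (
    b"GET http://www.yahoo.com/ HTTP/1.1\r\n"
    b"Host: www.yahoo.com\r\n"
    b"Accept: */*\r\n"
    b"Pragma: no-cache\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)\r\n\r\n"
)

def classify_first_payload(payload: bytes):
    """Return (kind, target) for the first bytes seen on a connection.

    kind is one of the hypothetical labels 'proxy-probe', 'http-origin',
    'smtp' or 'unknown'; target is the requested URI or host:port, if any.
    """
    first_line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    match = _REQUEST_LINE.match(first_line)
    if match is None:
        verb = first_line.split(b" ", 1)[0].upper()
        return ("smtp" if verb in _SMTP_VERBS else "unknown", None)
    method, target = match.group(1), match.group(2)
    text = target.decode("ascii", "replace")
    if method == b"CONNECT" or target.lower().startswith((b"http://", b"https://")):
        return ("proxy-probe", text)
    # Plain HTTP sent to the wrong port, but not a request a proxy would relay.
    return ("http-origin", text)

if __name__ == "__main__":
    samples = [
        PAGE_PROBE,
        b"EHLO mail.example.org\r\n",                       # constructed
        b"GET /index.html HTTP/1.0\r\n\r\n",                # constructed
        b"CONNECT mail.example.net:25 HTTP/1.0\r\n\r\n",    # constructed
    ]
    for sample in samples:
        print(classify_first_payload(sample))
```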