|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Nigel Frankcom (nigel_at_blue-canoe.net)
Date: Thu Sep 05 2002 - 15:32:03 CDT
Just a thought....
Could it be a probe for a webmail interface?
On Thu, 05 Sep 2002 13:07:29 -0700, you wrote:
>At 9/5/2002 11:34 AM, Etaoin Shrdlu wrote:
>
>>I saved a full session of one of the attempts on my local machine (seven
>>packets worth) from ethereal. There was also an initial attempt to validate
>>as user "tcpwrappers" which I found a bit odd. Those are the only things
>>beyond log entries, and of course the packets are incomplete (since the
>>attempts were blocked). The odd and unique thing is that the initial
>>payload was:
>>
>> > GET http://www.yahoo.com/ HTTP/1.1
>> > Host: www.yahoo.com
>> > Accept: */*
>> > Pragma: no-cache
>> > User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
>
>That looks like someone scanning for a proxy server. Typically these scans
>are limited to ports 80, 1080, 3128, and 8080, but maybe somebody has found
>a reason to look for proxy servers on SMTP ports.
>
>Michael Katz
>mike
procinct.com
>Procinct Security
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]