Re: [suse-security] Strange entry in Apache log
From: Joel Luth (joel luths.net)
Date: Fri Feb 27 2004 - 14:25:53 CST
I'm no expert on this, so take my comments with a pound of salt. It looks
to me like they tried to use your server to issue an SMTP connect with
the Earthlink mail server, perhaps to send some spam and cover their
tracks? I grep'ed through my webserver logs for "CONNECT" and came up
empty; looks a little fishy to me.

Keith Roberts wrote:
> Hi everyone.
>
> Can anyone tell what the following apache logs are?
>
> The last line looks like they managed to connect to port 25.
>
> Or did someone get my machine to connect to another servers
> port 25?
>
> 220.163.27.187 - - [27/Feb/2004:16:00:48 +0000]
> "\x04\x01" 200 0 "-" "-"
>
> 220.163.27.187 - - [27/Feb/2004:16:01:40 +0000]
> "\x05\x01" 200 0 "-" "-"
>
> 220.163.27.187 - - [27/Feb/2004:16:01:51 +0000]
> "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"
>
> I have just been to grc.com, and my SMTP port is stealthed.
>
> Here is a listing of netstat
>
> keith@myserver:~> netstat -lt
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 *:printer *:* LISTEN
> tcp 0 0 *:www-http *:* LISTEN
> tcp 0 0 *:afs3-fileserver *:* LISTEN
> tcp 0 0 localhost:smtp *:* LISTEN
>
> Anyone have any ideas?
>
> Kind Regards - Keith Roberts
>
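
An added example, not part of the original thread: a small Python check that flags the kinds of entries quoted above (SOCKS handshake bytes and an HTTP CONNECT request) in an Apache access log. The function names and the last sample line are constructed for illustration; the first three sample lines are the quoted entries joined onto single lines.

```python
import re

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
CONNECT_RE = re.compile(r'^CONNECT (?P<target>[^\s:]+):(?P<port>\d+) HTTP/\d\.\d$')

# Apache logs non-printable request bytes as \xHH escapes.
# \x04\x01 = SOCKS4 version byte + CONNECT command;
# \x05\x01 = SOCKS5 version byte + "one auth method offered".
SOCKS_PREFIXES = {r'\x04\x01': 'socks4-probe', r'\x05\x01': 'socks5-probe'}


def classify(line):
    """Return a finding dict for a proxy probe, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    request, status = m['request'], int(m['status'])
    size = 0 if m['size'] == '-' else int(m['size'])
    finding = {'host': m['host'], 'time': m['time'], 'status': status, 'size': size}
    for prefix, kind in SOCKS_PREFIXES.items():
        if request.startswith(prefix):
            return {**finding, 'kind': kind, 'target': None, 'review': False}
    c = CONNECT_RE.match(request)
    if c:
        # A 2xx answer with a body is worth a manual look at the proxy config.
        review = 200 <= status < 300 and size > 0
        return {**finding, 'kind': 'http-connect',
                'target': (c['target'], int(c['port'])), 'review': review}
    return None


def scan(lines):
    """Classify every line and keep only the proxy-probe findings."""
    return [f for f in map(classify, lines) if f is not None]


SAMPLE = [
    r'220.163.27.187 - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"',
    r'220.163.27.187 - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"',
    r'220.163.27.187 - - [27/Feb/2004:16:01:51 +0000] "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"',
    # Constructed ordinary request, which must not be flagged:
    r'192.0.2.10 - - [27/Feb/2004:16:02:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE):
        print(f['time'], f['host'], f['kind'], f['target'], 'REVIEW' if f['review'] else '')
```

A CONNECT finding with `review` set does not by itself show that the request was relayed: check whether mod_proxy is loaded with `ProxyRequests On`, and compare the logged byte count with the size of the page the server returns for an ordinary request.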