Strange apache logs: CONNECT maila.microsoft.com:25

From: Jeroen Wesbeek (duh@DoWebWeDo.com)
Date: 11/18/02

    From: Jeroen Wesbeek <duh@DoWebWeDo.com>
    To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
    Date: Mon, 18 Nov 2002 10:05:04 +0100
    
    

    Hello,

    As I was having a look at the access log of an Apache daemon I noticed a
    strange entry. After grepping the access log it appeared this entry has
    occurred 9 times since September this year. I also noticed the same entry on
    other servers as well. It looks like something or someone is trying to send
    e-mail through a Microsoft SMTP server using HTTP daemons; however, I can't
    seem to find anything relating to these entries on either Google or
    the SecurityFocus archives. Most entries (64.*) seem to originate from
    dial-up IP addresses within the netblock of sympatico.ca while the rest are
    US-based addresses.

    68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
    64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    65.95.180.128 - - [29/Oct/2002:09:17:51 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    64.231.50.98 - - [31/Oct/2002:23:24:13 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    66.230.222.226 - - [01/Nov/2002:20:07:38 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    64.229.147.12 - - [14/Nov/2002:16:27:30 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    64.228.70.235 - - [15/Nov/2002:11:32:56 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    4.63.221.224 - - [16/Nov/2002:05:49:13 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    64.229.147.19 - - [17/Nov/2002:15:35:24 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370

    Does anybody have a clue what this might be?

    Grtz,

    dowebwedo
    Jeroen Wesbeek
    .programming
    St. Jacobsstraat 16 | 3511 BS Utrecht
    Postbus 448 | 3500 AK Utrecht
    The Netherlands
    www.dowebwedo.com
    p +31 (0) 30 234 81 10 | f +31 (0) 20 773 83 38

    [roses are red, violets are blue, I am schizophrenic and so am I ]

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
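
An added example (not part of the original post): a small Python check that pulls CONNECT requests out of an Apache access log like the one quoted above and reports whether any was answered with a 2xx status, which would mean the server agreed to open the tunnel. The sample log is constructed: two lines are copied from the post, while the `192.0.2.x` clients and `mail.example.net` are invented for contrast.

```python
import re
from collections import Counter

# Constructed sample in Apache common log format; the first two lines reuse
# entries from the post, the last two are invented for contrast.
SAMPLE_LOG = """\
68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
192.0.2.10 - - [30/Oct/2002:10:00:00 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [30/Oct/2002:10:05:00 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 200 0
"""

LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<request>[^"]*)" (?P<status>\d{3}) ')

def find_connect_attempts(log_text):
    """Return one dict per CONNECT request found in an access log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("request").split()
        if len(parts) < 2 or parts[0].upper() != "CONNECT":
            continue
        host, _, port = parts[1].rpartition(":")
        status = int(m.group("status"))
        hits.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "target_host": host or parts[1],
            "target_port": int(port) if port.isdigit() else None,
            "status": status,
            # A 2xx answer to CONNECT means the server agreed to tunnel.
            "tunnel_accepted": 200 <= status < 300,
        })
    return hits

def summarize(hits):
    """Count attempts per (target, status) and list clients that got a 2xx."""
    by_target = Counter((h["target_host"], h["target_port"], h["status"]) for h in hits)
    accepted = sorted({h["client"] for h in hits if h["tunnel_accepted"]})
    return by_target, accepted

if __name__ == "__main__":
    targets, accepted = summarize(find_connect_attempts(SAMPLE_LOG))
    for (host, port, status), n in sorted(targets.items(), key=str):
        print(f"{n:3d}  {host}:{port}  -> HTTP {status}")
    print("clients that received a 2xx to CONNECT:", accepted or "none")
```

To run it against a real log, pass the file's contents to `find_connect_attempts` instead of `SAMPLE_LOG`.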


