RE: Strange apache logs: CONNECT maila.microsoft.com:25
From: Andy Coates (andy@bribed.net)
Date: 11/22/02
- In reply to: Jeroen Wesbeek: "Strange apache logs: CONNECT maila.microsoft.com:25"
From: "Andy Coates" <andy@bribed.net>
To: "'Jeroen Wesbeek'" <duh@DoWebWeDo.com>
Date: Fri, 22 Nov 2002 12:10:39 -0000

> Hello,
>
> As I was having a look at the access log of an Apache daemon I noticed
> a strange entry. After grepping the access log it appeared this entry
> has occurred 9 times since September this year. I also noticed the same
> entry on other servers as well. It looks like something or someone is
> trying to send e-mail through a Microsoft SMTP server using HTTP
> daemons; however, I can't seem to find anything relating to these
> entries on both Google as well as the SecurityFocus archives. Most
> entries (64.*) seem to originate from dialup IP addresses within the
> netblock of sympatico.ca while the rest are US-based addresses.
>
> 68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0

That's usually what gets logged when a proxy attempt is made. Someone
is either trying to spam someone at Microsoft by hiding their source IP
using your web server as a proxy, or is just testing to see whether you
are an "open proxy" - which is normally recorded for later use.

If you don't run any proxy software (Squid etc.) and it's just Apache,
nothing to worry about really.

I doubt they're targeting you specifically, more likely a complete
network scan if they are repeating the same request day after day.

HTH,
Andy.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
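
Added example, not part of the original message or the list archive: a small Python check that pulls proxy-style requests (CONNECT, or any method with an absolute URI, which goes slightly beyond the single CONNECT case in the thread) out of an Apache access log in Common Log Format and groups them by source. Treating a 2xx status as "may have been relayed, check the proxy configuration" is an assumption of this example; the function names and all sample lines except the first (the entry quoted in the thread) are constructed.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def proxy_attempts(lines):
    """Yield (src, time, target, status) for requests asking the server to act as a proxy."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        src, when, request, status = m.groups()
        parts = request.split()
        if len(parts) < 2:
            continue
        method, target = parts[0].upper(), parts[1]
        # CONNECT host:port, or any method with an absolute URI, is a proxy-style request
        if method == "CONNECT" or re.match(r"(?i)^(https?|ftp)://", target):
            yield src, when, target, int(status)

def summarize(lines):
    """Group attempts by source; 'relayed' holds targets answered with a 2xx status."""
    report = defaultdict(lambda: {"count": 0, "targets": set(), "relayed": set()})
    for src, _when, target, status in proxy_attempts(lines):
        entry = report[src]
        entry["count"] += 1
        entry["targets"].add(target)
        if 200 <= status < 300:  # assumption: 2xx means the request may have been served
            entry["relayed"].add(target)
    return dict(report)

# Constructed sample: line 1 is the entry quoted in the thread; the others use
# documentation addresses (RFC 5737) and example.* hosts made up for this example.
SAMPLE_LOG = [
    '68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0',
    '192.0.2.10 - - [08/Sep/2002:03:12:44 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
    '192.0.2.10 - - [08/Sep/2002:03:12:45 +0200] "GET http://www.example.org/ HTTP/1.0" 403 289',
    '198.51.100.7 - - [08/Sep/2002:09:01:02 +0200] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        flag = "CHECK PROXY CONFIG" if info["relayed"] else "refused/redirected"
        print(f"{src}: {info['count']} attempt(s) -> {sorted(info['targets'])} [{flag}]")
```

A 2xx on a proxy-style request is a prompt to review the server's proxy settings, not proof of relaying, since a server without proxying can also answer such a request with a local page.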