RE: Strange apache logs: CONNECT maila.microsoft.com:25

From: Andy Coates (andy@bribed.net)
Date: 11/22/02

    From: "Andy Coates" <andy@bribed.net>
    To: "'Jeroen Wesbeek'" <duh@DoWebWeDo.com>
    Date: Fri, 22 Nov 2002 12:10:39 -0000
    
    

    > Hello,
    >
    > As I was having a look at the access log of an Apache daemon I noticed a
    > strange entry. After grepping the access log it appeared this entry has
    > occurred 9 times since September this year. I also noticed the same entry on
    > other servers as well. It looks like something or someone is trying to send
    > e-mail through a Microsoft SMTP server using HTTP daemons however I can't
    > seem to find anything relating to these entries on both Google as well as
    > the SecurityFocus archives. Most entries (64.*) seem to originate from
    > dialup IP addresses within the netblock of sympatico.ca while the rest are US
    > based addresses.
    >
    > 68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0

    That's usually what gets logged when a proxy attempt is made. Someone
    is either trying to spam someone at Microsoft by hiding their source IP
    using your web server as a proxy, or is just testing to see whether you
    are an "open proxy" - which is normally recorded for later use.

    If you don't run any proxy software (squid etc.) and it's just Apache,
    nothing to worry about really.

    I doubt they're targeting you specifically, more likely a complete
    network scan if they are repeating the same request day after day.

    HTH,
    Andy.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
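
An added example (not part of the original message or the list archive): a Python script that pulls CONNECT proxy attempts like the one quoted above out of an Apache access log and marks any that were answered with a 2xx status, so the server's proxy configuration can be checked. Only the first sample line comes from the post; the other log lines, the function names and the 2xx review rule are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')
# CONNECT takes a host:port target; anything after it (e.g. the stray "/") is ignored
CONNECT_RE = re.compile(r'^CONNECT\s+(?P<target>[^\s:]+):(?P<port>\d+)\b')

# First line is the entry from the post; the rest are constructed sample data.
SAMPLE_LOG = """\
68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
192.0.2.10 - - [08/Sep/2002:09:01:02 +0200] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [09/Sep/2002:03:44:51 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 200 0
198.51.100.7 - - [10/Sep/2002:03:45:10 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 405 312
this line is not a log entry
"""

def find_connect_attempts(log_text):
    """Return one dict per CONNECT request; unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        entry = LINE_RE.match(line)
        connect = entry and CONNECT_RE.match(entry.group("request"))
        if not connect:
            continue
        status = int(entry.group("status"))
        hits.append({
            "client": entry.group("host"),
            "time": entry.group("time"),
            "target": f'{connect.group("target")}:{connect.group("port")}',
            "status": status,
            # Assumed rule: a 2xx answer does not prove relaying, but it is
            # the case where the proxy configuration should be checked.
            "review": 200 <= status < 300,
        })
    return hits

def summarize(hits):
    """Group attempts per client: count, distinct targets, review flag."""
    summary = defaultdict(lambda: {"attempts": 0, "targets": set(), "review": False})
    for hit in hits:
        row = summary[hit["client"]]
        row["attempts"] += 1
        row["targets"].add(hit["target"])
        row["review"] = row["review"] or hit["review"]
    return dict(summary)

if __name__ == "__main__":
    for client, row in sorted(summarize(find_connect_attempts(SAMPLE_LOG)).items()):
        flag = "CHECK PROXY CONFIG" if row["review"] else "refused/redirected"
        print(client, row["attempts"], sorted(row["targets"]), flag)
```
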


