Security Incidents: RE: Strange apache logs: CONNECT maila.microsoft.com:25

["Andy Coates" <andy () bribed net>]

> Hello,
>
> As I was having a look at the access log of a apache daemon I 
> noticed a
> strange entry. After grepping the access log it appeared this 
> entry has
> occurred 9 times since september this year. I also noticed 
> the same entry on
> other servers as well. It looks like something or someone is 
> trying to send
> e-mail through a microsoft smtp server using http daemons 
> however I can't
> seem to find anything relating to these entries on both 
> google as well as
> the securityfocus archives. Most entries (64.*) seem to originate from
> dialup ip-adresses within the netblock of sympatico.ca while 
> the rest are US
> based adresses. 
>
> 68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT 
> maila.microsoft.com:25
> / HTTP/1.0" 302 0 
That's usually what gets logged when a proxy attempt is made.  Someone
is either trying to spam someone at microsoft by hiding their source ip
using your web server as a proxy, or is just testing to see whether you
are an "open proxy" - which is normally recorded for later use.

If you don't run any proxy software (squid etc) and its just apache,
nothing to worry about really.

I doubt they're targetting you specifically, more likely a complete
network scan if they are repeating the same request day after day.

HTH,
Andy.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com