|
Security Incidents
mailing list archives
Re: Odd sendmail behavior
From: Michael Katz <mike () procinct com>
Date: Thu, 05 Sep 2002 13:07:29 -0700
At 9/5/2002 11:34 AM, Etaoin Shrdlu wrote:
I saved a full session of one of the attempts on my local machine (seven
packets worth) from ethereal. There was also an initial attempt to validate
as user "tcpwrappers" which I found a bit odd. Those are the only things
beyond log entries, and of course the packets are incomplete (since the
attempts were blocked). The odd and unique thing is that the initial
payload was:
> GET http://www.yahoo.com/ HTTP/1.1
> Host: www.yahoo.com
> Accept: */*
> Pragma: no-cache
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
That looks like someone scanning for a proxy server. Typically these scans
are limited to ports 80, 1080, 3128, and 8080, but maybe somebody has found
a reason to look for proxy servers on SMTP ports.
Michael Katz
mike () procinct com
Procinct Security
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
|
Intro
