Security Incidents mailing list archives
Re: Odd sendmail behavior
From: Michael Katz <mike () procinct com>
Date: Thu, 05 Sep 2002 13:07:29 -0700
At 9/5/2002 11:34 AM, Etaoin Shrdlu wrote:
I saved a full session of one of the attempts on my local machine (seven packets worth) from ethereal. There was also an initial attempt to validate as user "tcpwrappers" which I found a bit odd. Those are the only things beyond log entries, and of course the packets are incomplete (since the attempts were blocked). The odd and unique thing is that the initial payload was: > GET http://www.yahoo.com/ HTTP/1.1 > Host: www.yahoo.com > Accept: */* > Pragma: no-cache > User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
That looks like someone scanning for a proxy server. Typically these scans are limited to ports 80, 1080, 3128, and 8080, but maybe somebody has found a reason to look for proxy servers on SMTP ports.
Michael Katz mike () procinct com Procinct Security ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Odd sendmail behavior Etaoin Shrdlu (Sep 05)
- Re: Odd sendmail behavior Jay D. Dyson (Sep 05)
- Re: Odd sendmail behavior Michael Katz (Sep 05)
- Re: Re: Odd sendmail behavior Nigel Frankcom (Sep 05)
- Re: Odd sendmail behavior Etaoin Shrdlu (Sep 05)
- Re: Re: Odd sendmail behavior Nigel Frankcom (Sep 05)