Security Incidents mailing list archives
Re: Unusual entry in Apache logs
From: Neil Dickey <neil () geol niu edu>
Date: Fri, 30 May 2008 15:35:11 -0500 (CDT)
Rob Thomas <robt () cymru com> wrote:
125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"This IP has been sending spam since at least 2008-04-24 15:34:38 UTC. It's also been scanning for the typical proxy ports lately (most recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128, TCP 1080, and TCP 80. I suspect this is what it was doing when it visited your server. Possibly it's a bot.
Thanks Rob, and to all the others -- not few in number -- who wrote on and off the list with ideas and links. I have seen some CONNECT attempts in my logs, trying to make contact with remote mail servers, but had never made the connection myself between them and the "\x05\x01" entries. It does seem that someone is looking for open proxies, as all but all of you indicated. Our website is a simple one, and I have *everything* turned off that isn't being used. Proxies are completely disabled and I don't allow the CONNECT verb, among others. It looks like my ( paranoid ) policies are paying off. Thanks again to all. Best regards, Neil Dickey, Ph.D. email: neil () geol niu edu Research Associate/Sysop Geology Department Northern Illinois University DeKalb, Illinois, U.S.A. 60115
Current thread:
- Unusual entry in Apache logs Neil Dickey (May 29)
- Re: Unusual entry in Apache logs Jonathan Adams (May 30)
- Re: Unusual entry in Apache logs Jonathan Adams (May 30)
- Re: Unusual entry in Apache logs Kosala Atapattu (May 30)
- Re: Unusual entry in Apache logs Rob Thomas (May 30)
- Re: Unusual entry in Apache logs Kevin Day (May 30)
- <Possible follow-ups>
- Re: Unusual entry in Apache logs krymson (May 30)
- Re: Unusual entry in Apache logs Neil Dickey (May 30)
- Re: Unusual entry in Apache logs Jonathan Adams (May 30)