Re: [suse-security] Strange log: apache successful access
On Fri, 2 Jul 2004, Manuel Balderrábano wrote:
> Hi, list.
> I have just seen these strange entries in my apache logs:
>
>
> ...
> 203.86.166.95 - - [29/Jun/2004:03:45:42 +0200] "CONNECT 205.158.62.146:25 HTTP/1.0" 200 8307
> 203.86.166.95 - - [29/Jun/2004:03:45:55 +0200] "PUT http://205.158.62.146:25/ HTTP/1.0" 200 8307
> 203.86.166.95 - - [29/Jun/2004:03:45:56 +0200] "POST http://205.158.62.146:25/ HTTP/1.0" 200 8307
> 217.34.125.65 - - [29/Jun/2004:19:10:27 +0200] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 8307
> ...
> 213.4.22.177 - - [30/Jun/2004:21:05:44 +0200] "POST http://194.224.58.61:25/ HTTP/1.0" 200 8307
> 213.4.22.177 - - [30/Jun/2004:21:56:04 +0200] "PUT http://194.224.58.61:25/ HTTP/1.0" 200 8307
>
> They were all successful!!!!
>
> My snort logs did not detect anything strange, which seems logical, since they are just smtp accesses.
>
> Is anyone using my web server to send spam?
>
> Thanks.
>
This is probably a spammer testing your webserver to see if he can relay
mail through your web server. I get these attempts constantly but they
always fail and trigger an alert from logwatch. The 1337 port is an old
backdoor. It's the scripkiddiot spelling of "leet". You should take
the machine offline and mount the drive under knoppix, so you can run
chkrootkit on the machine.
Regards,
-linux_lad
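
An added example, not part of the original posts: a Python scan of an access log for the proxy-style requests quoted in the thread (CONNECT to host:port, or PUT/POST with an absolute http:// URL), grouped by destination. The function names and the `own_hosts` parameter are assumptions of this sketch; the sample input reuses the quoted log lines plus one constructed ordinary request.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" '
                     r'(?P<status>\d{3}) (?P<size>\d+|-)$')
# Proxy-style request targets: "host:port" (CONNECT) or "http://host[:port]/..."
AUTHORITY_RE = re.compile(r'^(?P<host>[^/:\s]+):(?P<port>\d+)$')
ABSOLUTE_RE = re.compile(r'^https?://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?:/|$)', re.I)

# The six entries quoted in the thread, plus one constructed ordinary request (last line).
SAMPLE = """\
203.86.166.95 - - [29/Jun/2004:03:45:42 +0200] "CONNECT 205.158.62.146:25 HTTP/1.0" 200 8307
203.86.166.95 - - [29/Jun/2004:03:45:55 +0200] "PUT http://205.158.62.146:25/ HTTP/1.0" 200 8307
203.86.166.95 - - [29/Jun/2004:03:45:56 +0200] "POST http://205.158.62.146:25/ HTTP/1.0" 200 8307
217.34.125.65 - - [29/Jun/2004:19:10:27 +0200] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 8307
213.4.22.177 - - [30/Jun/2004:21:05:44 +0200] "POST http://194.224.58.61:25/ HTTP/1.0" 200 8307
213.4.22.177 - - [30/Jun/2004:21:56:04 +0200] "PUT http://194.224.58.61:25/ HTTP/1.0" 200 8307
10.0.0.5 - - [30/Jun/2004:22:00:00 +0200] "GET /about.html HTTP/1.0" 200 5120
""".splitlines()

def proxy_target(method, target):
    """Return (host, port) when the request line names a remote destination."""
    m = (AUTHORITY_RE if method == "CONNECT" else ABSOLUTE_RE).match(target)
    return (m["host"].lower(), int(m["port"] or 80)) if m else None

def scan(lines, own_hosts=()):
    """List proxy-style requests; own_hosts are names this server legitimately serves."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        dest = proxy_target(m["method"], m["target"]) if m else None
        if dest and dest[0] not in own_hosts:
            hits.append({"client": m["client"], "method": m["method"], "dest": dest,
                         "status": int(m["status"]), "size": m["size"]})
    return hits

def summarize(hits):
    """Map each destination answered with 2xx to its clients, plus the response sizes seen."""
    by_dest, sizes = defaultdict(set), set()
    for h in hits:
        if 200 <= h["status"] < 300:
            by_dest[h["dest"]].add(h["client"])
            sizes.add(h["size"])
    return dict(by_dest), sizes

if __name__ == "__main__":
    by_dest, sizes = summarize(scan(SAMPLE))
    for (host, port), clients in sorted(by_dest.items()):
        print(f"2xx for proxy-style request to {host}:{port} from {sorted(clients)}")
    print("response sizes:", sorted(sizes))
```

A single response size across different methods and destinations means each request received a body of the same length. Comparing that size with the server's own default page is a quick check on whether the 200 reflects relayed traffic or a locally served document.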