Incidents
Re: Unusual entry in Apache logs May 30 2008 08:35PM
Neil Dickey (neil geol niu edu)
Rob Thomas <robt (at) cymru (dot) com [email concealed]> wrote:

>> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"
>
>This IP has been sending spam since at least 2008-04-24 15:34:38 UTC.
>It's also been scanning for the typical proxy ports lately (most
>recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128, TCP 1080,
>and TCP 80. I suspect this is what it was doing when it visited your
>server. Possibly it's a bot.

Thanks Rob, and to all the others -- not few in number -- who wrote on
and off the list with ideas and links.

I have seen some CONNECT attempts in my logs, trying to make contact
with remote mail servers, but had never made the connection myself
between them and the "\x05\x01" entries. It does seem that someone
is looking for open proxies, as all but all of you indicated.

Our website is a simple one, and I have *everything* turned off that
isn't being used. Proxies are completely disabled and I don't allow
the CONNECT verb, among others. It looks like my ( paranoid )
policies are paying off.

Thanks again to all.

Best regards,

Neil Dickey, Ph.D.
email: neil (at) geol.niu (dot) edu [email concealed]
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus