[gentoo-user] Suspicious stuff in apache access log.

[Tom Eastman]

Hey all,

This isn't exactly OT, but I was glancing through the usual slew of crap in my
access_log and found these... can someone tell me what's going on?  I expect
it's people trying to use my server for spamming purposes.

Did they succeed?  If so, how can I plug the hole? (I don't know what CONNECT 
does)

NB: IP addresses have not been changed, I'm not protecting the guilty :-)

=================================
68.152.32.164 - - [16/Dec/2002:01:56:33 +1300] "CONNECT maila.microsoft.com:25 / 
HTTP/1.0" 405 314 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
207.43.172.222 - - [17/Dec/2002:19:23:36 +1300] "CONNECT mx2.prserv.net:25 HTTP/1.0" 
405 309 "-" "-"
207.43.172.224 - - [18/Dec/2002:16:22:39 +1300] "CONNECT mx2.mail.yahoo.com:25 
HTTP/1.0" 405 313 "-" "-"
pool-68-160-241-105.ny325.east.verizon.net - - [01/Jan/2003:14:18:10 +1300] "CONNECT 
mx2.mail.yahoo.com:25 HTTP/1.0" 405 313 "-" "-"
217.107.214.246 - - [09/Jan/2003:09:14:39 +1300] "CONNECT 199.232.76.166:25 HTTP/1.0" 
405 309 "-" "-"
217.107.214.246 - - [10/Jan/2003:06:06:06 +1300] "CONNECT 199.232.76.166:25 HTTP/1.0" 
405 309 "-" "-"
pc960-200-74-27-101.apoquindo2.pc.metropolis-inter.com - - [11/Jan/2003:14:55:26 
+1300] "CONNECT 199.232.76.166:25 HTTP/1.0" 405 309 "-" "-"
217.107.214.246 - - [12/Jan/2003:09:31:57 +1300] "CONNECT 199.232.76.166:25 HTTP/1.0" 
405 309 "-" "-"
pool-151-201-116-188.pitt.east.verizon.net - - [13/Jan/2003:09:09:44 +1300] "CONNECT 
mx4.hotmail.com:25 HTTP/1.1" 400 300 "-" "-"
217.107.214.246 - - [15/Jan/2003:05:36:29 +1300] "CONNECT 199.232.76.166:25 HTTP/1.0" 
405 309 "-" "-"
217.107.214.246 - - [15/Jan/2003:05:38:55 +1300] "CONNECT 199.232.76.166:25 HTTP/1.0" 
405 309 "-" "-"
4.63.221.224 - - [16/Jan/2003:03:12:33 +1300] "CONNECT maila.microsoft.com:25 / 
HTTP/1.0" 405 314 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
pc960-200-74-27-101.apoquindo2.pc.metropolis-inter.com - - [16/Jan/2003:10:00:56 
+1300] "CONNECT 199.232.76.166:25 HTTP/1.0" 405 309 "-" "-"
209.120.193.45 - - [19/Jan/2003:23:11:20 +1300] "CONNECT 209.120.193.101:6667 
HTTP/1.0" 405 312 "-" "-"
pc-203-160.las-condes2.pc.metropolis-inter.com - - [21/Jan/2003:18:20:49 +1300] 
"CONNECT 199.232.76.166:25 HTTP/1.0" 405 309 "-" "-"
pc-203-160.las-condes2.pc.metropolis-inter.com - - [23/Jan/2003:16:25:13 +1300] 
"CONNECT 199.232.76.166:25 HTTP/1.0" 405 309 "-" "-"
193.109.122.5 - - [25/Jan/2003:10:03:22 +1300] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 
400 355 "-" "pxys/1.9.3"
02-092.138.popsite.net - - [30/Jan/2003:09:17:43 +1300] "CONNECT mail.123-inet.net:25 
HTTP/1.0" 405 365 "-" "-"
161.58.177.106 - - [06/Feb/2003:04:22:48 +1300] "CONNECT maila.microsoft.com:25 
HTTP/1.0" 405 422 "-" "-"
200-206-166-117.travelnet.com.br - - [10/Feb/2003:06:02:56 +1300] "CONNECT 
tapben.com:25 HTTP/1.0" 405 422 "-" "-"
200-207-43-216.dsl.telesp.net.br - - [10/Feb/2003:06:02:59 +1300] "CONNECT 
mailin-03.mx.aol.com:25 HTTP/1.0" 405 422 "-" "-"
200-206-166-117.travelnet.com.br - - [10/Feb/2003:06:03:00 +1300] "CONNECT 
tapben.com:25 HTTP/1.0" 405 422 "-" "-"
============================


-- 
Tom Eastman <[EMAIL PROTECTED]>       

GnuPG Key:   42128603 
Fingerprint: 6AF7 BB45 ABEE 9A33 9F9C
             AB77 105E E6A5 4212 8603


--
[EMAIL PROTECTED] mailing list