Mailinglist Archive: opensuse (3166 mails)

Re: [SLE] Suspicius Apache log
  • From: Paul Varner <suse-linux-e@xxxxxxxxxxxxxxxx>
  • Date: 23 Mar 2003 16:21:11 -0600
  • Message-id: <1048458070.9781.8.camel@xxxxxxxxxxxxxxxxxx>
On Sun, 2003-03-23 at 12:02, Guillermo Ballester Valor wrote:
> Hi,
>
> I just want to ask whether you know what the following lines in my Apache log
> file mean. I'm finding this kind of line more frequently lately. Is it a
> virus attack, or hack attempt?
>
> 66.250.115.70 - - [23/Mar/2003:18:23:09 +0100] "CONNECT 167.206.112.6:25
> HTTP/1.0" 200 3594

It means that the person at that IP address is trying to use your web server
as a proxy to send email. Most likely it is a spammer working on
covering his tracks so that you will get blamed and not him.

I'm not familiar with the return codes from Apache, but it looks like the
200 means that they were successful.

You can test your setup using the following commands. (Substitute your
server's name for www.example.com.)

telnet www.example.com 80

Once connected type:

CONNECT mx4.hotmail.com:25 HTTP/1.0 then hit enter twice.

If you get disconnected, then you are fine. If you get something similar
to the following, then your web server is acting as an open proxy and
should be secured. If it is unsecure, you'll have to ask how

220 mc4-f13.law16.hotmail.com Microsoft ESMTP MAIL Service, Version:
5.0.2195.5600 ready at Wed, 9 Oct 2002 10:44:08 -0700

--
Paul Varner <suse-linux-e@xxxxxxxxxxxxxxxx>
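
Added example, not part of the original message: a Python sketch that pulls CONNECT requests out of an Apache access log in Common Log Format and marks the ones answered with a 2xx status as candidates for the manual telnet test described above (a 2xx in the log is a reason to run that test, not proof of an open proxy by itself). The function names, the MAIL_PORTS set and the second and third sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
MAIL_PORTS = {"25", "465", "587"}  # assumption: ports treated as mail relay targets

def find_connect_requests(lines):
    """Return one dict per CONNECT request found in access log lines."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        host, sep, port = m.group("target").rpartition(":")
        host, port = (host, port) if sep else (port, "")  # target without a port
        status = int(m.group("status"))
        hits.append({
            "client": m.group("host"),
            "time": m.group("time"),
            "dest_host": host,
            "dest_port": port,
            "status": status,
            "mail_relay": port in MAIL_PORTS,
            "needs_check": 200 <= status < 300,  # verify with the manual test
        })
    return hits

def summarize(hits):
    """Count CONNECT attempts per client, split by 2xx versus other statuses."""
    summary = defaultdict(lambda: {"answered_2xx": 0, "refused": 0})
    for h in hits:
        key = "answered_2xx" if h["needs_check"] else "refused"
        summary[h["client"]][key] += 1
    return dict(summary)

# Constructed sample: the first line is the entry quoted in the message
# (rejoined onto one line); the other two are made up for this example.
SAMPLE_LOG = [
    '66.250.115.70 - - [23/Mar/2003:18:23:09 +0100] "CONNECT 167.206.112.6:25 HTTP/1.0" 200 3594',
    '192.0.2.10 - - [23/Mar/2003:18:25:41 +0100] "GET /index.html HTTP/1.0" 200 3594',
    '198.51.100.7 - - [23/Mar/2003:18:30:02 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 312',
]

if __name__ == "__main__":
    print(summarize(find_connect_requests(SAMPLE_LOG)))
```

To run it over a real log, pass an open file object to find_connect_requests in place of SAMPLE_LOG.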

