On Fri, 2 Jul 2004, Manuel Balderrábano wrote:
Hi, list. I have just seen these strange entries in my apache logs:
...
203.86.166.95 - - [29/Jun/2004:03:45:42 +0200] "CONNECT 205.158.62.146:25 HTTP/1.0" 200 8307
203.86.166.95 - - [29/Jun/2004:03:45:55 +0200] "PUT http://205.158.62.146:25/ HTTP/1.0" 200 8307
203.86.166.95 - - [29/Jun/2004:03:45:56 +0200] "POST http://205.158.62.146:25/ HTTP/1.0" 200 8307
217.34.125.65 - - [29/Jun/2004:19:10:27 +0200] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 8307
...
213.4.22.177 - - [30/Jun/2004:21:05:44 +0200] "POST http://194.224.58.61:25/ HTTP/1.0" 200 8307
213.4.22.177 - - [30/Jun/2004:21:56:04 +0200] "PUT http://194.224.58.61:25/ HTTP/1.0" 200 8307
They were all successful!!!!
My snort logs did not detect anything strange, which seems logical, since they are just SMTP accesses.
Is anyone using my web server to send spam?
Thanks.
This is probably a spammer testing your webserver to see if he can relay mail through your web server. I get these attempts constantly but they always fail and trigger an alert from logwatch. The 1337 port is an old backdoor. It's the scriptkiddiot spelling of "leet". You should take the machine offline and mount the drive under knoppix, so you can run chkrootkit on the machine.

Regards,
-linux_lad
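The pattern in Manuel's log (CONNECT requests and absolute-URI PUT/POST requests, mostly aimed at port 25) is what an open-proxy probe looks like in Apache's access log. The script below is an added example, not code from either poster: it parses Common Log Format lines, flags requests that only make sense to a forward proxy, extracts the destination port, and reports which clients got a 2xx answer. The sample lines are constructed (three are modelled on the post, two are made up for contrast: an ordinary GET and a CONNECT that was refused with 405).

```python
import re
from collections import Counter

# Constructed sample log (Common Log Format). The first three lines mirror the
# shape of the entries in the post; the last two are invented for contrast.
SAMPLE_LOG = """\
203.86.166.95 - - [29/Jun/2004:03:45:42 +0200] "CONNECT 205.158.62.146:25 HTTP/1.0" 200 8307
203.86.166.95 - - [29/Jun/2004:03:45:55 +0200] "PUT http://205.158.62.146:25/ HTTP/1.0" 200 8307
217.34.125.65 - - [29/Jun/2004:19:10:27 +0200] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 8307
10.0.0.5 - - [30/Jun/2004:10:00:00 +0200] "GET /index.html HTTP/1.1" 200 512
10.0.0.6 - - [30/Jun/2004:10:01:00 +0200] "CONNECT 198.51.100.9:25 HTTP/1.0" 405 0
"""

# client ident user [timestamp] "METHOD target HTTP/x.y" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)
ABS_URI_PORT_RE = re.compile(r'^[a-z][a-z0-9+.-]*://[^/:]+:(\d+)', re.I)

# Ports a mail relay probe would aim at (SMTP, SMTPS, submission).
MAIL_PORTS = {25, 465, 587}


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_request(method, target):
    """True for requests that only a forward proxy would act on:
    CONNECT host:port, or any method whose target is an absolute URI."""
    return method == "CONNECT" or ABS_URI_RE.match(target) is not None


def target_port(method, target):
    """Destination port the client asked the server to reach, if it can be determined."""
    if method == "CONNECT":
        _host, _sep, port = target.rpartition(":")
        return int(port) if port.isdigit() else None
    m = ABS_URI_PORT_RE.match(target)
    if m:
        return int(m.group(1))
    if target.lower().startswith("https://"):
        return 443
    if target.lower().startswith("http://"):
        return 80
    return None


def find_proxy_abuse(log_text):
    """Return one finding per proxy-style request, noting whether the server
    answered 2xx and whether the destination was a mail port."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_proxy_request(rec["method"], rec["target"]):
            continue
        port = target_port(rec["method"], rec["target"])
        status = int(rec["status"])
        findings.append({
            "client": rec["client"],
            "method": rec["method"],
            "target": rec["target"],
            "port": port,
            "status": status,
            "succeeded": 200 <= status < 300,
            "mail_port": port in MAIL_PORTS,
        })
    return findings


def clients_with_success(findings):
    """Count, per client address, how many proxy-style requests got a 2xx answer."""
    return Counter(f["client"] for f in findings if f["succeeded"])


if __name__ == "__main__":
    results = find_proxy_abuse(SAMPLE_LOG)
    for f in results:
        flag = "MAIL" if f["mail_port"] else "    "
        print(f'{flag} {f["client"]:16} {f["method"]:8} {f["target"]:32} -> {f["status"]}')
    print("clients with 2xx proxy responses:", dict(clients_with_success(results)))
```

Two caveats when reading the output. A 2xx status on a CONNECT or absolute-URI request shows that Apache answered the request, not that it relayed anything; a constant response size across every entry (as in the post, where each is 8307 bytes) is worth comparing against the size of the server's default page, because a server that is not proxying will typically serve the same document regardless of the odd request line. On the mitigation side, a plain Apache web server should have `ProxyRequests Off` (the mod_proxy default), and the one-off 1337 target in the post is a reason to run the same check over the full log rather than only the port-25 lines.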