I'm no expert on this so take my comments with a pound of salt. It looks to me like they tried to use your server to issue an smtp connect with the earthlink mail server, perhaps to send some spam and cover their tracks? I grep'ed through my webservers logs for "CONNECT" and came up empty, looks a little fishy to me. Keith Roberts wrote:
Hi everyone.
Can anyone tell what the following apache logs are?
The last line looks like they managed to connect to port 25.
Or did someone get my machine to connect to another servers port 25?
220.163.27.187 - - [27/Feb/2004:16:00:48 +0000] "\x04\x01" 200 0 "-" "-"
220.163.27.187 - - [27/Feb/2004:16:01:40 +0000] "\x05\x01" 200 0 "-" "-"
220.163.27.187 - - [27/Feb/2004:16:01:51 +0000] "CONNECT 207.217.125.22:25 HTTP/1.1" 200 5664 "-" "-"
I have just been to grc.com, and my SMTP port is stealthed.
Here is a listing of netstat
keith@myserver:~> netstat -lt Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:printer *:* LISTEN tcp 0 0 *:www-http *:* LISTEN tcp 0 0 *:afs3-fileserver *:* LISTEN tcp 0 0 localhost:smtp *:* LISTEN
Anyone have any ideas?
Kind Regards - Keith Roberts