[Dshield] Scan of my webserver
tom.laermans at powersource.cx
Tue Mar 4 23:46:32 GMT 2003
At 21:29 04/03/2003, you wrote:
>Has anyone seen this before, and what is it attempting to do?
>I haven't been able to find much information on Google regarding this
>scan. Manually attempting the same commands comes up 404.
>Apache 1.3.x logs:
>x.x.x.x - - [23/Feb/2003:16:11:45 -0500] "\x04\x01" 200 5533
>x.x.x.x - - [23/Feb/2003:16:12:06 -0500] "\x05\x01" 200 5533
>x.x.x.x - - [23/Feb/2003:16:12:07 -0500] "CONNECT 126.96.36.199:25
>HTTP/1.1" 200 5553
While I don't know about the first 2, the last one is an attempt to connect
to a mailserver using your webserver as an anonymous relay.
Apparently it succeeded, at least that's what code 200 tells me, which
gives me the impression you're running the proxy module and are wide open
to the world.
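
Added example, not part of the original post: a small Python triage script that picks proxy-style requests out of an Apache access log like the one quoted above and marks the ones the server answered with a 2xx status. The sample lines are constructed with placeholder addresses, the function names are hypothetical, and the reading of "\x04\x01" and "\x05\x01" as the opening bytes of SOCKS4 and SOCKS5 requests is an addition based on those protocols' headers, not something stated in the thread.

```python
import re

# Constructed sample lines modelled on the log excerpt quoted above
# (addresses are documentation-range placeholders, not the poster's data).
SAMPLE_LOG = r'''
192.0.2.10 - - [23/Feb/2003:16:11:45 -0500] "\x04\x01" 200 5533
192.0.2.10 - - [23/Feb/2003:16:12:06 -0500] "\x05\x01" 200 5533
192.0.2.10 - - [23/Feb/2003:16:12:07 -0500] "CONNECT 198.51.100.7:25 HTTP/1.1" 200 5553
192.0.2.44 - - [23/Feb/2003:16:13:00 -0500] "GET http://example.org/ HTTP/1.0" 404 289
192.0.2.50 - - [23/Feb/2003:16:14:10 -0500] "GET /index.html HTTP/1.1" 200 5533
'''

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')

def classify(request):
    """Return a probe label for the logged request field, or None if it looks normal."""
    if request.startswith(r'\x04\x01'):
        return 'socks4-connect'       # SOCKS4 header: version 4, command 1 (CONNECT)
    if request.startswith(r'\x05\x01'):
        return 'socks5-greeting'      # SOCKS5 header: version 5, one auth method offered
    parts = request.split()
    if not parts:
        return None
    if parts[0].upper() == 'CONNECT':
        return 'http-connect'         # HTTP tunnel request, e.g. to an SMTP port
    if len(parts) > 1 and re.match(r'[A-Za-z][A-Za-z0-9+.-]*://', parts[1]):
        return 'http-absolute-uri'    # proxy-style GET/POST with a full URL
    return None

def scan(log_text):
    """Return (host, label, status, needs_review) for every proxy-style request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, _when, request, status, _size = m.groups()
        label = classify(request)
        if label is not None:
            # A 2xx answer means the server did not refuse the request, so the
            # proxy configuration should be checked; 4xx/5xx means it was rejected.
            findings.append((host, label, int(status), status.startswith('2')))
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```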