[Dshield] Is This Depicting a Security Hole in HTTPD?

David Cary Hart DShield at TQMcube.com
Tue Dec 6 18:56:35 GMT 2005


On Tue, 6 Dec 2005 17:50:45 +0000 GMT
"Ed Truitt" <ed.truitt at etee2k.net> opined:

>> 59.104.54.157 - - [06/Dec/2005:11:58:09 -0500] "CONNECT 210.200.181.193:25 HTTP/1.0" 200 4702 "-" "-"
>> 59.104.54.157 - - [06/Dec/2005:11:58:30 -0500] "CONNECT 210.200.181.194:25 HTTP/1.0" 200 4702 "-" "-"
>> 59.104.54.157 - - [06/Dec/2005:11:58:34 -0500] "CONNECT 210.200.181.193:25 HTTP/1.0" 200 4702 "-" "-"

> Looks like it to me - is Apache set up as a proxy?
>
No, and the constancy of the file size means that they retrieved
index.php. Sorry. I'm just paranoid.

I'm going to add the pattern to swatch -> iptables to save some
bandwidth.

I just went through the week's logs and I have quite a few of these
(all 4,702) - which I never noticed before. Is this, perhaps, a new
effort to exploit proxies for spam?

 -- 
Our DNSRBL - 
       Eliminate Spam: http://www.TQMcube.com/spam_trap.php
        Zombie Graphs: http://www.TQMcube.com/zombies.php
          GeoGraphics: http://www.TQMcube.com/origins.php
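
Added example, not part of the original post: a log check for the pattern discussed above, which groups CONNECT requests by client and tests whether every response has the same size as the site's index page (the poster's reading of the 200/4702 entries). The function names and the `index_size` parameter are hypothetical; the first three sample lines are the ones quoted in the post, and the fourth is constructed.

```python
import re
from collections import defaultdict

# Apache combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def connect_probes(lines):
    """Return {client_ip: [(host, port, status, size), ...]} for CONNECT requests."""
    probes = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, _, port = m["target"].rpartition(":")
        size = 0 if m["size"] == "-" else int(m["size"])
        probes[m["ip"]].append((host, port, int(m["status"]), size))
    return dict(probes)

def summarize(probes, index_size=None):
    """Per-client summary; index_size is the known byte size of the index page."""
    report = {}
    for ip, hits in probes.items():
        sizes = {h[3] for h in hits}
        report[ip] = {
            "count": len(hits),
            "smtp_targets": sorted({h[0] for h in hits if h[1] == "25"}),
            "got_2xx": sum(1 for h in hits if 200 <= h[2] < 300),
            "constant_size": len(sizes) == 1,
            "matches_index": index_size is not None and sizes == {index_size},
        }
    return report

# Lines 1-3 are quoted from the post; line 4 is a constructed ordinary request.
SAMPLE = [
    '59.104.54.157 - - [06/Dec/2005:11:58:09 -0500] "CONNECT 210.200.181.193:25 HTTP/1.0" 200 4702 "-" "-"',
    '59.104.54.157 - - [06/Dec/2005:11:58:30 -0500] "CONNECT 210.200.181.194:25 HTTP/1.0" 200 4702 "-" "-"',
    '59.104.54.157 - - [06/Dec/2005:11:58:34 -0500] "CONNECT 210.200.181.193:25 HTTP/1.0" 200 4702 "-" "-"',
    '192.0.2.10 - - [06/Dec/2005:11:59:01 -0500] "GET /index.php HTTP/1.0" 200 4702 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(connect_probes(SAMPLE), index_size=4702))
```

A client whose CONNECT responses vary in size, or do not match the index page, is the case that deserves a closer look at the proxy configuration.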

