
Malicious Intent?

CONNECT mx2.mail.yahoo.com:25


rrdega

6:49 pm on Aug 31, 2003 (gmt 0)

10+ Year Member



Okay, so I'm watching my logs for stuff talked about in this thread [webmasterworld.com] and I see this in my log:
199.183.195.81 - - [31/Aug/2003:13:34:14 -0500] "CONNECT mx2.mail.yahoo.com:25 HTTP/1.0" 200 17040 "-" "-"

What's the scoop with that? Someone trying to use my server for getting to Yahoo Mail? :::Huh?:::

I've already banned the IP, but am curious if this is a typical type thing, and what's the intent?

dmorison

7:04 pm on Aug 31, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Someone probing (don't worry, they're not picking on you individually!) for HTTP servers that are configured to support proxy tunnelling via the HTTP "CONNECT" method.

[asg.web.cmu.edu...]

No different to a probe for /formmail.pl really; if the attempt found your server to be acting as an open proxy then the attacker would probably begin spamming - not from your box but going via your box.

All part of the noise.

rrdega

7:13 pm on Aug 31, 2003 (gmt 0)

10+ Year Member



Thanx! Yeah, it had "noise" written all over it... What really concerned me was the 200 status returned! i.e., Was it successful? And what's with the 17K that was transferred with the CONNECT request?

If you scan the thread I referenced above, you'll see I'm getting a LOTTA odd "traffic" already, and am wondering if this is related in some way...

Hmmm... I wonder if the previous owner of my IP (it's new to me since the 18th) was running a proxy server, or something, eh?

dmorison

7:22 pm on Aug 31, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Have to admit that the 200 status code concerned me a bit as well.. I would have expected 400 (Bad Request) or 401 (Get Lost) or something.

If I get time later I'll look into it more.
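As an added example (not code from the thread or its posters), here is a small Python checker that parses Apache-style log lines like the one quoted above, picks out CONNECT requests, and flags any the server answered with a 2xx status, which is the condition behind the worry about the 200 in this thread, so the proxy configuration can be reviewed. The sample log lines (RFC 5737 addresses) and the severity labels are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Apache common/combined log line shape as in the thread: ip - - [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

@dataclass
class ConnectFinding:
    ip: str
    timestamp: str
    target: str
    port: Optional[int]
    status: int
    bytes_sent: int
    severity: str  # "rejected" or "possible-open-proxy"

def port_of(target: str) -> Optional[int]:
    # CONNECT targets are "host:port"; anything else is malformed
    _host, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def find_connect_probes(lines):
    """Return one finding per CONNECT request found in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue  # normal GET/POST traffic is not a proxy probe
        status = int(m["status"])
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        # A server that is not a forward proxy should refuse CONNECT (4xx/5xx).
        # A 2xx means it answered as if the tunnel was opened, which is the
        # open-proxy case the thread worries about: check the proxy config.
        severity = "possible-open-proxy" if 200 <= status < 300 else "rejected"
        findings.append(ConnectFinding(m["ip"], m["ts"], m["target"],
                                       port_of(m["target"]), status, sent, severity))
    return findings

# Constructed sample log lines (RFC 5737 addresses), not taken from the thread
SAMPLE_LOG = """\
192.0.2.10 - - [31/Aug/2003:13:34:14 -0500] "CONNECT mx2.mail.yahoo.com:25 HTTP/1.0" 200 17040 "-" "-"
192.0.2.11 - - [31/Aug/2003:13:40:02 -0500] "CONNECT mx2.mail.yahoo.com:25 HTTP/1.0" 405 335 "-" "-"
192.0.2.12 - - [31/Aug/2003:13:41:55 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
""".splitlines()
```

Run `find_connect_probes(SAMPLE_LOG)` to get the two CONNECT findings; the GET line is ignored, and only the first is marked possible-open-proxy.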

rrdega

7:29 pm on Aug 31, 2003 (gmt 0)

10+ Year Member



Thanx! I'm going to poke about some more too... 'n perhaps ask my host about the previous occupant of this addy.