Hello Debians,

----- Original Message -----
From: "Michael Renzmann" <[EMAIL PROTECTED]>
To: <debian-security@lists.debian.org>
Sent: Tuesday, September 10, 2002 8:35 AM
Subject: "suspicious" apache log entries
> [Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed:
> erroneous characters after protocol string: CONNECT
> mailb.microsoft.com:25 / HTTP/1.0

I've seen tons of ../script/ and ../cmd.exe's as I've got several machines with fixed IPs.

##########################################################
klopm:/# cat logs/access_log | grep cmd.exe| wc -l
15384
##########################################################

starting at 07/Feb/2002 at only one IP. And this machine has got 33 IPs.

But this request you mentioned was new to me too - seems like I've missed something at bugtraq/vulnwatch etc..;-)

Here it appears for the first time:

##########################################################
67.81.183.168 - - [30/May/2002:16:24:20 +0000] "CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0" 405 231 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
##########################################################

on only one IP - at the end of May. The next request comes in 2 weeks later:

##########################################################
216.53.218.199 - - [15/Jul/2002:01:23:06 +0200] "CONNECT mxs.mail.ru:25 HTTP/1.0" 404 194 "-" "-"
##########################################################

without user agent! Some aSSk!cKiNG VB-script, I guess.

Now it seems to start. Yesterday I got 39 requests for the first time. Seems to be new...

As they want to connect to some mail server, I guess these are spammers looking for new ways to spread their impotent news. That's why there are not so many requests: because kids can't find any "my files" - I guess.

Has anyone seen some Anti-Nimda/Code Red beside http://www.eye-net.com.au/csmall/myscripts/nimda.html ?

I'd like to send out some abuse mails to RIPE or the ISP in addition to the webmaster, as I believe most of the attacks are done by kids instead of infected servers. This one is a bit more complicated as one needs the whois for the IP and I don't have the time to work on this myself....
Over 15000 requests on one IP * 33 at about 240 bytes make round about 100MB traffic and over 60MB logfile for nothing.

thanks and best regards,
Andreas
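As an added example (not from Andreas's mail or from the Debian lists), a small Python script that does the triage described above from the defender's side: it parses Apache combined-format access_log lines, tags the CONNECT-to-port-25 proxy probes and the cmd.exe / /scripts/ requests separately, tallies them per source IP (the list you would feed into whois for abuse reports), and sums the response bytes those probes cost. The sample log lines and client IPs are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" access_log format, as in the access_log lines quoted in the mail.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log, modelled on the lines quoted above; client IPs are
# documentation (TEST-NET) addresses, not real sources.
SAMPLE_LOG = """\
192.0.2.10 - - [30/May/2002:16:24:20 +0000] "CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0" 405 231 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.7 - - [15/Jul/2002:01:23:06 +0200] "CONNECT mxs.mail.ru:25 HTTP/1.0" 404 194 "-" "-"
203.0.113.5 - - [07/Feb/2002:03:11:52 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
203.0.113.5 - - [07/Feb/2002:03:11:53 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.44 - - [10/Sep/2002:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

def classify(method, target):
    """Label one request: CONNECT to port 25 is an open-proxy / spam-relay probe,
    CONNECT elsewhere a generic proxy probe, cmd.exe or /scripts/ a Nimda/Code Red
    style IIS probe. Returns None for anything else."""
    if method == "CONNECT":
        return "proxy-smtp" if target.endswith(":25") else "proxy-other"
    if re.search(r'cmd\.exe|/scripts/', target, re.IGNORECASE):
        return "nimda-codered"
    return None

def scan_log(text):
    """Tally probe hits per category and per client IP, plus the response bytes
    those probes cost; lines the regex cannot parse are returned for inspection."""
    by_category, by_ip, probe_bytes, unparsed = Counter(), defaultdict(Counter), 0, []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = COMBINED_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        cat = classify(m["method"], m["target"])
        if cat:
            by_category[cat] += 1
            by_ip[m["ip"]][cat] += 1
            probe_bytes += int(m["bytes"]) if m["bytes"].isdigit() else 0
    return {"by_category": by_category, "by_ip": dict(by_ip),
            "probe_bytes": probe_bytes, "unparsed": unparsed}

if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for ip, cats in sorted(report["by_ip"].items()):
        print(ip, dict(cats))  # one line per source worth an abuse report
    print("probe response bytes:", report["probe_bytes"])
```

Run it against a real access_log with `scan_log(open("access_log").read())`; anything in "unparsed" is a line in a log format the regex does not cover, not necessarily a probe.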