At 9/5/2002 11:34 AM, Etaoin Shrdlu wrote: >I saved a full session of one of the attempts on my local machine (seven >packets worth) from ethereal. There was also an initial attempt to validate >as user "tcpwrappers" which I found a bit odd. Those are the only things >beyond log entries, and of course the packets are incomplete (since the >attempts were blocked). The odd and unique thing is that the initial >payload was: > > > GET http://www.yahoo.com/ HTTP/1.1 > > Host: www.yahoo.com > > Accept: */* > > Pragma: no-cache > > User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98) That looks like someone scanning for a proxy server. Typically these scans are limited to ports 80, 1080, 3128, and 8080, but maybe somebody has found a reason to look for proxy servers on SMTP ports. Michael Katz mikeat_private Procinct Security ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 13:30:19 PDT