Just a thought.... Could it be a probe for a webmail interface?

On Thu, 05 Sep 2002 13:07:29 -0700, you wrote:

>At 9/5/2002 11:34 AM, Etaoin Shrdlu wrote:
>
>>I saved a full session of one of the attempts on my local machine (seven
>>packets worth) from ethereal. There was also an initial attempt to validate
>>as user "tcpwrappers" which I found a bit odd. Those are the only things
>>beyond log entries, and of course the packets are incomplete (since the
>>attempts were blocked). The odd and unique thing is that the initial
>>payload was:
>>
>> > GET http://www.yahoo.com/ HTTP/1.1
>> > Host: www.yahoo.com
>> > Accept: */*
>> > Pragma: no-cache
>> > User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
>
>That looks like someone scanning for a proxy server. Typically these scans
>are limited to ports 80, 1080, 3128, and 8080, but maybe somebody has found
>a reason to look for proxy servers on SMTP ports.
>
>Michael Katz
>mikeat_private
>Procinct Security
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
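
One way to flag the kind of payload quoted in this thread from captured first packets, as an added example that is not part of the original messages: it marks a proxy-style HTTP request (full-URL target or CONNECT) and notes when it arrives on a port outside the usual proxy-scan set. The function name, the verdict labels and the use of port 25 for SMTP are assumptions; the sample payload is constructed from the lines quoted above.

```python
import re

# Ports the thread names as the usual proxy-scan targets.
USUAL_PROXY_PORTS = {80, 1080, 3128, 8080}

REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT) (\S+) HTTP/1\.[01]\r?$"
)
ABSOLUTE_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

# Constructed sample: the payload quoted in the thread, with CRLF line endings.
SAMPLE_PROBE = (
    b"GET http://www.yahoo.com/ HTTP/1.1\r\n"
    b"Host: www.yahoo.com\r\n"
    b"Accept: */*\r\n"
    b"Pragma: no-cache\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)\r\n\r\n"
)

def classify_first_payload(payload: bytes, dst_port: int) -> dict:
    """Classify the first client payload seen on a TCP session."""
    first_line, _, rest = payload.partition(b"\n")
    m = REQUEST_LINE.match(first_line)
    if not m:
        # e.g. a normal SMTP client greeting such as EHLO/HELO
        return {"verdict": "not-http", "dst_port": dst_port}
    method = m.group(1).decode()
    target = m.group(2).decode("latin-1")
    headers = {}
    for line in rest.split(b"\n"):
        name, sep, value = line.strip().partition(b":")
        if sep:
            headers[name.decode("latin-1").lower()] = value.strip().decode("latin-1")
    # A request meant for a proxy carries a full URL, or uses CONNECT host:port;
    # a request meant for an origin server carries only a path.
    proxy_form = method == "CONNECT" or ABSOLUTE_URL.match(target) is not None
    if not proxy_form:
        verdict = "http-origin-request"
    elif dst_port in USUAL_PROXY_PORTS:
        verdict = "proxy-probe"
    else:
        verdict = "proxy-probe-unusual-port"
    return {"verdict": verdict, "dst_port": dst_port, "method": method,
            "target": target, "headers": headers}

if __name__ == "__main__":
    print(classify_first_payload(SAMPLE_PROBE, 25))  # 25: assumed SMTP port
```
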
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 14:18:46 PDT