Strange apache logs: CONNECT maila.microsoft.com:25

From: Jeroen Wesbeek (duhat_private)
Date: Mon Nov 18 2002 - 01:05:04 PST


    Hello,
    
    As I was having a look at the access log of an Apache daemon I noticed a
    strange entry. After grepping the access log it appeared this entry has
    occurred 9 times since September this year. I also noticed the same entry on
    other servers as well. It looks like something or someone is trying to send
    e-mail through a Microsoft SMTP server using HTTP daemons; however, I can't
    seem to find anything relating to these entries on either Google or
    the SecurityFocus archives. Most entries (64.*) seem to originate from
    dialup IP addresses within the netblock of sympatico.ca while the rest are
    US-based addresses.
    
    68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
    64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    65.95.180.128 - - [29/Oct/2002:09:17:51 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    64.231.50.98 - - [31/Oct/2002:23:24:13 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    66.230.222.226 - - [01/Nov/2002:20:07:38 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    64.229.147.12 - - [14/Nov/2002:16:27:30 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    64.228.70.235 - - [15/Nov/2002:11:32:56 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    4.63.221.224 - - [16/Nov/2002:05:49:13 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    64.229.147.19 - - [17/Nov/2002:15:35:24 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
    
    Does anybody have a clue what this might be?
    
    Grtz,
    
    
    dowebwedo
    Jeroen Wesbeek
    .programming
    St. Jacobsstraat 16 | 3511 BS Utrecht
    Postbus 448 | 3500 AK Utrecht
    The Netherlands
    www.dowebwedo.com
    p +31 (0) 30 234 81 10 | f  +31 (0) 20 773 83 38
    
    [roses are red, violets are blue, I am schizophrenic and so am I ]
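
Added example, not part of the original post: CONNECT is the HTTP method a client uses to ask a proxy to open a TCP tunnel to the named host:port, so a triage script for entries like the ones quoted above can pull out every CONNECT request and separate refused attempts from any the server answered with 2xx. The sample log is constructed (the 192.0.2.x lines and `mail.example.net` are invented), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in Apache common log format, modelled on the entries
# quoted in the post; the 192.0.2.x lines are invented for illustration.
SAMPLE_LOG = """\
68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
192.0.2.10 - - [30/Oct/2002:10:00:00 +0100] "GET /index.html HTTP/1.0" 200 1024
192.0.2.77 - - [30/Oct/2002:10:05:00 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 200 0
this line is not a log entry
"""

# client ident user [time] "METHOD target ..." status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def connect_attempts(log_text):
    """Return one dict per CONNECT request, split into host, port and status."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("method") != "CONNECT":
            continue  # unparseable line or an ordinary request
        target = m.group("target")
        host, sep, port = target.rpartition(":")
        hits.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "host": host if sep else target,
            "port": int(port) if sep and port.isdigit() else None,
            "status": int(m.group("status")),
        })
    return hits

def summarize(hits):
    """Count attempts per status; list those answered 2xx for config review."""
    by_status = Counter(h["status"] for h in hits)
    accepted = [h for h in hits if 200 <= h["status"] < 300]
    return by_status, accepted

if __name__ == "__main__":
    hits = connect_attempts(SAMPLE_LOG)
    by_status, accepted = summarize(hits)
    print("CONNECT attempts by status:", dict(by_status))
    for h in accepted:
        print("REVIEW proxy config:", h["client"], "->", h["host"], h["port"])
```

A 2xx reply to CONNECT is how a proxy signals that it opened the tunnel, so those entries are the ones to check against the server's proxy configuration; 4xx replies like the ones in the post mean the request was refused.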
    