From owner-freebsd-questions@FreeBSD.ORG Thu Apr 6 23:00:38 2006
Return-Path: 
X-Original-To: freebsd-questions@FreeBSD.ORG
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7362D16A400 for ; Thu, 6 Apr 2006 23:00:38 +0000 (UTC) (envelope-from laszlof@vonostingroup.com)
Received: from ritamari.vonostingroup.com (ritamari.vonostingroup.com [216.144.193.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 182A943D46 for ; Thu, 6 Apr 2006 23:00:36 +0000 (GMT) (envelope-from laszlof@vonostingroup.com)
Received: from c-71-227-92-22.hsd1.mi.comcast.net ([71.227.92.22] helo=[192.168.0.3]) by ritamari.vonostingroup.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.60 (FreeBSD)) (envelope-from ) id 1FRdVm-000Mgb-8x; Thu, 06 Apr 2006 19:03:34 -0400
Message-ID: <44359D84.9020000@vonostingroup.com>
Date: Thu, 06 Apr 2006 19:00:20 -0400
From: Frank Laszlo
User-Agent: Thunderbird 1.5 (Windows/20051201)
MIME-Version: 1.0
To: Chuck Swiger
References: <44358FC6.3050000@mac.com>
In-Reply-To: <44358FC6.3050000@mac.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: fbsd_user@a1poweruser.com, "freebsd-questions@FreeBSD. ORG"
Subject: Re: web server attack
List-Id: User questions
X-List-Received-Date: Thu, 06 Apr 2006 23:00:38 -0000

Chuck Swiger wrote:
> fbsd_user wrote:
> [ ... ]
>> Does anyone know what this is and what I can do to stop it
>> besides adding the IP address to my firewall block rules?
>
> I suppose that someone is trying to exploit mod_proxy to connect to an
> SMTP server (that's the "CONNECT 4.79.181.15:25" part), or at least
> get HTTP replies back.
>
> Make sure you don't have mod_proxy enabled in Apache....
>
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:25 -0400]
>> "\x04\x01" 200 0 "-" "-"
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400]
>> "\x05\x01" 200 0 "-" "-"
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400]
>> "CONNECT 4.79.181.15:25 HTTP/1.1" 200 7014 "-" "-"
>> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:46 -0400]
>> "GET http://www.ebay.com/ HTTP/1.1" 200 7014 "-" "Mozilla/4.0
>> (compatible; MSIE 5.00; Windows 98)"
>

Set up mod_security to block that type of request.

Any chance you can capture some packets and send a link? I'd like to take a look at it.

-Frank
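The four log lines quoted above are a textbook open-proxy scan: two SOCKS handshakes (SOCKS4 CONNECT begins with the bytes 04 01, a SOCKS5 greeting with 05 01; Apache writes non-printable request bytes as \xNN, which is why they appear literally in the access log), an HTTP CONNECT to port 25 (an SMTP relay attempt through the web server), and a GET with an absolute URL (a forward-proxy check). The script below is an added example, not code posted by anyone in this thread, that classifies such lines in a common/combined-format access log and lists the hosts worth blocking. The sample log is constructed: the first four lines are the ones quoted in the thread, the fifth is an ordinary request from a documentation-range address added for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the four probe lines quoted in the thread plus one
# benign request (192.0.2.10 is a documentation address, not a real client).
SAMPLE_LOG = r"""
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:25 -0400] "\x04\x01" 200 0 "-" "-"
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "\x05\x01" 200 0 "-" "-"
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "CONNECT 4.79.181.15:25 HTTP/1.1" 200 7014 "-" "-"
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:46 -0400] "GET http://www.ebay.com/ HTTP/1.1" 200 7014 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
192.0.2.10 - - [06/Apr/2006:10:12:00 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    host: str
    kind: str          # "socks4", "socks5", "connect" or "absolute-uri"
    detail: str
    status: int
    answered_200: bool  # server returned 200: confirm ProxyRequests is Off


def classify_request(request: str) -> Optional[Tuple[str, str]]:
    """Return (kind, detail) if the request line looks like an open-proxy probe, else None."""
    # Apache logs non-printable bytes as \xNN, so the SOCKS handshake is literal text here.
    if request.startswith(r'\x04\x01'):
        return ("socks4", "SOCKS4 CONNECT handshake sent to the HTTP port")
    if request.startswith(r'\x05\x01'):
        return ("socks5", "SOCKS5 greeting sent to the HTTP port")
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        note = "SMTP relay attempt" if port == "25" else "tunnel attempt"
        return ("connect", f"CONNECT to {host}:{port} ({note})")
    if method in ("GET", "POST", "HEAD") and re.match(r'https?://', target, re.I):
        # A request-target with a scheme and host is only meaningful to a forward proxy.
        return ("absolute-uri", f"forward-proxy request for {target}")
    return None


def scan_log(text: str) -> List[Finding]:
    """Parse each access-log line and keep the ones that match a proxy-probe pattern."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-matching line
        hit = classify_request(m.group("request"))
        if hit is None:
            continue
        status = int(m.group("status"))
        findings.append(Finding(m.group("host"), hit[0], hit[1], status, status == 200))
    return findings


def hosts_to_block(findings: List[Finding]) -> List[str]:
    """Distinct probing hosts, e.g. for a firewall table."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        flag = "ANSWERED 200 - verify ProxyRequests Off" if f.answered_200 else ""
        print(f"{f.host}\t{f.kind}\t{f.detail}\t{flag}")
    print("block:", ", ".join(hosts_to_block(hits)))
```

A 200 on a CONNECT or absolute-URL request does not by itself prove the server proxied anything (a non-proxying Apache often just serves its default page), but it is the case to check by hand: the relevant Apache setting is `ProxyRequests Off`, which keeps mod_proxy from acting as a forward proxy even when the module is loaded.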