In my httpd log files I've seen something like this:
[27/Jan/2003:17:32:15 +0200] "CONNECT 213.221.189.10:6660 HTTP/1.0" 200 541 "-" "-"
First it was directed to port 25 and esmithy gave back return code 400, but after a couple of days the return code was 200, which means OK!!
So something went through to the HTTP level and sent information in an "indirect" way. Then the intruders changed the port to 6660.
I know that this is a scanning script that tells the intruder that the proxy is
open. It uses apache / php weaknesses.
I've tried to stop mail-system, squid. Turned off php URL handling and so on ... nothing helped.
Can somebody tell me how I can shut down this "indirect" snoofing, because
spammers / blackhats can also use this method for sending/getting information through / in / from my server?
The lucky thing is that my esmithy is standing behind an iron firewall (port 80 open) and tripwire says that nothing has changed in my system.
..Lasse...
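
An added example, not part of the original post: a small Python filter that pulls CONNECT requests out of an Apache access log and marks the ones the server answered with a 2xx status, so they can be checked against the proxy configuration. Only the 6660 line comes from the post; the client addresses, the port 25 line and the GET line are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches a full common/combined log line, or the fragment quoted in the
# post that starts at the "[timestamp]" field (client fields missing).
LINE_RE = re.compile(
    r'^(?:(?P<client>\S+) \S+ \S+ )?'
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample input; only the last line is taken from the post.
SAMPLE_LOG = '''\
192.0.2.44 - - [25/Jan/2003:09:12:01 +0200] "CONNECT 198.51.100.7:25 HTTP/1.0" 400 312 "-" "-"
192.0.2.44 - - [27/Jan/2003:17:30:02 +0200] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
[27/Jan/2003:17:32:15 +0200] "CONNECT 213.221.189.10:6660 HTTP/1.0" 200 541 "-" "-"
'''

def connect_attempts(lines):
    """Return one dict per CONNECT request found in the log lines."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("method") != "CONNECT":
            continue
        # CONNECT targets have the form host:port; tolerate a missing port.
        host, _, port = m.group("target").rpartition(":")
        status = int(m.group("status"))
        hits.append({
            "client": m.group("client") or "?",
            "time": m.group("ts"),
            "host": host or m.group("target"),
            "port": int(port) if port.isdigit() else None,
            "status": status,
            "answered_2xx": 200 <= status < 300,
        })
    return hits

def summarize(hits):
    """Count CONNECT requests per (target port, HTTP status) pair."""
    return Counter((h["port"], h["status"]) for h in hits)

if __name__ == "__main__":
    for h in connect_attempts(SAMPLE_LOG.splitlines()):
        flag = "REVIEW" if h["answered_2xx"] else "refused"
        print(f'{flag:7} {h["time"]} {h["client"]} -> '
              f'{h["host"]}:{h["port"]} status={h["status"]}')
```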