From owner-freebsd-questions@FreeBSD.ORG  Thu Apr  6 22:01:45 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@FreeBSD.ORG
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6E1E916A404
	for <freebsd-questions@FreeBSD.ORG>;
	Thu,  6 Apr 2006 22:01:45 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from pi.codefab.com (pi.codefab.com [199.103.21.227])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BDE7F43D69
	for <freebsd-questions@FreeBSD.ORG>;
	Thu,  6 Apr 2006 22:01:44 +0000 (GMT) (envelope-from cswiger@mac.com)
Received: from localhost (localhost [127.0.0.1])
	by pi.codefab.com (Postfix) with ESMTP id 2C1C35E17;
	Thu,  6 Apr 2006 18:01:44 -0400 (EDT)
Received: from pi.codefab.com ([127.0.0.1])
	by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 15835-03; Thu,  6 Apr 2006 18:01:43 -0400 (EDT)
Received: from [192.168.1.3] (pool-68-161-112-80.ny325.east.verizon.net
	[68.161.112.80])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pi.codefab.com (Postfix) with ESMTP id 3B8055C66;
	Thu,  6 Apr 2006 18:01:43 -0400 (EDT)
Message-ID: <44358FC6.3050000@mac.com>
Date: Thu, 06 Apr 2006 18:01:42 -0400
From: Chuck Swiger <cswiger@mac.com>
User-Agent: Thunderbird 1.5 (Windows/20051201)
MIME-Version: 1.0
To: fbsd_user@a1poweruser.com
References: <MIEPLLIBMLEEABPDBIEGAEECHEAA.fbsd_user@a1poweruser.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGAEECHEAA.fbsd_user@a1poweruser.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: amavisd-new at codefab.com
Cc: "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: web server attack
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2006 22:01:45 -0000

fbsd_user wrote:
[ ... ]
> Does anyone know what this is and what I can do to stop it
> besides adding the ip address to my firewall block rules?

I suppose that someone is trying to exploit mod_proxy to connect to an SMTP 
server (that's the "CONNECT 4.79.181.15:25" part), or at least get HTTP 
replies back.

Make sure you don't have mod_proxy enabled in Apache....

> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:25 -0400]
> "\x04\x01" 200 0 "-" "-"
> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400]
> "\x05\x01" 200 0 "-" "-"
> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400]
> "CONNECT 4.79.181.15:25 HTTP/1.1" 200 7014 "-" "-"
> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:46 -0400]
> "GET http://www.ebay.com/ HTTP/1.1" 200 7014 "-" "Mozilla/4.0
> (compatible; MSIE 5.00; Windows 98)"

-- 
-Chuck