Securing a server - unusual HTTP requests via port 25 from clients

From: phileon <jg(at)phileon.de>
Date: Fri, 3 Sep 2004 01:58:53 +0200

Hello,

since the traffic on one system has increased over the past few days,
I looked for the cause and found it in the access_log of one domain.
For the past few days it has been flooded at night with these
entries (see below).

Can I block these right away - and which tools cause this,
and with what motive?

Thanks a lot for your help!

Regards,
  Jan

PS My first thought was a tool for finding open relays ... but then why
HTTP requests...
PPS The mail server is secured, by the way (smtp-auth)

[...]
82.80.252.162 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 143.166.224.193:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.171 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 206.190.36.244:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.147 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 216.68.8.211:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.147 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 199.185.220.200:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.168 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 63.240.161.100:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.151 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 65.54.253.230:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.147 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 199.185.220.200:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.180 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 24.71.223.11:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.152 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 166.82.29.17:25 HTTP/1.0" 200 8511 "-" "-"
211.100.24.185 - - [03/Sep/2004:01:25:19 +0200] "CONNECT 64.156.215.7:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.147 - - [03/Sep/2004:01:25:19 +0200] "CONNECT 216.68.8.212:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.147 - - [03/Sep/2004:01:25:20 +0200] "CONNECT 199.185.220.200:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.147 - - [03/Sep/2004:01:25:20 +0200] "CONNECT 207.150.192.13:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.162 - - [03/Sep/2004:01:25:20 +0200] "CONNECT 205.246.18.251:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.171 - - [03/Sep/2004:01:25:20 +0200] "CONNECT 66.94.234.252:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.180 - - [03/Sep/2004:01:25:21 +0200] "CONNECT 64.59.134.8:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.171 - - [03/Sep/2004:01:25:21 +0200] "CONNECT 216.136.129.5:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.162 - - [03/Sep/2004:01:25:21 +0200] "CONNECT 216.226.133.15:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.151 - - [03/Sep/2004:01:25:22 +0200] "CONNECT 65.54.253.230:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.147 - - [03/Sep/2004:01:25:22 +0200] "CONNECT 199.185.220.250:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.147 - - [03/Sep/2004:01:25:22 +0200] "CONNECT 199.185.220.250:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.168 - - [03/Sep/2004:01:25:23 +0200] "CONNECT 65.108.203.93:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.168 - - [03/Sep/2004:01:25:23 +0200] "CONNECT 200.176.131.2:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.170 - - [03/Sep/2004:01:25:23 +0200] "CONNECT 64.156.215.6:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.151 - - [03/Sep/2004:01:25:24 +0200] "CONNECT 65.54.166.99:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.168 - - [03/Sep/2004:01:25:24 +0200] "CONNECT 193.252.22.143:25 HTTP/1.0" 200 8511 "-" "-"
211.100.24.173 - - [03/Sep/2004:01:25:24 +0200] "CONNECT 64.59.5.99:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.180 - - [03/Sep/2004:01:25:24 +0200] "CONNECT 38.118.152.245:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.152 - - [03/Sep/2004:01:25:25 +0200] "CONNECT 167.206.5.3:25 HTTP/1.0" 200 8511 "-" "-"
82.80.252.151 - - [03/Sep/2004:01:25:25 +0200] "CONNECT 65.54.252.99:25 HTTP/1.0" 200 8511 "-" "-"
[...]

Received on Fri 03 Sep 2004 - 01:59:13 CEST
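
One way to triage access_log entries like those in the message above, as an added example that is not part of the original post: it counts HTTP CONNECT requests aimed at port 25 per client and checks whether every 2xx reply had the same size. The log sample is constructed with documentation addresses, and reading a uniform reply size as "the server sent the same document each time rather than relayed data" is an assumption of this example, to be confirmed against the proxy configuration.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Sep/2004:01:25:18 +0200] "CONNECT 198.51.100.7:25 HTTP/1.0" 200 8511 "-" "-"
192.0.2.10 - - [03/Sep/2004:01:25:19 +0200] "CONNECT 198.51.100.8:25 HTTP/1.0" 200 8511 "-" "-"
192.0.2.11 - - [03/Sep/2004:01:25:19 +0200] "CONNECT 203.0.113.5:25 HTTP/1.0" 200 8511 "-" "-"
192.0.2.12 - - [03/Sep/2004:01:25:20 +0200] "GET /index.html HTTP/1.0" 200 8511 "-" "Mozilla/4.0"
192.0.2.13 - - [03/Sep/2004:01:25:21 +0200] "CONNECT 203.0.113.9:443 HTTP/1.0" 405 312 "-" "-"
"""

# Matches only CONNECT requests whose target is written as host:port.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"CONNECT (?P<host>[^\s:"]+):(?P<port>\d+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def summarize_connect(log_text, port=25):
    """Summarize HTTP CONNECT requests aimed at `port` (default: SMTP)."""
    clients, targets = Counter(), Counter()
    ok_sizes = []  # response sizes of requests answered with a 2xx status
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["port"]) != port:
            continue
        clients[m["client"]] += 1
        targets[m["host"]] += 1
        if m["status"].startswith("2"):
            ok_sizes.append(m["size"])
    return {
        "total": sum(clients.values()),
        "clients": clients.most_common(),   # busiest requesters first
        "distinct_targets": len(targets),
        "answered_2xx": len(ok_sizes),
        # Assumption: one identical size on every 2xx reply suggests the same
        # document was served each time instead of tunnelled SMTP traffic.
        "uniform_size": bool(ok_sizes) and len(set(ok_sizes)) == 1,
    }

if __name__ == "__main__":
    for key, value in summarize_connect(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pass the contents of the real access_log to `summarize_connect()` in place of the sample; a nonzero `answered_2xx` is the figure to follow up on first.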