Koozali.org: home of the SME Server

"funny" entries in access_log

Per Smith

"funny" entries in access_log
« on: December 07, 2002, 11:15:45 PM »
Hello all

I have some funny entries in my access_log in e-smith.
The entries look similar to this:
www.MyDomain.com 64.146.105.180 - - [01/Dec/2002:04:43:28 +0100] "CONNECT 65.54.253.230:25 HTTP/1.0" 200 3203 "-" "-"

The IP addresses change with each line.

Is this some kind of security issue?
Does someone use my server to relay or send DoS attacks?

Best regards
Per Smith

Jens Kruuse

Re: "funny" entries in access_log
« Reply #1 on: December 12, 2002, 02:15:23 PM »
I'd like to second that query. ;)

I get new ones every 20 seconds or so. As far as I can tell from Googling somebody (in Per's case: 64.146.105.180) is trying to establish an SMTP connection to a mailserver (65.54.253.230) through Apache.

There are corresponding "Lame server" entries in the message log. One every 20 secs.

My "attacks" are rotated:

www.faithful.dk 170.215.248.147 - - [12/Dec/2002:11:59:55 +0100] "CONNECT mailin-03.mx.aol.com:25 HTTP/1.0" 200 43491 "-" "-"
www.faithful.dk 170.215.248.147 - - [12/Dec/2002:12:00:15 +0100] "CONNECT mx2.hotmail.com:25 HTTP/1.0" 200 43491 "-" "-"
www.faithful.dk 170.215.248.147 - - [12/Dec/2002:12:00:35 +0100] "CONNECT smtp-gw-4.msn.com:25 HTTP/1.0" 200 43491 "-" "-"
www.faithful.dk 170.215.248.147 - - [12/Dec/2002:12:00:55 +0100] "CONNECT mx4.mail.yahoo.com:25 HTTP/1.0" 200 3765 "-" "-"

Looks like somebody wants to overwhelm aol, hotmail, msn, and yahoo? (I assume they are using more than my server).

Cheers,
Jens

Jens Kruuse

Re: "funny" entries in access_log
« Reply #2 on: December 13, 2002, 01:24:55 AM »
I got tired of the junk filling up my log, so I blocked his IP in the router. Doable as long as only one guy is actively pursuing this mode of "attack".

/Jens

Per Smith

Re: "funny" entries in access_log
« Reply #3 on: December 13, 2002, 06:22:29 PM »
I did some tracking

It seems that IP 65.54.253.230 resolves to "mc8.law1.hotmail.com" and it's also more or less the same IP's which are being connected to.
I would say that around 90% of the entries end in a *.hotmail.com domain.

I also noticed that the "attacker" hasn't got the same IP every time, but most of the entries come from the same subnet, so my guess is that he has a dynamic IP.

Does anybody know how to stop this kind of attack?
Do I need some kind of patch for Apache?

Best regards
Per Smith
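The pattern the thread describes (CONNECT requests to port 25 that Apache answered with 200, i.e. tunnels it actually opened for a third party) can be picked out of an access_log mechanically. The following is an added example, not code from the thread or from SME Server; the log lines inside it are constructed in the same vhost-prefixed combined format as the excerpts above, using documentation IP ranges, and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic), same layout as the thread's
# access_log excerpts: vhost, client IP, ident, user, timestamp, request, ...
SAMPLE_LOG = """\
www.example.test 198.51.100.7 - - [12/Dec/2002:11:59:55 +0100] "CONNECT mx.mail.example:25 HTTP/1.0" 200 43491 "-" "-"
www.example.test 198.51.100.7 - - [12/Dec/2002:12:00:15 +0100] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 43491 "-" "-"
www.example.test 203.0.113.9 - - [12/Dec/2002:12:00:35 +0100] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
www.example.test 198.51.100.7 - - [12/Dec/2002:12:00:55 +0100] "CONNECT 192.0.2.26:25 HTTP/1.0" 405 310 "-" "-"
"""

# vhost-prefixed combined log format; the referer/user-agent tail is ignored.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_proxied_connects(log_text, ports=(25,)):
    """Find CONNECT requests aimed at the given ports.

    Returns (hits, tunnels_per_client, hosts_per_client). A hit with
    status 200 is a tunnel Apache really opened (the open-proxy relay the
    thread is about); any other status is an attempt the server refused.
    """
    hits, tunnels_per_client = [], Counter()
    hosts_per_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        host, _, port = rec["target"].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        rec["host"], rec["port"] = host, int(port)
        rec["tunnelled"] = rec["status"] == "200"
        hits.append(rec)
        if rec["tunnelled"]:
            tunnels_per_client[rec["client"]] += 1
            hosts_per_client[rec["client"]].add(host)
    return hits, tunnels_per_client, hosts_per_client
```

Any client that shows up in `tunnels_per_client` was able to relay through the server, which is the real problem to fix: a web server that is not meant to be a forward proxy should have mod_proxy's `ProxyRequests Off`, so CONNECT is refused rather than honoured.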

Charlie Brady

Re: "funny" entries in access_log
« Reply #4 on: December 13, 2002, 07:17:09 PM »
Per Smith wrote:
>
> I did some tracking
>
> It seems that IP 65.54.253.230 resolves to
> "mc8.law1.hotmail.com" and it's also more or less the same
> IP's which are being connected to.
> I would say that around 90% of the entries ends in a
> *.hotmail.com domain.

Note that this doesn't mean that the IPs are in any way related to hotmail.com. It just means that the owner of the IPs is able to create reverse DNS records that point the blame towards hotmail.

Note also that mc8.law1.hotmail.com does not resolve.

Charlie

Damien Curtain

Re: "funny" entries in access_log
« Reply #5 on: December 14, 2002, 07:35:33 AM »
Charlie Brady wrote:
>
> Per Smith wrote:
> >
> > I did some tracking
> >
> > It seems that IP 65.54.253.230 resolves to
> > "mc8.law1.hotmail.com" and it's also more or less the same
> > IP's which are being connected to.
> > I would say that around 90% of the entries ends in a
> > *.hotmail.com domain.
>
> Note that this doesn't mean that the IPs are in any way
> related to hotmail.com. It just means that the owner of the
> IPs is able to create reverse DNS records that point the
> blame towards hotmail.

It's easy to find out who owns that IP though....

OrgName:    Microsoft Corp
OrgID:      MSFT

NetRange:   65.52.0.0 - 65.55.255.255
CIDR:       65.52.0.0/14
TechHandle: ZM23-ARIN
TechName:   Microsoft Corporation
TechPhone:  +1-425-882-8080
TechEmail:  noc@microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  iprrms@microsoft.com

# ARIN Whois database, last updated 2002-12-13 20:00
# Enter ? for additional hints on searching ARIN's Whois database.

email abuse@microsoft.com, if that address exists...

> Note also that mc8.law1.hotmail.com does not resolve.

How surprising...
--
 Damien