Hi,
I have a small web and mail server and was making a rotinary exam to my websites logs when I saw a very strange access to a page called msa-mx10.hinet.net:25.
This page wasn´t created by me, the browser can´t read it (not strangely, it uses smtp port number) and the ip that accessed it was 218.167.209.231.
This address it belongs to HINET-NET, a Taiwan Company, and a seach over the net led me to very few results, one of them (at DShield) stated:
“->
→ Seems to be a lot of this “HTTP_Connect_Proxy_Bypass_SMTP” attempts lately.
→ They are all coming for “hinet.net” based IP addresses.
→
→ ---------------------------------------------
→ HTTP_Connect_Proxy_Bypass_SMTP, 220.137.78.148,
→ 220-137-78-148.dynamic.hinet.net, 65.x.x.x, ,
→ Proxy_Target=msa-mx10.hinet.net&Port=25
→ ---------------------------------------------
→
→ I am assuming this hack only works if MS SMTP is up and running on a Windows
→ box? We of course do not use MS SMTP, so this activity is useless in our
→ case. Has anyone seem any examples of attempts like that that have
→ succeeded? Has anyone ever reported this activity to “hinet.net” with any
→ response? It seems it would be difficult to block this activity, as it is
→ inbound on TCP 80.”
The article goes on, but i´t´s too large to reproduce here.
I would like to know if everyone has any information about this, and by the way do exam your logs - I found the same page access in 2 sites logs when searching the web, and write a warning to the webmasters.
My personal mail server sent me 3 spam messages, but as I only have 3 users accounts no big dammage from this.
I denied access to hinet.net in my mail server AND in the Comodo firewall, but maybe this case may deserve some attention (or not) if it is some kind of computer hacking from spammers.
Thanks for your attention
Best regards,
A.M.