The last few days, I've been 'tail -f'ing (no, it's not what you think) the webserver logs just to see what kind of traffic the server gets. Most of it is internal, lots of spiders and web crawlers, and more than a few crack attempts. Then this morning I saw one I'd never seen before:
126.96.36.199 - - [20/Oct/2003:08:31:32 -0400] "CONNECT 188.8.131.52:1337 HTTP/1.0" 200 9612 "-" "-"
netstat or ps didn't reveal anything unusual at the time. A lookup of the IP told me the IP address was part of a block registered to Cool Er Ke Ji Ltd in Taipei, Taiwan. A portscan of the offending machine didn't reveal any open ports out of the ordinary.
Well, I'm pretty sure my server is still reasonably secure. A couple of mods to my server config should keep anybody from trying to use it as a proxy server. A lesson to sysadmins: Keep an eye on those logs.
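An added example, not part of the original post: one way to pull proxy-style requests like the CONNECT line above out of an access log instead of spotting them by eye. It assumes combined log format; the function name, the verdict labels, the index_size heuristic and the sample lines (documentation addresses) are constructed for illustration.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def proxy_attempts(lines, index_size=None):
    """Return one dict per request that tries to use the server as a proxy.

    Proxy-style means the method is CONNECT, or the target is an absolute
    URI (scheme://host/...) rather than a local path.
    index_size (hypothetical parameter): byte size of the site's front page.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        method, target = m["method"], m["target"]
        if method != "CONNECT" and not SCHEME_RE.match(target):
            continue  # ordinary request for a local path
        status = int(m["status"])
        size = None if m["size"] == "-" else int(m["size"])
        if not 200 <= status < 300:
            verdict = "refused"
        elif index_size is not None and size == index_size:
            # Heuristic (assumption): a 2xx whose byte count equals the front
            # page suggests the server sent its own page, not a tunnel.
            verdict = "answered-with-local-page"
        else:
            verdict = "accepted-investigate"
        hits.append({"host": m["host"], "time": m["time"], "method": method,
                     "target": target, "status": status, "verdict": verdict})
    return hits

# Constructed sample lines, not taken from the original post.
SAMPLE = [
    '192.0.2.10 - - [20/Oct/2003:08:31:32 -0400] "CONNECT 198.51.100.7:1337 HTTP/1.0" 200 9612 "-" "-"',
    '192.0.2.11 - - [20/Oct/2003:08:40:02 -0400] "GET http://example.com/ HTTP/1.0" 403 291 "-" "-"',
    '192.0.2.12 - - [20/Oct/2003:08:41:10 -0400] "GET /index.html HTTP/1.1" 200 9612 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [20/Oct/2003:08:45:55 -0400] "CONNECT 203.0.113.5:443 HTTP/1.0" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in proxy_attempts(SAMPLE, index_size=9612):
        print(hit["time"], hit["host"], hit["method"], hit["target"], hit["status"], hit["verdict"])
```

Any "accepted-investigate" result is the case worth checking against the server's proxy configuration first.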