Security Basics mailing list archives

Re: Strange server behavior.


From: Paul Halliday <paul.halliday () gmail com>
Date: Tue, 28 Dec 2010 12:51:31 -0400

On Tue, Dec 28, 2010 at 12:32 PM, Ben <sixtwelveohtwo () gmail com> wrote:
> Since this is a web server and the process making these requests is IIS,
> it is _possible_ that this is by design. Your developers could be calling
> partner sites

We don't have partner sites.

> You might check some of the URLs that it is fetching against
> www.malwaredomainlist.com and see if any of them are known-bad hosts. The
> missing User-Agent header is possibly the most suspicious item of interest.

thehost - - [23/Dec/2010:00:00:25 -0400] "GET
http://www.seomarketingservicesonline.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:00:00:40 -0400] "GET
http://www.mystreetwearfashion.info/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:00:01:52 -0400] "GET
http://www.americanwideloans.com/ HTTP/1.1" - - "-" "-"

thehost - - [23/Dec/2010:02:40:55 -0400] "GET
http://www.gaydating.mygaycrowd.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:02:45:09 -0400] "GET
http://www.funnyaccidentvideos.net/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:02:51:05 -0400] "GET
http://www.tucsoncharityrealestate.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:03:02:53 -0400] "GET
http://www.okbuyfurtunite.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:03:18:30 -0400] "GET
http://www.throwbakland.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:03:32:38 -0400] "GET
http://lovetarot.org/love-tarot-card HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:03:32:38 -0400] "GET
http://lovetarot.org/love-tarot-card/ HTTP/1.1" - - "-" "-"

Some are obvious junk but there are others that are ambiguous:

thehost - - [23/Dec/2010:03:34:37 -0400] "GET
http://www.sertsessizdergi.com/5495/national-currency-of-brazil/brazil-votes-in-a-new-president-they-had-an-election-there-last.html
HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:06:18:43 -0400] "GET
http://www.gather.com/viewArticle.action?articleId=281474978711393
HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:07:00:47 -0400] "GET
http://www.independentpi.com/cgi-bin/forum/YaBB.pl?action=viewprofile;username=jerryriil
HTTP/1.1" - - "-" "-"

I have run all of the core IIS binaries through VirusTotal and they
are all clean.

-- 
Paul Halliday
http://www.pintumbler.org
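The two checks raised in this thread (outbound fetches originating from the web server itself with an empty User-Agent, and destinations that match a reputation list) can be automated against the proxy-style log lines shown above. The script below is an added example and is not code from either poster; the log lines, the `SERVER_HOSTS` set, the `KNOWN_BAD` set and the `.example.invalid` domains are constructed stand-ins, and `KNOWN_BAD` takes the place of a real lookup against a list such as malwaredomainlist.com.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample lines in the same layout as the thread's log excerpt:
# source-host, ident, user, [timestamp], "METHOD absolute-URL PROTO",
# status, bytes, "referer", "user-agent". "-" means the field was empty.
SAMPLE_LOG = """\
webserver - - [23/Dec/2010:00:00:25 -0400] "GET http://seo-junk.example.invalid/ HTTP/1.1" - - "-" "-"
webserver - - [23/Dec/2010:00:00:40 -0400] "GET http://cheap-loans.example.invalid/ HTTP/1.1" - - "-" "-"
webserver - - [23/Dec/2010:00:01:52 -0400] "GET http://updates.example.invalid/wsus HTTP/1.1" 200 512 "-" "Windows-Update-Agent"
workstation7 - - [23/Dec/2010:09:15:03 -0400] "GET http://news.example.invalid/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
webserver - - [23/Dec/2010:00:02:10 -0400] "GET http://forum.example.invalid/YaBB.pl?action=viewprofile;username=x HTTP/1.1" - - "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\S+) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: hosts that serve content and should not be browsing the web.
SERVER_HOSTS = {"webserver"}

# Assumption: stand-in for a reputation/blocklist lookup; constructed entry.
KNOWN_BAD = {"cheap-loans.example.invalid"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["host"] = urlparse(entry["url"]).hostname or ""
    return entry


def suspicious_reasons(entry):
    """Return the list of reasons an entry is suspicious (empty = nothing seen)."""
    reasons = []
    if entry["ua"] == "-":
        reasons.append("missing User-Agent")
    if entry["host"] in KNOWN_BAD:
        reasons.append("destination on blocklist")
    return reasons


def analyze(log_text):
    """Flag server-originated outbound requests that carry at least one
    suspicious trait; also count requests and distinct destinations per
    source host, since a long tail of one-off destinations is itself a
    signal worth eyeballing."""
    findings = []
    requests_per_source = Counter()
    hosts_per_source = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        src = entry["src"]
        requests_per_source[src] += 1
        hosts_per_source.setdefault(src, set()).add(entry["host"])
        reasons = suspicious_reasons(entry)
        if src in SERVER_HOSTS and reasons:
            findings.append((entry["ts"].isoformat(), src, entry["host"], reasons))
    distinct = {src: len(hosts) for src, hosts in hosts_per_source.items()}
    return findings, requests_per_source, distinct


if __name__ == "__main__":
    found, per_src, distinct_hosts = analyze(SAMPLE_LOG)
    for ts, src, host, why in found:
        print(f"{ts} {src} -> {host}: {', '.join(why)}")
    for src in per_src:
        print(f"{src}: {per_src[src]} requests to {distinct_hosts[src]} distinct hosts")
```

Run as-is it flags the three `webserver` lines with an empty User-Agent and leaves the update check (UA present) and the workstation traffic alone. In practice the `KNOWN_BAD` lookup would be replaced with a query against the reputation source actually in use, and a clean VirusTotal result on the IIS binaries does not clear the box: the requests may be issued by a module, a scheduled task, or injected code rather than by a modified core binary, so the next step is to identify the process and the parent handle on the host itself.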
