Security Basics mailing list archives
Re: Strange server behavior.
From: Paul Halliday <paul.halliday () gmail com>
Date: Tue, 28 Dec 2010 12:51:31 -0400
On Tue, Dec 28, 2010 at 12:32 PM, Ben <sixtwelveohtwo () gmail com> wrote:
> Since this is a web server and the process making these requests is IIS, it is _possible_ that this is by design. Your developers could be calling partner sites
We don't have partner sites.
> You might check some of the URLs that it is fetching against www.malwaredomainlist.com and see if any of them are known-bad hosts. The missing User-Agent header is possibly the most suspicious item of interest.
thehost - - [23/Dec/2010:00:00:25 -0400] "GET http://www.seomarketingservicesonline.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:00:00:40 -0400] "GET http://www.mystreetwearfashion.info/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:00:01:52 -0400] "GET http://www.americanwideloans.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:02:40:55 -0400] "GET http://www.gaydating.mygaycrowd.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:02:45:09 -0400] "GET http://www.funnyaccidentvideos.net/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:02:51:05 -0400] "GET http://www.tucsoncharityrealestate.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:03:02:53 -0400] "GET http://www.okbuyfurtunite.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:03:18:30 -0400] "GET http://www.throwbakland.com/ HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:03:32:38 -0400] "GET http://lovetarot.org/love-tarot-card HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:03:32:38 -0400] "GET http://lovetarot.org/love-tarot-card/ HTTP/1.1" - - "-" "-"

Some are obvious junk but there are others that are ambiguous:

thehost - - [23/Dec/2010:03:34:37 -0400] "GET http://www.sertsessizdergi.com/5495/national-currency-of-brazil/brazil-votes-in-a-new-president-they-had-an-election-there-last.html HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:06:18:43 -0400] "GET http://www.gather.com/viewArticle.action?articleId=281474978711393 HTTP/1.1" - - "-" "-"
thehost - - [23/Dec/2010:07:00:47 -0400] "GET http://www.independentpi.com/cgi-bin/forum/YaBB.pl?action=viewprofile;username=jerryriil HTTP/1.1" - - "-" "-"

I have run all of the core IIS binaries through Virustotal and they are all clean.

--
Paul Halliday
http://www.pintumbler.org
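The two checks suggested in the quoted reply (comparing the fetched hosts with a list of known-bad hosts and noting the missing User-Agent) can be run over a log in this layout as follows. This is an added example, not part of the original thread; the field layout is inferred from the quoted lines, and the blocklist entry, the last two sample lines and the function name `triage` are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Layout inferred from the lines quoted in the post:
# client ident user [timestamp] "METHOD absolute-URL PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'\S+ \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def triage(lines, blocklist):
    """Return (findings, per-host request counts) for the outbound requests."""
    findings, hosts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout: skip rather than guess
        host = (urlsplit(m["url"]).hostname or "").lower()
        hosts[host] += 1
        reasons = []
        if m["agent"] in ("", "-"):
            reasons.append("no-user-agent")
        # Match the host itself or any parent domain present in the list.
        labels = host.split(".")
        if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
            reasons.append("blocklisted-host")
        if reasons:
            findings.append((m["ts"], host, reasons))
    return findings, hosts

# First two lines are copied from the post; the last two are constructed.
SAMPLE = [
    'thehost - - [23/Dec/2010:00:00:25 -0400] "GET http://www.seomarketingservicesonline.com/ HTTP/1.1" - - "-" "-"',
    'thehost - - [23/Dec/2010:03:32:38 -0400] "GET http://lovetarot.org/love-tarot-card HTTP/1.1" - - "-" "-"',
    'thehost - - [23/Dec/2010:04:00:00 -0400] "GET http://updates.vendor.example/check HTTP/1.1" - - "-" "ExampleUpdater/1.0"',
    'thehost - - [23/Dec/2010:04:05:00 -0400] "GET http://cdn.blocked.example/x HTTP/1.1" - - "-" "ExampleUpdater/1.0"',
]
BLOCKLIST = {"blocked.example"}  # constructed entry; load a real list export here

if __name__ == "__main__":
    found, per_host = triage(SAMPLE, BLOCKLIST)
    for ts, host, reasons in found:
        print(ts, host, ",".join(reasons))
    print(per_host.most_common(5))
```

The per-host counts help separate a destination the server contacts regularly from a long tail of unrelated sites fetched once each, which is the pattern in the lines quoted above.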