Security Incidents mailing list archives
foreign HTTP requests
From: hazard.bsn () CYP MAKS NET (Vladimir Ivaschenko)
Date: Thu, 15 Jun 2000 10:21:33 +0400
Hello all,

I installed a "404" handler on our web servers and from that time see something that I cannot 100% explain: several times per day we get requests for a totally different web server, i.e. for example a request to a valid URL on lwn.net, sometimes to some java class on some server etc.

Requests are received from different IPs, different User-Agents, sometimes from proxy IPs and so on. Often the User-Agent:'s are strange, but otherwise the headers don't look like they were spoofed.

Can this be scanning for open proxies? (The headers look too realistic and different to believe that they are generated by a scanner.) Maybe this is a known bug in DNS servers? If someone is exploiting it for some other reason - for which?

A few sample requests follow.

#1)
datetime: 14/06/2000 21:34:41
SERVER_NAME: www.lwn.net
QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3
Accept: www/source, text/html, video/mpeg, image/jpeg, image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*, application/postscript
Host: www.lwn.net
User-Agent: EmailSiphon
Cookie: jrunsessionid=96100716990480607; path=/
REMOTE_ADDR: [yyy.yyy.yyy]
REMOTE_HOST: 193.251.45.224
REMOTE_PORT: 2410
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#2)
datetime: 13/06/2000 05:17:21
SERVER_NAME: community.cnn.com
QUERY_STRING: 404;http://community.cnn.com/cgi-bin/WebX?14@128.EMbcc5YmsuQ^0@.ee7b4aa/98809
Accept: www/source, text/html, video/mpeg, image/jpeg, image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*, application/postscript
Host: community.cnn.com
User-Agent: Mozilla/b0.4
Cookie: WEBTRENDS_ID=167.206.58.40-3717060432.29349083; expires=Fri, 31-Dec-2010 00:00:00 GMT; path=/
REMOTE_ADDR: [xxx.xxx.xxx.xxx]
REMOTE_HOST: [xxx.xxx.xxx.xxx]
REMOTE_PORT: 2938
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#3)
datetime: 14/06/2000 07:29:27
SERVER_NAME: chineseculture.about.com
QUERY_STRING: 404;http://chineseculture.about.com/library/chinese/arts/library/extra/idiom/blidiom.htm
Accept: www/source, text/html, video/mpeg, image/jpeg, image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*, application/postscript
Host: chineseculture.about.com
User-Agent: Mozilla/3.Mozilla/2.01 (Win95; I)
Cookie: session-id-time=961574400; path=/; domain=.amazon.com; expires=Wednesday, 21-Jun-2000 08:00:00 GMT
REMOTE_ADDR: [zzz.zzz.zzz.zzz]
REMOTE_HOST: [zzz.zzz.zzz.zzz]
REMOTE_PORT: 2895
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

--
Best Regards
Vladimir Ivaschenko
Francoudi & Stephanou Ltd.
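As an added example (not part of the post above): a small Python script that parses records in the shape of the samples quoted and flags the ones whose Host header names a server you do not serve, or whose Host header and requested URL disagree. The server names, addresses and the parser's field list are assumptions made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (constructed for the example).
OWN_HOSTS = {"www.example-own.net", "example-own.net"}

# Constructed records in the shape of the 404-handler output quoted above
# (fields trimmed, client addresses made up; not real log data).
SAMPLE_LOG = """\
datetime: 14/06/2000 21:34:41 SERVER_NAME:www.lwn.net QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3 Host: www.lwn.net User-Agent: EmailSiphon REMOTE_HOST: 192.0.2.10
datetime: 14/06/2000 22:01:02 SERVER_NAME:www.example-own.net QUERY_STRING: 404;http://www.example-own.net/missing.html Host: www.example-own.net User-Agent: Mozilla/4.0 REMOTE_HOST: 192.0.2.20
datetime: 13/06/2000 05:17:21 SERVER_NAME:community.cnn.com QUERY_STRING: 404;http://community.cnn.com/cgi-bin/WebX?14@128 Host: community.cnn.com User-Agent: Mozilla/b0.4 REMOTE_HOST: 192.0.2.30
datetime: 15/06/2000 03:10:44 SERVER_NAME:www.example-own.net QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3 Host: www.example-own.net User-Agent: EmailSiphon REMOTE_HOST: 192.0.2.10
"""

# Field names the handler writes; a capturing group makes re.split keep them.
FIELD_RE = re.compile(r"(datetime|SERVER_NAME|QUERY_STRING|Host|User-Agent|REMOTE_HOST):\s*")

def parse_record(line):
    """Split one flattened handler record into {field: value}."""
    parts = FIELD_RE.split(line.strip())  # ['', name, value, name, value, ...]
    return {name: value.strip() for name, value in zip(parts[1::2], parts[2::2])}

def classify(fields, own_hosts=OWN_HOSTS):
    """'own': an ordinary 404 for a name we serve.
    'foreign': the client asked for a host we do not serve (proxy-style or misdirected).
    'mismatch': Host header and requested URL disagree; worth looking at by hand."""
    host = fields.get("Host", "").lower()
    url = fields.get("QUERY_STRING", "").partition(";")[2]   # drop the '404;' prefix
    url_host = (urlsplit(url).hostname or "").lower()
    if host != url_host:
        return "mismatch"
    return "own" if host in own_hosts else "foreign"

def foreign_requests(log_text, own_hosts=OWN_HOSTS):
    """Return (verdict, remote_host, host, user_agent) for every non-'own' record."""
    hits = []
    for line in log_text.splitlines():
        if not line.startswith("datetime:"):
            continue
        f = parse_record(line)
        verdict = classify(f, own_hosts)
        if verdict != "own":
            hits.append((verdict, f.get("REMOTE_HOST", "?"), f.get("Host", "?"),
                         f.get("User-Agent", "?")))
    return hits

if __name__ == "__main__":
    for hit in foreign_requests(SAMPLE_LOG):
        print("%-8s from %-12s asked for %s (UA: %s)" % hit)
```

Grouping the hits by REMOTE_HOST over a day or two is the quickest way to tell a handful of misconfigured clients from one source probing many servers.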