Security Incidents mailing list archives
Re: Hiding the source of the web server scan
From: Andre Kajita - Administrador da Rede <admin () camarasjc sp gov br>
Date: Fri, 18 May 2001 07:18:26 -0300
Greets,
Can anyone tell me what tool is used to accomplish the following?
...
GET http://www.intel.com/ HTTP/1.1\r\n Host: www.intel.com \r\n Accept: */*\r\n Pragma: no-cache:\r\n User-Agent: Mozilla/4.0\r\n \r\n
I'd guess one of two things: 1 - A scan for MS IIS machines, they just throw some trash at a server and when it responds it picks up the server type. 2, which I think is more probable - Someone's scanning for open proxys. I've been getting a large number of scans with HTTP payloads along some common proxy ports (88,1080,3128,8000,8080,8888,etc.) and I can only guess that someone's searching for a few open proxy to fool around with. Either way, it's a tool that's sending the requests you've been getting. Since the 'Host' content field is filled in by the browser or other qualified agent it can also be forged to whatever address you want if you build your own tool so if you check your border logs you'd probably find a different IP than www.intel.com's. Andre. -- Arthur Dent: "What's so unpleasant about being drunk?" Ford Prefect: "You ask a glass of water." - Douglas Noel Adams, 1952 - 2001 - DNA, so long and thanks for all the books -- Andre Kajita - Administrador da Rede <admin () camarasjc sp gov br> Camara Municipal de Sao Jose dos Campos - SP http://www.camarasjc.sp.gov.br
Current thread:
- Hiding the source of the web server scan Bobby, Paul (May 17)
- Re: Hiding the source of the web server scan Hugo van der Kooij (May 18)
- Re: Hiding the source of the web server scan Daniel Martin (May 18)
- Re: Hiding the source of the web server scan Andre Kajita - Administrador da Rede (May 18)