Security Incidents mailing list archives

Re: Hiding the source of the web server scan


From: Andre Kajita - Administrador da Rede <admin () camarasjc sp gov br>
Date: Fri, 18 May 2001 07:18:26 -0300

Greets,

Can anyone tell me what tool is used to accomplish the following?
...
GET http://www.intel.com/ HTTP/1.1\r\n
Host: www.intel.com \r\n
Accept: */*\r\n
Pragma: no-cache:\r\n
User-Agent: Mozilla/4.0\r\n
\r\n

I'd guess one of two things:

1 - A scan for MS IIS machines; they just throw some trash at a server
and when it responds it picks up the server type.

2, which I think is more probable - Someone's scanning for open
proxies.  I've been getting a large number of scans with HTTP payloads
along some common proxy ports (88,1080,3128,8000,8080,8888,etc.) and I
can only guess that someone's searching for a few open proxies to fool
around with.

Either way, it's a tool that's sending the requests you've been
getting.  Since the 'Host' content field is filled in by the browser
or other qualified agent, it can also be forged to whatever address you
want if you build your own tool, so if you check your border logs you'd
probably find a different IP than www.intel.com's.

Andre.
-- 
Arthur Dent: "What's so unpleasant about being drunk?"
Ford Prefect: "You ask a glass of water." 
- Douglas Noel Adams, 1952 - 2001
- DNA, so long and thanks for all the books
--
Andre Kajita - Administrador da Rede <admin () camarasjc sp gov br>
Camara Municipal de Sao Jose dos Campos - SP
http://www.camarasjc.sp.gov.br
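
The log check suggested in the message above, as an added example that is not part of the original post: it flags requests whose target names a host other than your own (absolute-URI GET or CONNECT) and reports the connecting IP and whether the server answered 2xx. `OWN_HOSTS`, the Combined Log Format layout and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (assumed; set to your own).
OWN_HOSTS = {"www.example.org", "example.org"}

# Common/Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3})'
)

def classify(line, own_hosts=OWN_HOSTS):
    """Return a finding dict if the line looks like an open-proxy probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0].lower()
    elif "://" in target:
        host = (urlsplit(target).hostname or "").lower()
    else:
        return None  # origin-form request ("/path"), the normal case
    if host in own_hosts:
        return None  # absolute-form is legal in HTTP/1.1 when it names us
    status = int(m["status"])
    return {
        "client": m["client"],  # the real source: socket peer, not the Host header
        "asked_for": host,
        "status": status,
        # A 2xx answer means we may actually have relayed the request.
        "relayed": 200 <= status < 300,
    }

# Constructed sample lines (TEST-NET addresses), not taken from the original post.
SAMPLE = [
    '192.0.2.10 - - [18/May/2001:07:01:02 -0300] "GET http://www.intel.com/ HTTP/1.1" 404 209',
    '192.0.2.10 - - [18/May/2001:07:01:03 -0300] "CONNECT mail.example.net:25 HTTP/1.0" 405 0',
    '198.51.100.7 - - [18/May/2001:07:02:00 -0300] "GET /index.html HTTP/1.0" 200 5120',
    '203.0.113.5 - - [18/May/2001:07:03:00 -0300] "GET http://www.intel.com/ HTTP/1.1" 200 18034',
]

def scan(lines):
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any finding with `relayed` set deserves a follow-up on the server's proxy configuration, since a 2xx reply to a request for someone else's host suggests the request was forwarded.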

