[Dshield] site scanning

William Sipila william at osource.com
Thu Aug 16 20:28:02 GMT 2001


now that code red is finally playing out (or at least the media portion of
it is; some of my servers are still being hit frequently), i have a
question...

for the past few months, and with growing frequency, i am seeing very
strange HTTP GET URLs in my web logs.  it appears to be some sort of probe,
possibly even some sort of web server-based trojan recognition/command
string?  i really don't know.

here's my (admittedly newbie) analysis:

when i see this in the logs, i nearly always find an identical string in all
of our webservers - the only exception is sometimes the URL contains the IP
of the target machine, in which case, that would be the only difference - so
the scanning is being done sequentially.  i figured they might be hitting
other servers near but not in our IP block, so i emailed our ISP, but they
never responded to any emails that i sent them (other than with an
autoresponder -- does anyone respond to anything anymore???  sheesh).

99% of these are 404s, yet you see the exact same string further down the
logs sometimes - it's still a 404...  not only that, but the browser
footprint changes with almost every hit; some of which i'm sure don't really
exist, which leads me to believe that this is some sort of probing tool that
is trying to disguise itself by rotating the browser footprints and referrer
(i've also tried to check out a portion of the HTTP_REFERRER links, but i
have not found a link to our server at any of those places).  it seems like
it was supposed to blend these in with normal web traffic, although this
particular set of servers is such low traffic that the activity sticks out
like a sore thumb.

at first i thought it was a proxy cache misdirecting traffic to our IPs, but
after i brought the 2nd web server online and saw the same GET strings in
both server logs, i tossed that idea out.  then i was thinking about the
code red worm this weekend and thought that: what if you were able to
install a trojan onto a web server (the way code red did) and then you could
have it recognize seemingly innocuous GET (sub-)strings as being certain
commands...  anyway, maybe i'm just way too paranoid...  :)

here are log clippings from a 2-day period last month:  if this linewraps into
oblivion, sorry about that... i also have a slightly longer version (6 days)
at http://alpha.osource.com/log_excerpt.txt

2001-07-19 01:00:08 1Cust206.tnt11.west-houston2.tx.da.uu.net - GET /bfast/serve bfmid=37919069&siteid=38406013&bfpage=s-box7 404 Mozilla/4.0+(compatible;+MSIE+5.02;+Windows+98) http://javascript.00go.com/index.html
2001-07-19 06:36:47 1Cust214.tnt4.west-houston2.tx.da.uu.net - GET /yeem/webad/ads.cgi member=jling;page=01 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+95) http://javascript.00go.com/index.html
2001-07-19 08:41:55 1Cust214.tnt4.west-houston2.tx.da.uu.net - GET /bfast/serve bfmid=253985&bfsiteid=38403731&bfpage=homelink3 404 Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+98) http://americanonetone.com/English/default.htm
2001-07-19 09:50:29 pD950332E.dip.t-dialin.net - GET /bannerrotation/exit/count.asp id=3494 404 Mozilla/4.5+[en]+(Win98;+I) http://www.tomscash.de
2001-07-19 09:50:52 1Cust214.tnt4.west-houston2.tx.da.uu.net - GET /site=21767/size=88031/bnum=97990204/bins=1/rich=0 - 404 Mozilla/4.0+(compatible;+MSIE+5.02;+Windows+98) http://americanonetone.com/English/default.htm
2001-07-19 12:59:48 pD950332E.dip.t-dialin.net - GET /bannerrotation/exit/count.asp id=3494 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://www.tomscash.de
2001-07-19 14:01:14 c-938671d5.02-40-73746f21.cust.bredbandsbolaget.se - GET /cgi-bin/prxjdg2.cgi - 404 Mozilla/4.7+[en]+(Win98;+I) -
2001-07-19 14:01:14 c-938671d5.02-40-73746f21.cust.bredbandsbolaget.se - HEAD /ddg/DDG/homepage/html/hom.html - 404 - -
2001-07-19 19:05:55 akgk55l3y549h.bc.hsia.telus.net - GET /bfast/click bfmid=20810152&siteid=38522217 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://jurisdiction
2001-07-20 06:51:34 pD9006524.dip.t-dialin.net - GET /bannerrotation/exit/count.asp id=3580 404 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+98) http://www.partylines.de
2001-07-20 07:03:43 pD9006524.dip.t-dialin.net - GET /maxtool/toplist/topsites.php3 uid=2693&aid=267&Category=Miscellaneous&ID=784 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://www.zukunfts-plan.de
2001-07-20 07:40:04 pD9006524.dip.t-dialin.net - GET /exit/1117989 - 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.en-us http://www.xxxteen.de
2001-07-20 07:51:18 1Cust228.tnt2.west-houston2.tx.da.uu.net - GET /site=21767/size=88031/bnum=97990204/bins=1/rich=0 - 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://americanonetone.com/English/default.htm
2001-07-20 08:04:19 pD9006524.dip.t-dialin.net - GET /exit/1117989 - 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://www.xxxteen.de
2001-07-20 08:29:50 pD9006524.dip.t-dialin.net - GET /bannerrotation/exit/count.asp id=3580 404 Mozilla/4.0+(compatible;+MSIE+5.02;+Windows+98) http://www.partylines.de
2001-07-20 09:30:33 pD9006524.dip.t-dialin.net - GET /bannerrotation/exit/count.asp id=3580 404 Mozilla/4.75+[en]+(Win98;+I) http://www.partylines.de
2001-07-20 10:11:15 pD9006524.dip.t-dialin.net - GET /exit/1117989 - 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT) http://www.xxxteen.de
2001-07-20 10:46:01 pD9006524.dip.t-dialin.net - GET /maxtool/toplist/topsites.php3 uid=2693&aid=267&Category=Miscellaneous&ID=784 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://www.zukunfts-plan.de
2001-07-20 12:33:39 1Cust228.tnt2.west-houston2.tx.da.uu.net - GET /yeem/webad/ads.cgi member=jling;page=01 404 Mozilla/4.0+(compatible;+MSIE+5.02;+Windows+98) http://javascript.00go.com/index.html
2001-07-20 13:37:28 1Cust86.tnt6.west-houston2.tx.da.uu.net - GET /bfast/serve bfmid=253985&bfsiteid=38403731&bfpage=homelink4 404 Mozilla/4.0+(compatible;+MSIE+5.02;+Windows+95) http://americanonetone.com/English/default.htm
2001-07-20 15:49:52 1Cust52.tnt2.west-houston2.tx.da.uu.net - GET /bfast/serve bfmid=37919069&siteid=38406013&bfpage=s-box7 404 Mozilla/4.0+(compatible;+MSIE+5.02;+Windows+98) http://javascript.00go.com/index.html
2001-07-20 18:56:15 pD9006502.dip.t-dialin.net - GET /bin/z_ct_ppv.dll 42650C1865691188 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://www.bayern-bb.de
2001-07-20 19:17:20 pD9006502.dip.t-dialin.net - GET /bin/z_ct_ppv.dll 20106+719452928 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://www.aktienbrief24.de
2001-07-20 19:17:34 pD9006502.dip.t-dialin.net - GET /bin/z_ct_ppv.dll 20108+50891584 404 Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+NT) http://www.aktienbrief24.de
2001-07-20 20:14:20 pD9006502.dip.t-dialin.net - GET /fs-bin/show id=ekRInfUVIsU&bids=27687&type=3&subid=0 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://www.tomscash.de


thanks for your help & ideas.  - will

--\/------------------------------------------------------------ 
    Developer/SysAdmin, OUTSOURCE Consulting Services, Inc. 
    william at osource.com | www.osource.com 
--/\------------------ 
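Added example (not part of the original post): a small Python script that automates the check the post does by eye, grouping hits by URL and flagging URLs that only ever return 404 yet arrive with several distinct User-Agent strings or from several client hosts. The sample lines are constructed from entries in the post plus one ordinary 200 hit for contrast; the IIS W3C field order is assumed from the excerpt.

```python
from collections import defaultdict

# Constructed sample in the IIS W3C field order of the post's excerpt:
# date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
# cs(User-Agent) cs(Referer). Lines 1-5 mirror entries from the post; the
# last line is a constructed ordinary 200 hit for contrast.
SAMPLE_LOG = """\
2001-07-19 01:00:08 1Cust206.tnt11.west-houston2.tx.da.uu.net - GET /bfast/serve bfmid=37919069&siteid=38406013&bfpage=s-box7 404 Mozilla/4.0+(compatible;+MSIE+5.02;+Windows+98) http://javascript.00go.com/index.html
2001-07-19 09:50:29 pD950332E.dip.t-dialin.net - GET /bannerrotation/exit/count.asp id=3494 404 Mozilla/4.5+[en]+(Win98;+I) http://www.tomscash.de
2001-07-19 12:59:48 pD950332E.dip.t-dialin.net - GET /bannerrotation/exit/count.asp id=3494 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) http://www.tomscash.de
2001-07-19 14:01:14 c-938671d5.02-40-73746f21.cust.bredbandsbolaget.se - GET /cgi-bin/prxjdg2.cgi - 404 Mozilla/4.7+[en]+(Win98;+I) -
2001-07-20 15:49:52 1Cust52.tnt2.west-houston2.tx.da.uu.net - GET /bfast/serve bfmid=37919069&siteid=38406013&bfpage=s-box7 404 Mozilla/4.0+(compatible;+MSIE+5.02;+Windows+98) http://javascript.00go.com/index.html
2001-07-20 12:00:00 client.example.invalid - GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
"""

def parse_line(line):
    """Split one W3C log line into its ten fields; None if malformed."""
    parts = line.split()
    if len(parts) != 10:
        return None
    _date, _time, host, _user, method, stem, query, status, agent, referer = parts
    return {"host": host, "method": method, "stem": stem, "query": query,
            "status": status, "agent": agent, "referer": referer}

def find_probe_patterns(log_text, min_agents=2):
    """Group hits by (stem, query) and flag URLs that only ever 404 yet
    arrive with several distinct User-Agents or from several client hosts."""
    by_url = defaultdict(lambda: {"hosts": set(), "agents": set(),
                                  "referers": set(), "statuses": set(), "hits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip wrapped or truncated lines rather than guess
        e = by_url[(rec["stem"], rec["query"])]
        e["hits"] += 1
        e["hosts"].add(rec["host"])
        e["agents"].add(rec["agent"])
        e["referers"].add(rec["referer"])
        e["statuses"].add(rec["status"])
    flagged = {}
    for url, e in by_url.items():
        rotating = len(e["agents"]) >= min_agents or len(e["hosts"]) >= 2
        if e["statuses"] == {"404"} and rotating:
            flagged[url] = {"hits": e["hits"], "hosts": len(e["hosts"]),
                            "agents": len(e["agents"]),
                            "referers": sorted(e["referers"])}
    return flagged

if __name__ == "__main__":
    for (stem, query), info in sorted(find_probe_patterns(SAMPLE_LOG).items()): print(stem, query, info)
```

Run against a real IIS log, the same grouping makes the post's observation (identical 404 URLs, changing browser footprints) measurable across all servers at once.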