[Dshield] Bouncing traffic off host?

Will Boege will_boege at i-tech.com
Fri Jul 26 15:42:46 GMT 2002

I have a problem with an old support web server at my company that
ironically is being shut down for security reasons.  Recently I noticed
outbound connections from that server to port 80 on various IPs.
Suspicious since nobody uses this machine for web browsing, I noticed
that most of these IP's were related to adult content sites.  So I began
to look at open ports, etc.. Nothing unusual.  I throughly checked the
machine and do not believe it to be comprimised.  I closed the firewall
off for that port and it began to log connections to port 80 from IPs in
china, about every 2 minutes.  I sniffed traffic heading for the box and
you get a GET request such as this:

GET http://www.snooply.com/search.php?aid=4079&q=mscarsup HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://www.gamestarsweb.com/new/page/news.htm
Accept -Language: en
Accept -Encoding: gzip , deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: www.snooply.com
Connection: Keep -Alive

This particular request comes from, which Spade tells me
inetnum: -
netname:     CHINANET-SC
descr:       CHINANET Sichuan province network
descr:       Data Communication Division
descr:       China Telecom
country:     CN
admin-c:     CH93-AP
tech-c:      XS16-AP
mnt-by:      MAINT-CHINANET
mnt-lower:   MAINT-CHINANET-SC
changed:     hostmaster at ns.chinanet.cn.net 20000601
source:      APNIC

The www.gamstarsweb.com is equally suspect:
Domain Name:gamestarsweb.com


Administrative Contact: 
wang wei
 shanghai Shanghai 200237
 tel: 86 21 54181811 111
 fax: 86 21 54181811 111

The HTTP host that is running on my box is (believe it or not) Wildcat
BBS Net server, version god knows what.

The address in the GET line has nothing to do with me.  It appears to be
some directing to some referrer program.

My question is, is it possible to bounce a web request off of an old
HTTP host to a different host?  Could someone be bouncing web requests
of my vulnerable host to gain referrer credits?

Will J. Boege

More information about the list mailing list