[Dshield] Bouncing traffic off host?
tliston at premmag.com
Fri Jul 26 16:46:25 GMT 2002
What you've got is a webserver acting as a proxy, and it's obviously
been discovered and "publicized" in some manner and is being used.
Most webservers can be configured to "proxy" requests, meaning that
you can send it a request for a different URL and it will go and
fetch the content at that URL and deliver it back to you. Publicly
accessible machines SHOULD NOT be set up to proxy.
Shut it down.
On 26 Jul 2002 at 10:42, Will Boege wrote:
> I have a problem with an old support web server at my company that
> ironically is being shut down for security reasons. Recently I noticed
> outbound connections from that server to port 80 on various IPs.
> Suspicious since nobody uses this machine for web browsing, I noticed
> that most of these IP's were related to adult content sites. So I began
> to look at open ports, etc.. Nothing unusual. I throughly checked the
> machine and do not believe it to be comprimised. I closed the firewall
> off for that port and it began to log connections to port 80 from IPs in
> china, about every 2 minutes. I sniffed traffic heading for the box and
> you get a GET request such as this:
> GET http://www.snooply.com/search.php?aid=4079&q=mscarsup HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> Referer: http://www.gamestarsweb.com/new/page/news.htm
> Accept -Language: en
> Accept -Encoding: gzip , deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
> Host: www.snooply.com
> Connection: Keep -Alive
> This particular request comes from 061.139.060.089, which Spade tells me
> inetnum: 22.214.171.124 - 126.96.36.199
> netname: CHINANET-SC
> descr: CHINANET Sichuan province network
> descr: Data Communication Division
> descr: China Telecom
> country: CN
> admin-c: CH93-AP
> tech-c: XS16-AP
> mnt-by: MAINT-CHINANET
> mnt-lower: MAINT-CHINANET-SC
> changed: hostmaster at ns.chinanet.cn.net 20000601
> source: APNIC
> The www.gamstarsweb.com is equally suspect:
> Domain Name:gamestarsweb.com
> Administrative Contact:
> wang wei
> shanghai Shanghai 200237
> tel: 86 21 54181811 111
> fax: 86 21 54181811 111
> The HTTP host that is running on my box is (believe it or not) Wildcat
> BBS Net server, version god knows what.
> The address in the GET line has nothing to do with me. It appears to be
> some directing to some referrer program.
> My question is, is it possible to bounce a web request off of an old
> HTTP host to a different host? Could someone be bouncing web requests
> of my vulnerable host to gain referrer credits?
> Will J. Boege
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
Tom Liston, GSEC
Prem Magnetics, Inc.
tliston at premmag.com
tliston at hackbusters.net
More information about the list