[Dshield] Bouncing traffic off host?

Johannes Ullrich jullrich at sans.org
Fri Jul 26 17:47:21 GMT 2002


This does look like a request to an open proxy. Did this machine have apache's mod_proxy loaded or something similar?



On Fri, 26 Jul 2002 10:42:46 -0500
"Will Boege" <will_boege at i-tech.com> wrote:

> 
> I have a problem with an old support web server at my company that
> ironically is being shut down for security reasons.  Recently I noticed
> outbound connections from that server to port 80 on various IPs.
> Suspicious since nobody uses this machine for web browsing, I noticed
> that most of these IPs were related to adult content sites.  So I began
> to look at open ports, etc.  Nothing unusual.  I thoroughly checked the
> machine and do not believe it to be compromised.  I closed the firewall
> off for that port and it began to log connections to port 80 from IPs in
> China, about every 2 minutes.  I sniffed traffic heading for the box and
> you get a GET request such as this:
> 
> GET http://www.snooply.com/search.php?aid=4079&q=mscarsup HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> Referer: http://www.gamestarsweb.com/new/page/news.htm
> Accept-Language: en
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
> Host: www.snooply.com
> Connection: Keep-Alive
> 
> This particular request comes from 061.139.060.089, which Spade tells me
> is:
> inetnum:     61.139.0.0 - 61.139.127.255
> netname:     CHINANET-SC
> descr:       CHINANET Sichuan province network
> descr:       Data Communication Division
> descr:       China Telecom
> country:     CN
> admin-c:     CH93-AP
> tech-c:      XS16-AP
> mnt-by:      MAINT-CHINANET
> mnt-lower:   MAINT-CHINANET-SC
> changed:     hostmaster at ns.chinanet.cn.net 20000601
> source:      APNIC
> 
> The www.gamestarsweb.com is equally suspect:
> Domain Name:gamestarsweb.com
> 
> Registrant: 
> wang
>  shanghai
>  200237
>  China
>  
> 
> Administrative Contact: 
> wang wei
>  wang
>  shanghai
>  shanghai Shanghai 200237
>  China
>  tel: 86 21 54181811 111
>  fax: 86 21 54181811 111
> 
> The HTTP host that is running on my box is (believe it or not) Wildcat
> BBS Net server, version god knows what.
> 
> The address in the GET line has nothing to do with me.  It appears to be
> some directing to some referrer program.
> 
> My question is, is it possible to bounce a web request off of an old
> HTTP host to a different host?  Could someone be bouncing web requests
> of my vulnerable host to gain referrer credits?
> 
> 
> *-*-*-*-*-*-*-*-*-*-*-*-*
> Will J. Boege
> 
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list


-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
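A defender-side check that follows from the open-proxy diagnosis above, added here as example code that is not from either poster: it parses a captured request and flags the absolute-URI (proxy-form) request-target that a client only sends when it believes it is talking to a proxy. The `OWN_HOSTS` names and the sample requests are assumed and constructed for the demonstration.

```python
# Added example (not from the thread): flag proxy-style HTTP requests, i.e.
# requests whose target is an absolute URI for another host, which is what
# a client sends when it treats this server as an open proxy.
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (assumed values).
OWN_HOSTS = {"support.example.com", "10.0.0.5"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, target, version and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "version": version, "headers": headers}


def is_proxy_request(raw: str, own_hosts=OWN_HOSTS) -> bool:
    """True if the request asks this server to fetch a URL on another host."""
    req = parse_request(raw)
    parts = urlsplit(req["target"])
    if parts.scheme in ("http", "https") and parts.hostname:
        # Absolute-URI form: a proxy request unless it names this server.
        return parts.hostname.lower() not in own_hosts
    if req["method"] == "CONNECT":
        # CONNECT host:port is only meaningful to a tunnelling proxy.
        return True
    # Origin-form target (/path): an ordinary request to this server.
    return False


# Constructed sample: the request Will captured, with CRLF line endings.
PROXY_PROBE = (
    "GET http://www.snooply.com/search.php?aid=4079&q=mscarsup HTTP/1.1\r\n"
    "Referer: http://www.gamestarsweb.com/new/page/news.htm\r\n"
    "Host: www.snooply.com\r\n\r\n"
)
# Constructed sample: a normal request to this server's own site.
NORMAL = "GET /index.html HTTP/1.1\r\nHost: support.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, r in [("probe", PROXY_PROBE), ("normal", NORMAL)]:
        print(name, "proxy-style" if is_proxy_request(r) else "ok")
```

Run over sniffed or logged requests, the check separates the every-two-minutes proxy probes from real traffic; a server that answers the flagged requests with the remote site's content is acting as an open proxy and should be taken offline or have forwarding disabled.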



