[Dshield] Bouncing traffic off host?

Will Boege will_boege at i-tech.com
Fri Jul 26 18:03:39 GMT 2002


No, it is a Wildcat Net server, not anything like Apache.  It is an old
holdover from the BBS days.  When the internet came along, Mustang
Software created this package to try to merge BBSes and the internet.
This package is dated circa 1997.  It isn't made anymore as far as I
know, and documentation and security info is tough to come by.
Interestingly enough, I see it still being used all over the place for
hosting companies' support sites.  I was finally able to transition to a
new system for customer support, but I thought that it was an interesting
phenomenon to ask about, as I still get web requests every few minutes
for that machine.

-----Original Message-----
From: Johannes Ullrich [mailto:jullrich at sans.org] 
Sent: Friday, July 26, 2002 12:47 PM
To: list at dshield.org
Cc: will_boege at i-tech.com
Subject: Re: [Dshield] Bouncing traffic off host?



This does look like a request to an open proxy. Did this machine have
Apache's mod_proxy loaded or something similar?



On Fri, 26 Jul 2002 10:42:46 -0500
"Will Boege" <will_boege at i-tech.com> wrote:

> 
> I have a problem with an old support web server at my company that 
> ironically is being shut down for security reasons.  Recently I 
> noticed outbound connections from that server to port 80 on various 
> IPs.  Suspicious since nobody uses this machine for web browsing, I 
> noticed that most of these IPs were related to adult content sites.  
> So I began to look at open ports, etc.  Nothing unusual.  I thoroughly 
> checked the machine and do not believe it to be compromised.  I closed
> the firewall off for that port and it began to log connections to port
> 80 from IPs in China, about every 2 minutes.  I sniffed traffic 
> heading for the box and you get a GET request such as this:
> 
> GET http://www.snooply.com/search.php?aid=4079&q=mscarsup HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> Referer: http://www.gamestarsweb.com/new/page/news.htm
> Accept-Language: en
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
> Host: www.snooply.com
> Connection: Keep-Alive
> 
> This particular request comes from 061.139.060.089, which Spade tells 
> me is:
> inetnum:     61.139.0.0 - 61.139.127.255
> netname:     CHINANET-SC
> descr:       CHINANET Sichuan province network
> descr:       Data Communication Division
> descr:       China Telecom
> country:     CN
> admin-c:     CH93-AP
> tech-c:      XS16-AP
> mnt-by:      MAINT-CHINANET
> mnt-lower:   MAINT-CHINANET-SC
> changed:     hostmaster at ns.chinanet.cn.net 20000601
> source:      APNIC
> 
> The www.gamestarsweb.com is equally suspect:
> Domain Name:gamestarsweb.com
> 
> Registrant:
> wang
>  shanghai
>  200237
>  中国 (China)
>  
> 
> Administrative Contact:
> wang wei
>  wang
>  shanghai
>  shanghai Shanghai 200237
>  China
>  tel: 86 21 54181811 111
>  fax: 86 21 54181811 111
> 
> The HTTP host that is running on my box is (believe it or not) Wildcat
> BBS Net server, version god knows what.
> 
> The address in the GET line has nothing to do with me.  It appears to 
> be some directing to some referrer program.
> 
> My question is, is it possible to bounce a web request off of an old 
> HTTP host to a different host?  Could someone be bouncing web requests
> off my vulnerable host to gain referrer credits?
> 
> 
> *-*-*-*-*-*-*-*-*-*-*-*-*
> Will J. Boege
> 
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list


-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
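The request quoted in the thread is the shape a browser sends to an HTTP proxy: a full URL on the request line and a Host header naming a third-party site, not the server the packet is addressed to. The following classifier, added here as an example and not code from the thread or from Wildcat, parses sniffed request heads and flags those aimed at a host the server does not serve, which is what an open-proxy probe looks like from the target's side. The server names in OUR_HOSTNAMES and both sample requests are constructed for illustration; the first sample reproduces the request shape quoted above.

```python
"""Added example: spot proxy-style (absolute-URI) HTTP requests in sniffed traffic.

A browser talking to an HTTP proxy puts the full URL on the request line and
names the third-party site in the Host header. An origin server that forwards
such a request is acting as an open proxy. This classifier flags requests
whose target host is not one the server legitimately serves.
Hostnames and sample requests below are assumptions constructed for illustration.
"""
from urllib.parse import urlsplit, parse_qs

# Assumption: the names under which the support server legitimately answers.
OUR_HOSTNAMES = {"support.example.com", "192.0.2.10"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request head into method, target, version and headers."""
    lines = raw.replace("\r\n", "\n").lstrip("\n").split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def classify_request(raw: str, our_hostnames=OUR_HOSTNAMES) -> dict:
    """Return where the request is really aimed and whether that host is foreign.

    proxy_style: the request line carries an absolute URI (RFC 2616 section
                 5.1.2), the form a client uses when it believes it is talking
                 to a proxy.
    foreign:     the host named in the URI (or, failing that, in the Host
                 header) is not one of ours.
    query:       query parameters of the target URL; an affiliate or referral
                 id, if any, would be among them.
    """
    req = parse_request(raw)
    parts = urlsplit(req["target"])
    proxy_style = bool(parts.scheme and parts.netloc)
    host_header = req["headers"].get("host")
    if proxy_style:
        target_host = parts.hostname
    else:
        # Origin-form request: only the Host header says which site is meant.
        target_host = host_header.split(":")[0].lower() if host_header else None
    return {
        "proxy_style": proxy_style,
        "target_host": target_host,
        "host_header": host_header,
        "foreign": target_host is not None and target_host not in our_hostnames,
        "referer": req["headers"].get("referer"),
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def flag_proxy_abuse(raw_requests) -> list:
    """Return (target_host, referer, query) for each request aimed at a foreign host."""
    hits = []
    for raw in raw_requests:
        v = classify_request(raw)
        if v["foreign"]:
            hits.append((v["target_host"], v["referer"], v["query"]))
    return hits


# Constructed sample 1: the request shape quoted in the thread, with CRLF endings.
BOUNCED = (
    "GET http://www.snooply.com/search.php?aid=4079&q=mscarsup HTTP/1.1\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    "Referer: http://www.gamestarsweb.com/new/page/news.htm\r\n"
    "Accept-Language: en\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\n"
    "Host: www.snooply.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed sample 2: an ordinary origin-form request for our own site.
LEGIT = (
    "GET /support/index.htm HTTP/1.1\r\n"
    "Host: support.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for host, referer, query in flag_proxy_abuse([BOUNCED, LEGIT]):
        print(f"proxy-style request for {host}; referer={referer}; query={query}")
```

Run over a capture, the only hit is the first sample: it is proxy-style, aimed at www.snooply.com, and carries both a Referer and an aid= parameter, the two things a referral scheme would credit. HTTP/1.1 requires origin servers to accept the absolute-URI form, but a server that is not a proxy should only serve the resource itself when the named host is one of its own and otherwise refuse, never fetch it from the named host. Blocking the server's outbound port 80 at the firewall, as described in the thread, stops the forwarded fetch; the inbound probes continue, since the senders have no way to know the relay no longer works.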