[Dshield] Bouncing traffic off host?

Witt, Allen DAVID.A.WITT at saic.com
Fri Jul 26 20:10:18 GMT 2002

Looks like your network's been mapped and a proxy has been discovered. Would
consider 2 things....

First, if you're into honey pots, the address would be a prime candidate for
use with it.

Second, you have to assume that your entire net (at least the public part of
it) has been mapped, which means that more addresses may be interesting to
the hackers/crackers/script kiddies. Intensively monitor your net for
additional strange accesses and consider re-iping the prime targets that you

I monitor a once open network, and you'd be surprised how many of the old
public addresses keep getting hits - even when there's no longer anything
there to hit.

Allen Witt, Network Security Administrator

-----Original Message-----
From: Will Boege [mailto:will_boege at i-tech.com]
Sent: Friday, July 26, 2002 11:43 AM
To: list at dshield.org
Subject: [Dshield] Bouncing traffic off host?

I have a problem with an old support web server at my company that
ironically is being shut down for security reasons.  Recently I noticed
outbound connections from that server to port 80 on various IPs.
Suspicious since nobody uses this machine for web browsing, I noticed
that most of these IP's were related to adult content sites.  So I began
to look at open ports, etc.  Nothing unusual.  I thoroughly checked the
machine and do not believe it to be compromised.  I closed the firewall
off for that port and it began to log connections to port 80 from IPs in
china, about every 2 minutes.  I sniffed traffic heading for the box and
you get a GET request such as this:

GET http://www.snooply.com/search.php?aid=4079&q=mscarsup HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://www.gamestarsweb.com/new/page/news.htm
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: www.snooply.com
Connection: Keep-Alive

This particular request comes from, which Spade tells me
inetnum: -
netname:     CHINANET-SC
descr:       CHINANET Sichuan province network
descr:       Data Communication Division
descr:       China Telecom
country:     CN
admin-c:     CH93-AP
tech-c:      XS16-AP
mnt-by:      MAINT-CHINANET
mnt-lower:   MAINT-CHINANET-SC
changed:     hostmaster at ns.chinanet.cn.net 20000601
source:      APNIC

The www.gamestarsweb.com is equally suspect:
Domain Name:gamestarsweb.com

Administrative Contact: 
wang wei
 shanghai Shanghai 200237
 tel: 86 21 54181811 111
 fax: 86 21 54181811 111

The HTTP host that is running on my box is (believe it or not) Wildcat
BBS Net server, version god knows what.

The address in the GET line has nothing to do with me.  It appears to be
some directing to some referrer program.

My question is, is it possible to bounce a web request off of an old
HTTP host to a different host?  Could someone be bouncing web requests
off my vulnerable host to gain referrer credits?

Will J. Boege
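
[Editor's note, added to this archived thread; the code below is an illustration and is not part of either message.]  What the sniffed request shows is a proxy-style request line: the target is an absolute URI for a foreign host, which is the form a browser sends only to a proxy.  RFC 2616 section 5.1.2 requires HTTP/1.1 servers to accept this form, so the question is what the server does with it: serve the path locally, or fetch it from the named host on the client's behalf.  The example below classifies captured request heads into origin-form, absolute-form, CONNECT (authority-form) and "*" requests and flags the ones that ask the server to reach a third-party host.  The local hostnames in LOCAL_HOSTS and all sample requests except the one copied from the thread are constructed for the example.

```python
"""Flag proxy-style (absolute-URI / CONNECT) requests aimed at a server
that is not meant to act as a forward proxy.  Added example; the
hostnames and sample requests are constructed, not taken from the thread
(except the first, which mirrors the sniffed request quoted above)."""
from urllib.parse import urlsplit

# Assumption: the names and addresses this server legitimately answers for.
LOCAL_HOSTS = {"support.example.com", "192.0.2.10"}


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, version, headers)."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head = text.split("\n\n", 1)[0]          # ignore any body
    lines = head.split("\n")
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def classify(raw, local_hosts=LOCAL_HOSTS):
    """Return the request form and whether it asks us to reach another host."""
    method, target, version, headers = parse_request(raw)
    host_header = headers.get("host", "").split(":")[0].lower() or None
    if method.upper() == "CONNECT":
        form = "authority"                    # CONNECT host:port -> tunnel request
        target_host = target.rsplit(":", 1)[0].lower()
    elif target == "*":
        form = "asterisk"                     # OPTIONS * -> server-wide
        target_host = None
    elif "://" in target:
        form = "absolute"                     # GET http://other/path -> proxy style
        target_host = urlsplit(target).hostname
    else:
        form = "origin"                       # GET /path -> ordinary request
        target_host = host_header
    foreign = target_host is not None and target_host not in local_hosts
    return {
        "method": method.upper(),
        "form": form,
        "target_host": target_host,
        "host_header": host_header,
        # Only absolute-form and CONNECT requests can make us fetch on
        # someone else's behalf; an origin-form request with a foreign Host
        # header is a virtual-host mismatch, not a proxy attempt.
        "proxy_attempt": foreign and form in ("absolute", "authority"),
        "host_mismatch": form == "origin" and foreign,
        "referer": headers.get("referer"),
    }


def scan(requests, local_hosts=LOCAL_HOSTS):
    """Return (index, target_host, referer) for every proxy attempt seen."""
    hits = []
    for i, raw in enumerate(requests):
        info = classify(raw, local_hosts)
        if info["proxy_attempt"]:
            hits.append((i, info["target_host"], info["referer"]))
    return hits


# Constructed samples.  PROXY_PROBE mirrors the request sniffed in the thread.
PROXY_PROBE = (
    "GET http://www.snooply.com/search.php?aid=4079&q=mscarsup HTTP/1.1\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    "Referer: http://www.gamestarsweb.com/new/page/news.htm\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\n"
    "Host: www.snooply.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
NORMAL = "GET /support/index.htm HTTP/1.1\r\nHost: support.example.com\r\n\r\n"
ABSOLUTE_LOCAL = ("GET http://support.example.com/faq.htm HTTP/1.1\r\n"
                  "Host: support.example.com\r\n\r\n")
CONNECT_PROBE = "CONNECT mail.example.net:25 HTTP/1.1\r\nHost: mail.example.net:25\r\n\r\n"
SAMPLES = [PROXY_PROBE, NORMAL, ABSOLUTE_LOCAL, CONNECT_PROBE]

if __name__ == "__main__":
    for idx, host, referer in scan(SAMPLES):
        print(f"request {idx}: proxy attempt toward {host} (referer {referer})")
```

Run against a capture from the box, a hit list that is non-empty means the clients are treating the server as a proxy; whether they are succeeding is answered by watching for the matching outbound connections to the target hosts, which is exactly the symptom described in the original message.  An absolute-form request for one of your own names (ABSOLUTE_LOCAL above) is legitimate and must not be refused.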
