[Dshield] Odd incoming HTTP Request Traffic

Stephane Grobety security at admin.fulgan.com
Fri Aug 12 12:20:40 GMT 2005


Hello reverse,

These are HTTP proxy requests. You say it's coming THROUGH your
firewall? That most likely means your firewall is misconfigured to
allow incoming connections. Or are these external connections you see?

More detail, please.

Good luck,
Stephane



Friday, August 12, 2005, 4:22:47 AM, you wrote:



r> Hello - I have consistently been seeing some odd http traffic
r> coming through my firewall. Below are three samples of the HTTP
r> Request Header. We are not any of these domains, but yet they are
r> somehow being referred to us. The only thing common with these
r> requests is the "X-Forwarded-For" command. I was thinking of
r> blocking based on the "X-Forwarded-For" command with some regex
r> code, but I'd like to know why we're seeing these. Does anyone know
r> what's going on?

r> Thanks,
r> Jason

r> GET http://www.thebugs.ws/top/in.php?id=1008 HTTP/1.0
r> Referer: http://www.adrenalinewarez.info
r> Accept: */*
r> Accept-Language: en
r> Pragma: no-cache
r> User-Agent: Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)
r> X-Forwarded-For: 204.151.10.175
r> Host: www.thebugs.ws

r> GET http://www.oday-warez.com/cgi-bin/intellilink/in.cgi?id=1105054720 HTTP/1.0
r> Referer: http://www.oday-warez.com/cgi-bin/intellilink/in.cgi?id=1105054720
r> Accept: */*
r> Accept-Language: en-us
r> Pragma: no-cache
r> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows ME)
r> X-Forwarded-For: 205.157.134.226
r> Host: www.oday-warez.com

r> GET http://www.warezenergy.com/in.php?id=AdrenalineWarez HTTP/1.0
r> Referer: http://www.adrenalinewarez.info
r> Accept: */*
r> Accept-Language: en-us
r> Pragma: no-cache
r> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
r> X-Forwarded-For: 209.124.89.156
r> Host: www.warezenergy.com


-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
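
Added example, not part of the original thread: a small classifier that separates proxy-style requests like the three quoted above (absolute URL in the request line, or CONNECT) from requests meant for the receiving server. The function names, the `LOCAL_HOSTS` placeholder values and the sample requests other than the first are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hostnames this server really serves (placeholder values).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Constructed request heads; the first copies the shape of those quoted above.
SAMPLES = [
    "GET http://www.thebugs.ws/top/in.php?id=1008 HTTP/1.0\r\n"
    "X-Forwarded-For: 204.151.10.175\r\nHost: www.thebugs.ws\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "CONNECT mail.example.net:25 HTTP/1.0\r\n\r\n",
    "GET http://www.example.org/about HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
]


def classify_request(raw, local_hosts=LOCAL_HOSTS):
    """Classify one raw request head as 'local', 'proxy-attempt',
    'foreign-host' or 'malformed'."""
    lines = raw.split("\r\n\r\n")[0].splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) != 3:
        return "malformed"
    method, target, _version = parts
    if method.upper() == "CONNECT":
        return "proxy-attempt"  # tunnel request, only meaningful to a proxy
    if not target.startswith("/") and target != "*":
        # Absolute-form target: the client is treating us as a proxy.
        host = urlsplit(target).hostname
        if host is None:
            return "malformed"
        return "local" if host in local_hosts else "proxy-attempt"
    # Origin-form target: fall back to the Host header, if there is one.
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = urlsplit("//" + value.strip()).hostname
            return "local" if host in local_hosts else "foreign-host"
    return "local"  # HTTP/1.0 request without Host, addressed to this server


def summarize(samples=SAMPLES):
    return [classify_request(s) for s in samples]


if __name__ == "__main__":
    for raw, verdict in zip(SAMPLES, summarize()):
        print(f"{verdict:14} {raw.splitlines()[0]}")
```

Keying on the request target and Host header rather than on X-Forwarded-For avoids flagging legitimate visitors who reach the site through a forwarding proxy.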


