[Dshield] Odd incoming HTTP Request Traffic

Glenn Jarvis gaj at uppergroove.ca
Fri Aug 12 12:57:16 GMT 2005


>
>
>Hello - I have consistently been seeing some odd http traffic coming through my firewall. Below are three samples of the HTTP Request Header. We are not any of these domains, but yet they are somehow being referred to us. The only thing common with these requests is the "X-Forwarded-For" command. I was thinking of blocking based on the "X-Forwarded-For" command with some regex code, but I'd like to know why we're seeing these. Does anyone know what's going on?
>
>Thanks,
>Jason
>
>GET http://www.thebugs.ws/top/in.php?id=1008 HTTP/1.0
>Referer: http://www.adrenalinewarez.info
>Accept: */*
>Accept-Language: en
>Pragma: no-cache
>User-Agent: Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)
>X-Forwarded-For: 204.151.10.175
>Host: www.thebugs.ws
>
>GET http://www.oday-warez.com/cgi-bin/intellilink/in.cgi?id=1105054720 HTTP/1.0
>Referer: http://www.oday-warez.com/cgi-bin/intellilink/in.cgi?id=1105054720
>Accept: */*
>Accept-Language: en-us
>Pragma: no-cache
>User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows ME)
>X-Forwarded-For: 205.157.134.226
>Host: www.oday-warez.com
>
>GET http://www.warezenergy.com/in.php?id=AdrenalineWarez HTTP/1.0
>Referer: http://www.adrenalinewarez.info
>Accept: */*
>Accept-Language: en-us
>Pragma: no-cache
>User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
>X-Forwarded-For: 209.124.89.156
>Host: www.warezenergy.com
>
Hi Jason,
My server receives hits from these sites daily. They are pirate/cracker 
sites.
You'll probably see another from 0day-eastgate at some point, including 
a variety of others.

Glenn
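
Added example, not part of either message above: a filter for the request shape shown in the three samples, keyed on the absolute-URI request line and Host header naming a site the server does not host rather than on X-Forwarded-For, which legitimate forwarding proxies also add. The LOCAL_HOSTS names and the second sample request are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the hostnames this server really serves (placeholder values).
LOCAL_HOSTS = {"www.example.org", "example.org"}

def parse_request_head(raw):
    """Split a raw request head into (method, target, lower-cased header dict)."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    method, target, _version = lines[0].split(None, 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify(raw, local_hosts=LOCAL_HOSTS):
    """Return 'foreign-host' when the request names a site we do not serve."""
    _method, target, headers = parse_request_head(raw)
    # Absolute-form target ("GET http://host/path") is what clients send to a proxy.
    url_host = urlsplit(target).hostname if "://" in target else None
    host_hdr = headers.get("host", "").split(":")[0].lower() or None
    named = {h for h in (url_host, host_hdr) if h}
    if named and not named <= set(local_hosts):
        return "foreign-host"
    return "ok"

# First sample request from the quoted post.
SAMPLE_FROM_POST = """GET http://www.thebugs.ws/top/in.php?id=1008 HTTP/1.0
Referer: http://www.adrenalinewarez.info
Accept: */*
Accept-Language: en
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)
X-Forwarded-For: 204.151.10.175
Host: www.thebugs.ws
"""

# Constructed: an ordinary visitor reaching us through a forwarding proxy.
SAMPLE_PROXIED_VISITOR = """GET /index.html HTTP/1.1
Host: www.example.org
X-Forwarded-For: 192.0.2.10
"""

if __name__ == "__main__":
    for name, raw in (("post sample", SAMPLE_FROM_POST),
                      ("proxied visitor", SAMPLE_PROXIED_VISITOR)):
        print(name, "->", classify(raw))
```

Both samples carry X-Forwarded-For, so a regex on that header alone would treat them the same; only the first names a foreign host.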
