[Dshield] Odd GET request: clickthru abuse or something else?

Shaun shaun at shaunc.com
Thu Feb 8 05:57:27 GMT 2007


On Wed, 7 Feb 2007 16:13:14 -0600
TRushing at hollandco.com wrote:

> 209.167.50.27 www - - [07/Feb/2007:14:23:48 -0600] "GET 
> /obfuscated/path/non_index.html?DI=293&IG=deadbeef1234567890abcdefdeadbeef&POS=4&CM=WPU&CE=4&CS=AWP&SR=4 
> HTTP/1.1" 200 65972 "www.brandimensions.com" "BDFetch"

209.167.50.27 resolves to lw.seventwentyfour.com. Seventwentyfour is an
uptime monitoring service with a history (though neither a recent nor
egregious history) of spamming.

Normally I'd view a company like that as blackhat, but I see no hits
from that /24 or bearing /brandimensions/i anywhere in the headers in a
~2yr log for one of my personal sites that gets a ton of traffic,
including just about every spider, bot, and rooted box out there; nor
does their /24 appear in any of my maillogs, so my first guess is that
it's not a random request and it's not malicious in nature.

Is it possible that someone in your organization, who is not responsible
for sysadmin duties, has signed up for the Seventwentyfour monitoring
service with your company's URL? This sort of thing can be tough to
track down even in the smallest of companies; at an enterprise level
it's going to be even worse, depending upon how you rotate your maillog.
Having not used them personally, I can't say as to whether or not it may
even be possible for user at example.com to request that they probe
example.net instead, without verification of affiliation with the target
host.

I would suggest running a `grep -i twenty` on your existing maillogs
(catting them through gunzip or whatever first) to see if that trips
anything obvious.

hth

-s
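The two checks Shaun describes, searching rotated mail logs for the monitoring service's name and sweeping a web access log for hits from the source /24 or for "brandimensions" in the referer or user-agent fields, as one added shell example. This is not code from the thread; the mail log and access log lines below are constructed sample data (the first access-log line mirrors the one quoted above), and the `maillog*` naming and directory layout are assumptions. `gzip -cdf` passes plain files through unchanged, so rotated `.gz` logs and the current log go through the same pipeline without a separate `zcat`/`cat` step.

```shell
#!/bin/sh
# Added example for the thread above; not part of the original post.
# All log data here is constructed for illustration.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- constructed mail logs: one plain, one gzip-rotated (assumed naming) ---
printf '%s\n' \
  'Feb  1 10:00:01 mx postfix/smtpd[123]: connect from mail.example.net[192.0.2.5]' \
  'Feb  3 11:22:33 mx postfix/qmgr[456]: 0AB12: from=<alerts@seventwentyfour.com>, size=2048' \
  > "$WORK/maillog"
printf '%s\n' \
  'Jan 12 09:00:00 mx postfix/smtpd[789]: connect from unknown[198.51.100.9]' \
  | gzip -c > "$WORK/maillog.1.gz"

# --- constructed Apache combined log; first line mirrors the quoted request ---
printf '%s\n' \
  '209.167.50.27 www - - [07/Feb/2007:14:23:48 -0600] "GET /obfuscated/path/non_index.html?DI=293 HTTP/1.1" 200 65972 "www.brandimensions.com" "BDFetch"' \
  '198.51.100.9 - - [07/Feb/2007:14:25:00 -0600] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"' \
  > "$WORK/access_log"

# grep_maillogs PATTERN DIR
# Case-insensitive search over every maillog* file, compressed or not.
# gzip -cdf decompresses .gz input and copies plain input as-is, so no
# per-file cat/gunzip decision is needed. "|| true" keeps a no-match file
# from aborting the loop when the caller runs under set -e.
grep_maillogs() {
  pattern="$1"; dir="$2"
  for f in "$dir"/maillog*; do
    [ -f "$f" ] || continue
    gzip -cdf "$f" | grep -i -- "$pattern" || true
  done
}

# access_hits_from_slash24 LOG A.B.C
# Prints lines whose client IP (first field) lies in A.B.C.0/24. Anchoring
# on $1 avoids counting the same string if it appears in a request path.
access_hits_from_slash24() {
  awk -v prefix="$2." 'index($1, prefix) == 1' "$1"
}

# access_hits_matching LOG PATTERN
# Count of lines matching PATTERN case-insensitively anywhere on the line,
# which covers the referer and user-agent fields (the /brandimensions/i check).
access_hits_matching() {
  grep -i -c -- "$2" "$1" || true
}

# count_lines: wc -l without the leading whitespace some implementations emit.
count_lines() {
  wc -l | tr -d ' '
}

echo "== mail log hits for 'twenty' =="
grep_maillogs twenty "$WORK"
echo "== access log hits from 209.167.50.0/24 =="
access_hits_from_slash24 "$WORK/access_log" 209.167.50
echo "== access log lines matching 'brandimensions' =="
access_hits_matching "$WORK/access_log" brandimensions
```

Point `grep_maillogs` at the real spool directory (for example `/var/log`) and the `.gz` rotations are covered automatically. The reverse-DNS step from the post (`dig -x 209.167.50.27` or `host 209.167.50.27`) needs network access and is left out of the script; run it separately and compare the result against what the access log shows.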

