Security Basics mailing list archives
Re: Strange server behavior.
From: Ben <sixtwelveohtwo () gmail com>
Date: Tue, 28 Dec 2010 08:34:48 -0800
Paul, I'm afraid that we'd probably need some more details (some of the URLs in question would be a good start) to try to offer any real insight into what this more likely is. Moderately wild conjecture is probably the most we can offer, otherwise. Fortunately, I'm always happy to postulate rather wildly from such a limited dataset.

Since this is a web server and the process making these requests is IIS, it is _possible_ that this is by design. Your developers could be calling partner sites or using something in their code to pull data from these other URLs. You should presumably see the same behavior on all the other similar web servers, though. If it's just this server and there isn't anything (else) unique about it, then it's probably something else. You might check some of the URLs that it is fetching against www.malwaredomainlist.com and see if any of them are known-bad hosts.

The missing User-Agent header is possibly the most suspicious item of interest. I would expect even a built-in curl() or something (see earlier possibility) to send this. It has become more and more common for bots to phone home via web applications these days. The most sophisticated ones even use real-world apps like webmail accounts, so it wouldn't be surprising if a less sophisticated system was phoning home to a list of C&C servers owned (or compromised) directly by the attackers.

You might try to track down where the IP addresses of these domains are located - this could potentially be the most telling piece of information. If your web server would never have any reason to send requests to the Ukraine or South Africa, it's probably time to take it off the network. Frankly, if you have the luxury of taking it off the network while you investigate it a little further, I would promote that strategy. Most of us paranoid delusional security pundits will always tell you to assume the worst.

Hope this is helpful!
// Ben

On Tue, Dec 28, 2010 at 4:51 AM, Paul Halliday <paul.halliday () gmail com> wrote:
> I have a server 2003 box running IIS that seems to be walking through URLs. I was looking into this machine for some other odd behavior when I noticed this. This is a live Web server so no one would be on the machine (in the typical sense anyway). Most of the URLs appear to be commercial in nature, but cheesy, like what you would see in SPAM. All that is in the requests is a GET and there is no user agent. On the box, tcpview shows that the requests belong to w3wp.exe. AV scans on the box and malwarebytes are coming up empty. What the heck is this?
>
> Thanks.
>
> --
> Paul Halliday
> http://www.pintumbler.org

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
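Added example, not part of the thread or of any tool mentioned in it: the triage Ben suggests (flag outbound requests with no User-Agent header, compare the destination hosts against a known-bad list and against the partner sites the developers admit to calling, and group by host so the odd ones stand out), written as a small Python script over constructed request records of the kind you would reconstruct from tcpview plus a packet capture. The hostnames, the blocklist and the partner allow list are all made up for the example; a real run would feed it a feed such as www.malwaredomainlist.com and the application's real partner list. Geolocating the destination IPs is deliberately left out because it needs a live lookup.

```python
"""Triage outbound HTTP requests seen leaving a web-server process.

Added example; the records, blocklist and allow list below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample records (not real captures): one "process src -> dst"
# line, then the raw request as it would appear on the wire. Hostnames use
# reserved example domains and are made up for this example.
SAMPLE_REQUESTS = [
    "w3wp.exe 10.0.0.5:2044 -> 203.0.113.10:80\n"
    "GET /api/rates HTTP/1.1\r\nHost: partner.example.net\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n\r\n",
    "w3wp.exe 10.0.0.5:2047 -> 198.51.100.23:80\n"
    "GET /buy-cheap-pills.html HTTP/1.1\r\nHost: cheap-pills-deal.example\r\n\r\n",
    "w3wp.exe 10.0.0.5:2048 -> 198.51.100.24:80\n"
    "GET /replica.html HTTP/1.1\r\nHost: best-watches-shop.example\r\n\r\n",
    "w3wp.exe 10.0.0.5:2051 -> 198.51.100.7:80\n"
    "GET /in.php?id=7 HTTP/1.0\r\n\r\n",
    "w3wp.exe 10.0.0.5:2053 -> 198.51.100.23:80\n"
    "GET /buy-cheap-pills.html HTTP/1.1\r\nHost: cheap-pills-deal.example\r\n\r\n",
]

# Constructed stand-ins for a known-bad feed and for the partner sites the
# application is supposed to call by design.
BLOCKLIST = {"cheap-pills-deal.example"}
TRUSTED_HOSTS = {"partner.example.net"}

FIRST_LINE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)$")
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")
RAW_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass
class Request:
    process: str
    src: str
    dst: str
    method: str
    target: str
    headers: dict = field(default_factory=dict)

    @property
    def host(self) -> str:
        # Host header wins; fall back to the destination IP. A missing Host
        # header is itself unusual for HTTP/1.1 and is reported separately.
        return self.headers.get("host", self.dst.split(":")[0]).lower()


def parse_record(record: str) -> Request:
    """Parse one 'process src -> dst' line followed by a raw HTTP request."""
    meta, _, http = record.partition("\n")
    m = FIRST_LINE.match(meta.strip())
    if not m:
        raise ValueError(f"bad record header: {meta!r}")
    lines = http.split("\r\n")
    r = REQUEST_LINE.match(lines[0])
    if not r:
        raise ValueError(f"bad request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(m.group(1), m.group(2), m.group(3), r.group(1), r.group(2), headers)


def suspicion_reasons(req: Request, blocklist: set, trusted_hosts: set) -> list:
    """Return the reasons a request looks unlike legitimate app traffic."""
    reasons = []
    if "user-agent" not in req.headers:
        reasons.append("no-user-agent")  # the detail singled out in the thread
    if "host" not in req.headers:
        reasons.append("no-host-header")
    if req.host in blocklist:
        reasons.append("host-on-blocklist")
    if RAW_IP.fullmatch(req.host):
        reasons.append("raw-ip-host")  # bots often carry bare IPs, partners rarely do
    if req.host not in trusted_hosts:
        reasons.append("not-known-partner")
    return reasons


def triage(records, blocklist=BLOCKLIST, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Group flagged requests by destination host: {host: {count, reasons}}."""
    out = {}
    for rec in records:
        req = parse_record(rec)
        reasons = suspicion_reasons(req, blocklist, trusted_hosts)
        if not reasons:
            continue  # looks like designed-in traffic; leave it out of the report
        entry = out.setdefault(req.host, {"count": 0, "reasons": set()})
        entry["count"] += 1
        entry["reasons"].update(reasons)
    return out


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_REQUESTS).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{info['count']:3d}  {host:30s}  {', '.join(sorted(info['reasons']))}")
```

Anything that comes out with only `not-known-partner` is a question for the developers; a host that also has `no-user-agent` and a blocklist hit is the kind of thing Ben is suggesting you pull the box off the network for.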
Current thread:
- Strange server behavior. Paul Halliday (Dec 28)
- Message not available
- Re: Strange server behavior. Paul Halliday (Dec 28)
- Message not available
- Re: Strange server behavior. Ben (Dec 28)
- <Possible follow-ups>
- Re: Strange server behavior. krymson (Dec 28)
- Re: Strange server behavior. krymson (Dec 28)
- Re: Strange server behavior. Paul Halliday (Dec 29)
- Re: Strange server behavior. Christian Lauf (Dec 29)