Security Incidents mailing list archives
Re: foreign HTTP requests
From: ddoc () MIA CZ (Daniel Dočekal)
Date: Thu, 15 Jun 2000 22:39:19 +0200
I installed a "404" handler on our web servers and from that time see something that I cannot 100% explain: several times per day we get requests for a totally different web server. I.e. for example a request to a valid URL on lwn.net, sometimes to some Java class on some server, etc. Requests are received from different IPs, different User-Agents, sometimes from proxy IPs and so on. Often the User-Agents are strange, but otherwise the headers don't look like they were spoofed.
We are experiencing the same things - these are THOUSANDS of wrong requests for perfectly legal content from different servers. I reported this as a BUG to Microsoft a long time ago, but I have NEVER got any response. It is a BUG of _browsers_ in my opinion, which are sending requests to wrong IP addresses - my guess is that it happens at the moment of changing from one server to another.
Can this be scanning for open proxies? (The headers look too realistic and different to believe that they are generated by a scanner.) Maybe this is a known bug in DNS servers? If someone is exploiting it for some other reason - for which?

A few sample requests follow.

#1)
datetime: 14/06/2000 21:34:41
SERVER_NAME: www.lwn.net
QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3
Accept: www/source, text/html, video/mpeg, image/jpeg, image/x-tiff, image/x-rgb, image/x-xbm, image/gif, */*, application/postscript
Host: www.lwn.net
User-Agent: EmailSiphon
Cookie: jrunsessionid=96100716990480607; path=/
REMOTE_ADDR: [yyy.yyy.yyy]
REMOTE_HOST: 193.251.45.224
REMOTE_PORT: 2410
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#2)
datetime: 13/06/2000 05:17:21
SERVER_NAME: community.cnn.com
QUERY_STRING: 404;http://community.cnn.com/cgi-bin/WebX?14@128.EMbcc5YmsuQ^0@.ee7b4aa/98809
Accept: www/source, text/html, video/mpeg, image/jpeg, image/x-tiff, image/x-rgb, image/x-xbm, image/gif, */*, application/postscript
Host: community.cnn.com
User-Agent: Mozilla/b0.4
Cookie: WEBTRENDS_ID=167.206.58.40-3717060432.29349083; expires=Fri, 31-Dec-2010 00:00:00 GMT; path=/
REMOTE_ADDR: [xxx.xxx.xxx.xxx]
REMOTE_HOST: [xxx.xxx.xxx.xxx]
REMOTE_PORT: 2938
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#3)
datetime: 14/06/2000 07:29:27
SERVER_NAME: chineseculture.about.com
QUERY_STRING: 404;http://chineseculture.about.com/library/chinese/arts/library/extra/idiom/blidiom.htm
Accept: www/source, text/html, video/mpeg, image/jpeg, image/x-tiff, image/x-rgb, image/x-xbm, image/gif, */*, application/postscript
Host: chineseculture.about.com
User-Agent: Mozilla/3.Mozilla/2.01 (Win95; I)
Cookie: session-id-time=961574400; path=/; domain=.amazon.com; expires=Wednesday, 21-Jun-2000 08:00:00 GMT
REMOTE_ADDR: [zzz.zzz.zzz.zzz]
REMOTE_HOST: [zzz.zzz.zzz.zzz]
REMOTE_PORT: 2895
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

--
Best Regards
Vladimir Ivaschenko
Francoudi & Stephanou Ltd.
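The thread's question is whether these "foreign" 404s are misdirected browsers or a proxy scan. One way to get data on that is to post-process the custom-404 records and separate three cases: a plain 404 under one of our own hostnames, a request whose Host header names a site we do not serve, and a request where the Host header and the URL the error handler saw disagree. The script below is an added example written for this page, not code from either poster. It assumes the IIS-style "status;original-URL" QUERY_STRING format seen in the samples, a hypothetical LOCAL_HOSTS set, and constructed sample records modelled on the three quoted above (client addresses are documentation-range placeholders).

```python
"""Classify custom-404 records into local / foreign / mismatch and
summarize who is asking for which foreign hosts. Added example, not part
of the original thread."""
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this server is supposed to answer for. Hypothetical names; the
# real list would come from the web server configuration.
LOCAL_HOSTS = {"www.example.cy", "example.cy"}


def parse_error_query(query_string):
    """Split the 'status;original-URL' query string that an IIS-style custom
    error handler receives, e.g. '404;http://www.lwn.net/daily/ssh.php3'."""
    status, sep, url = query_string.partition(";")
    if not sep or not status.isdigit():
        raise ValueError("not a custom-error query string: %r" % query_string)
    return int(status), url


def classify(record, local_hosts=LOCAL_HOSTS):
    """Classify one logged 404 as 'local', 'foreign' or 'mismatch'.

    local    - a plain missing page under one of our own hostnames
    foreign  - the client asked for a site we do not serve at all
    mismatch - the Host header and the URL the handler saw name different
               hosts, which a well-formed client should never produce
    """
    _, url = parse_error_query(record["QUERY_STRING"])
    url_host = (urlsplit(url).hostname or "").lower()
    host_hdr = record.get("Host", "").split(":", 1)[0].lower()
    if url_host != host_hdr:
        return "mismatch"
    if host_hdr in local_hosts:
        return "local"
    return "foreign"


def summarize(records, local_hosts=LOCAL_HOSTS):
    """Count classes and, for foreign requests, the target hosts and client
    addresses. Many targets spread over many clients fits the misdirected
    browser theory; one client hitting many targets looks more like a
    proxy scanner."""
    classes, targets, clients = Counter(), Counter(), Counter()
    for rec in records:
        kind = classify(rec, local_hosts)
        classes[kind] += 1
        if kind == "foreign":
            targets[rec["Host"].lower()] += 1
            clients[rec["REMOTE_ADDR"]] += 1
    return {"classes": classes, "targets": targets, "clients": clients}


# Constructed sample records modelled on the ones quoted in the thread.
# REMOTE_ADDR values are documentation-range placeholders, not real clients.
SAMPLE_RECORDS = [
    {"QUERY_STRING": "404;http://www.lwn.net/daily/ssh.php3",
     "Host": "www.lwn.net", "User-Agent": "EmailSiphon",
     "REMOTE_ADDR": "198.51.100.7"},
    {"QUERY_STRING": "404;http://community.cnn.com/cgi-bin/WebX?14@128.EMbcc5YmsuQ^0@.ee7b4aa/98809",
     "Host": "community.cnn.com", "User-Agent": "Mozilla/b0.4",
     "REMOTE_ADDR": "203.0.113.21"},
    {"QUERY_STRING": "404;http://chineseculture.about.com/library/chinese/arts/library/extra/idiom/blidiom.htm",
     "Host": "chineseculture.about.com",
     "User-Agent": "Mozilla/3.Mozilla/2.01 (Win95; I)",
     "REMOTE_ADDR": "192.0.2.44"},
    # an ordinary 404 on our own site
    {"QUERY_STRING": "404;http://www.example.cy/old/page.html",
     "Host": "www.example.cy", "User-Agent": "Mozilla/4.0",
     "REMOTE_ADDR": "192.0.2.44"},
    # Host header and requested URL disagree
    {"QUERY_STRING": "404;http://www.lwn.net/daily/",
     "Host": "www.example.cy", "User-Agent": "Mozilla/4.0",
     "REMOTE_ADDR": "203.0.113.21"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec), rec["Host"], rec["QUERY_STRING"])
    print(summarize(SAMPLE_RECORDS))
```

Run over a day's worth of real records, the "clients" counter is the thing to look at: a scanner probing for open proxies shows up as a few addresses each asking for many different foreign hosts, while misdirected browsers give roughly one foreign host per client.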
Current thread:
- Re: foreign HTTP requests Daniel Dočekal (Jun 15)
- Re: foreign HTTP requests Nicolas GREGOIRE (Jun 16)
- <Possible follow-ups>
- Re: foreign HTTP requests Daniel Docekal (Jun 16)
- Re: foreign HTTP requests Nicolas GREGOIRE (Jun 20)
- Re: foreign HTTP requests Sevo Stille (Jun 20)
- Re: foreign HTTP requests Daniel Dočekal (Jun 20)
- Re: foreign HTTP requests Bjorn Djupvik (Jun 20)
- Re: foreign HTTP requests Nicolas GREGOIRE (Jun 22)
- Re: foreign HTTP requests Vladimir Ivaschenko (Jun 22)
- Re: foreign HTTP requests Bjorn Djupvik (Jun 23)
- 8.2.2-P5 stops answering queries? Daniel Ramirez (Jun 22)
- Re: foreign HTTP requests Nicolas GREGOIRE (Jun 22)
(Thread continues...)