Security Incidents mailing list archives

Hiding the source of the web server scan


From: "Bobby, Paul" <paul.bobby () lmco com>
Date: Thu, 17 May 2001 11:47:50 -0400

Can anyone tell me what tool is used to accomplish the following?

The port scans I see for web servers are followed up with the following
series of commands:

GET http://www.intel.com/ HTTP/1.1\r\n
Host: www.intel.com \r\n
Accept: */*\r\n
Pragma: no-cache:\r\n
User-Agent: Mozilla/4.0\r\n
\r\n

www.intel.com is sometimes replaced with www.yahoo.com or whatever address.

The port scan itself is of course detected by my perimeter security; the web
server log, I presume, always logs that the source was www.intel.com.

No big deal, just that I'm seeing a lot of these recently.

=========
Paul Bobby
<dream> Got Root? </dream> 
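
Added example, not part of the original message: one way to pull requests like the one quoted above out of a web server access log. The request line carries an absolute URI (the form a client sends to a proxy) naming a host the server does not serve, so the sketch flags every such line and groups the results by client address. The Common Log Format layout, the LOCAL_HOSTS names and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (assumed for the example).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Common Log Format: client ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/May/2001:11:40:01 -0400] "GET http://www.intel.com/ HTTP/1.1" 200 1456',
    '192.0.2.10 - - [17/May/2001:11:40:03 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 404 210',
    '198.51.100.7 - - [17/May/2001:11:41:10 -0400] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [17/May/2001:11:41:12 -0400] "GET http://www.example.org/about HTTP/1.1" 200 900',
    '203.0.113.5 - - [17/May/2001:11:42:00 -0400] "-" 408 -',
]

def foreign_absolute_requests(lines, local_hosts=LOCAL_HOSTS):
    """Return (client, method, target_host, status) for every request whose
    request-target is an absolute URI naming a host that is not ours."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                      # not a CLF line
        client, request, status = m.groups()
        parts = request.split()
        if len(parts) < 2 or "://" not in parts[1]:
            continue                      # empty request or ordinary /path target
        try:
            host = (urlsplit(parts[1]).hostname or "").lower()
        except ValueError:
            continue                      # unparsable authority component
        if host and host not in local_hosts:
            hits.append((client, parts[0], host, int(status)))
    return hits

def summarize(hits):
    """Group hits by client: which foreign hosts were requested, which statuses we sent."""
    by_client = {}
    for client, _method, host, status in hits:
        entry = by_client.setdefault(client, {"hosts": set(), "statuses": set()})
        entry["hosts"].add(host)
        entry["statuses"].add(status)
    return by_client

if __name__ == "__main__":
    for client, info in summarize(foreign_absolute_requests(SAMPLE_LOG)).items():
        print(client, sorted(info["hosts"]), sorted(info["statuses"]))
```

A 2xx status on a flagged line is the case to look at first, since it means the server answered the request instead of rejecting it.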

