Security Incidents mailing list archives
Re: Hiding the source of the web server scan
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Fri, 18 May 2001 07:49:46 +0200 (CEST)
On Thu, 17 May 2001, Bobby, Paul wrote:

> Can anyone tell me what tool is used to accomplish the following? The port
> scans I see for web servers are followed up with the following series of
> commands:
>
> GET http://www.intel.com/ HTTP/1.1\r\n
> Host: www.intel.com \r\n
> Accept: */*\r\n
> Pragma: no-cache:\r\n
> User-Agent: Mozilla/4.0\r\n
> \r\n
>
> www.intel.com is sometimes replaced with www.yahoo.com or whatever address.
So you run the webservers for www.intel.com and/or www.yahoo.com?
> The port scan itself is of course detected by my perimeter security, the web
> server log I presume always logs that the source was www.intel.com.
Wrong assumption. The Host: www.intel.com line is to indicate the virtual server you want to reach with the get command. Sounds like someone is trying to use your website as a proxy.

Hugo.

--
All email sent to me is bound to the rules described on my homepage.
hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.
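An added example, not part of the original message or of any tool used in the thread: a Python script that scans access-log lines for the request pattern quoted above (a GET whose target is a full URL for a host the server does not serve) and reports the client address that sent it. The `LOCAL_HOSTS` values, the common log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server really serves (assumed values for the example).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Constructed sample lines in Apache common log format, not from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [17/May/2001:10:01:02 +0200] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [17/May/2001:10:03:44 +0200] "GET http://www.intel.com/ HTTP/1.1" 200 18342
198.51.100.7 - - [17/May/2001:10:03:45 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 403 291
203.0.113.5 - - [17/May/2001:10:05:10 +0200] "GET http://www.example.org/about HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

def foreign_host(target):
    """Return the host of an absolute-form target that is not ours, else None."""
    if "://" not in target:          # origin-form ("/path"): ordinary request
        return None
    host = (urlsplit(target).hostname or "").lower()
    return None if host in LOCAL_HOSTS else host

def find_proxy_probes(log_text):
    """Return (source_ip, foreign_host, outcome) for each proxy-style request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = foreign_host(m["target"])
        if host is None:
            continue
        # The source is the client address in field one, never the Host value.
        # A 2xx/3xx may be a relayed page or just the local default page:
        # compare the response size with the local page before concluding.
        outcome = "answered" if int(m["status"]) < 400 else "refused"
        findings.append((m["src"], host, outcome))
    return findings

if __name__ == "__main__":
    for src, host, outcome in find_proxy_probes(SAMPLE_LOG):
        print(f"{src} asked for {host}: {outcome}")
```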