Security Incidents mailing list archives
Re: Chinese HTTP ACKs
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 09 Feb 2005 16:13:53 -0600
On Wed, 2005-02-09 at 10:08 -0800, David Gillett wrote:
> I'm seeing a handful of addresses in the 61.143.210.0/23 space
> periodically send 2-3 ACKs from port 80 to semi-random addresses
> within our Class B space. The TCP checksum on these packets is
> incorrect. [...] Anybody else seeing similar?
Not quite. However, we have observed the Sohu Search engine (www.sohu.com) doing some funky stuff. It checks existing pages and non-existing pages (like /abcdefghijklm.html) with GET and HEAD requests. In those requests are tons of really funky cookies.

At first glance, I thought the search engine had gone bonkers, or was badly coded. However, certain traits seem more purposeful (like checking for the non-existing page). It appears more of a fingerprinting/recon than a spidering of an existing site. Oh, and they also performed proxy checks (trying GET http://www.sohu.com against the tested hosts). Not really a feature of a search engine either :)

These accesses were observed from 61.135.131.0/24 and 220.181.26.0/24. You might want to keep an eye on those subnets. Has anyone else noticed attempts from Sohu or has some more information he can share here?

Cheers,
Frank
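For anyone who wants to check their own web logs for the traits described in this message, the following is an added example and not part of the original post. It assumes Apache common log format; the flag names, function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Subnets named in the post above.
WATCHED_NETS = [ipaddress.ip_network(n) for n in ("61.135.131.0/24", "220.181.26.0/24")]
# Apache common log format: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')
# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
61.135.131.10 - - [09/Feb/2005:10:00:01 -0600] "GET /index.html HTTP/1.0" 200 5120
61.135.131.10 - - [09/Feb/2005:10:00:02 -0600] "HEAD /abcdefghijklm.html HTTP/1.0" 404 0
61.135.131.10 - - [09/Feb/2005:10:00:03 -0600] "GET http://www.sohu.com HTTP/1.0" 404 210
220.181.26.7 - - [09/Feb/2005:10:05:00 -0600] "GET /abcdefghijklm.html HTTP/1.0" 404 210
192.0.2.44 - - [09/Feb/2005:10:06:05 -0600] "GET /index.html HTTP/1.1" 200 5120
this line is malformed and must be skipped
"""

def classify(line):
    """Return (client_ip, flags) for one log line, or None if it cannot be parsed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname logged instead of an address: skip
        return None
    flags = set()
    if any(addr in net for net in WATCHED_NETS):
        flags.add("watched-subnet")
    # An absolute-URI target sent to an origin server is an open-proxy check.
    if re.match(r"(?i)^https?://", target):
        flags.add("proxy-check")
    elif method in ("GET", "HEAD") and status == "404":
        flags.add("missing-page-probe")  # weak alone; meaningful when combined
    return client, flags

def summarize(log_text):
    # Union the flags per client, dropping clients that raised none.
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            per_client[result[0]] |= result[1]
    return dict(per_client)

if __name__ == "__main__":
    for ip, flags in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, sorted(flags))
```

The cookies mentioned in the message are not recorded in common log format, so matching on them would need a custom log format or a packet capture.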