Security Incidents mailing list archives

Re: Chinese HTTP ACKs


From: Peter Kerr <p.kerr () auckland ac nz>
Date: 10 Feb 2005 14:46:22 -0000

In-Reply-To: <1107987233.679.89.camel@localhost>

From: Frank Knobbe <frank () knobbe us>
In-Reply-To: <00f101c50ed2$56e35ff0$646f1299@HURON>
Date: Wed, 09 Feb 2005 16:13:53 -0600

...
Oh, and they also performed proxy checks (trying GET http://www.sohu.com
against the tested hosts). Not really a feature of a search engine
either :)

These accesses were observed from 61.135.131.0/24 and 220.181.26.0/24.

You might want to keep an eye on those subnets. Has anyone else noticed
attempts from Sohu or has some more information he can share here?


61.128.234.194 - - [31/Jan/2005:19:12:34 +1300] "GET http://www.sina.com.cn/ HTTP/1.1" 200 1090

Just the one GET, no other probing, also once each on 28 & 29 Jan.
There have been bots from all places except .cn looking thru my index 
structure. I just assumed this guy was looking for an open proxy, didn't 
find it & went away.

