Security Basics mailing list archives
Re: Strange server behavior.
From: Paul Halliday <paul.halliday () gmail com>
Date: Tue, 28 Dec 2010 16:06:38 -0400
On Tue, Dec 28, 2010 at 3:17 PM, <krymson () gmail com> wrote:
Well, gosh, Paul, based on your last update with the URL/domain examples, I'd definitely see what is new in the code recently. This really looks like some sort of SEO/rank-influencing sort of behavior of some sort, or hit-generating scheme? You might be able to submit some of those URLs to malware/site-scanning engines to see if they cry foul or cry about malware attempting to be submitted. Maybe (Maybe!!!) visit them using Firefox+NoScript and a non-Windows box (or throw-away box/VM) and see what is attempting to run. That may give clues as to what maybe wiggled its way into your site? I don't recommend visiting such links in Windows or IE or a naked Firefox...be careful.
I found the problem. It looks like the GETs are being induced by Blog page visits. Whatever is in the referrer component when the client visits the blog page, the Web Server goes out and hits that same link:

125.162.242.240 - - [23/Dec/2010:02:10:31 -0400] "GET http://www.myhost/blog.aspx HTTP/1.1" - - "http://www.gaydating.mygaycrowd.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
myhost- - [23/Dec/2010:02:10:31 -0400] "GET http://www.gaydating.mygaycrowd.com/ HTTP/1.1" - - "-" "-"

80.81.159.20 - - [23/Dec/2010:02:40:55 -0400] "GET http://www.myhost/blog.aspx HTTP/1.0" - - "http://www.gaydating.mygaycrowd.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
myhost - - [23/Dec/2010:02:40:55 -0400] "GET http://www.gaydating.mygaycrowd.com/ HTTP/1.1" - - "-" "-"

187.17.22.6 - - [23/Dec/2010:00:00:40 -0400] "GET http://www.myhost/blog.aspx HTTP/1.0" - - "http://www.mystreetwearfashion.info" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
myhost - - [23/Dec/2010:00:00:40 -0400] "GET http://www.mystreetwearfashion.info/ HTTP/1.1" - - "-" "-"

A quick peek at those sources puts all of them on numerous blacklists. Botnet SEO :). What's interesting is the page requests from the clients are random; they aren't hitting the same blog, or blog entries.

The owners of the box tell me that the software is BlogEngine.NET 1.5.07 and that there are no known bugs. Whether this is true or not is another story.

Thanks for the suggestions everyone.
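The pattern Paul describes (a client visit to the blog page carrying a referrer, immediately followed by the web server itself fetching that referrer URL) is easy to confirm from the access log alone. The script below is an added example, not code from the list or from BlogEngine.NET: it parses combined-format log lines, pairs each outbound request whose source is the server host with an inbound request whose referrer matches the fetched URL within a few seconds, and tallies the referrer domains. The sample log is constructed from the three request pairs quoted above (with the missing space before "- -" on the second line restored) plus one invented benign visit that carries a referrer the server never fetches; the server host name "myhost" and the five-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit, urlunsplit

# Constructed sample log: the three client/server pairs from the post, one entry
# per line, plus an invented benign visit (10.0.0.5) whose referrer is never fetched.
SAMPLE_LOG = """\
125.162.242.240 - - [23/Dec/2010:02:10:31 -0400] "GET http://www.myhost/blog.aspx HTTP/1.1" - - "http://www.gaydating.mygaycrowd.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
myhost - - [23/Dec/2010:02:10:31 -0400] "GET http://www.gaydating.mygaycrowd.com/ HTTP/1.1" - - "-" "-"
80.81.159.20 - - [23/Dec/2010:02:40:55 -0400] "GET http://www.myhost/blog.aspx HTTP/1.0" - - "http://www.gaydating.mygaycrowd.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
myhost - - [23/Dec/2010:02:40:55 -0400] "GET http://www.gaydating.mygaycrowd.com/ HTTP/1.1" - - "-" "-"
187.17.22.6 - - [23/Dec/2010:00:00:40 -0400] "GET http://www.myhost/blog.aspx HTTP/1.0" - - "http://www.mystreetwearfashion.info" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
myhost - - [23/Dec/2010:00:00:40 -0400] "GET http://www.mystreetwearfashion.info/ HTTP/1.1" - - "-" "-"
10.0.0.5 - - [23/Dec/2010:03:00:00 -0400] "GET http://www.myhost/blog.aspx HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0"
"""

# Combined log format as it appears in the post: status and size may be "-".
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" \S+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def normalize(url):
    """Canonicalise a URL so 'http://host' and 'http://host/' compare equal."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def find_referrer_fetches(log_text, server_host="myhost", window_seconds=5):
    """Pair server-originated GETs with the client request that supplied the referrer.

    An outbound request (source == server_host) is flagged when some inbound request
    within the time window carried a referrer equal to the URL the server fetched.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    inbound = [r for r in records if r["src"] != server_host and r["referer"] != "-"]
    outbound = [r for r in records if r["src"] == server_host]
    window = timedelta(seconds=window_seconds)
    hits = []
    for out in outbound:
        target = normalize(out["url"])
        for inb in inbound:
            if normalize(inb["referer"]) == target and abs(out["ts"] - inb["ts"]) <= window:
                hits.append({"client": inb["src"], "referer": inb["referer"],
                             "fetched": out["url"], "when": out["ts"].isoformat()})
                break
    return hits


def referrer_domains(hits):
    """Count how often each referrer host caused a server-side fetch."""
    return Counter(urlsplit(h["referer"]).netloc.lower() for h in hits)


if __name__ == "__main__":
    found = find_referrer_fetches(SAMPLE_LOG)
    for h in found:
        print(f'{h["when"]}  client {h["client"]} -> server fetched {h["fetched"]}')
    print(referrer_domains(found))
```

Run against a real log, the domain tally is the list worth checking against blacklists, and a non-empty result after any code change to the blog is the quickest regression check that the referrer-fetching behaviour has been switched off.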
Current thread:
- Strange server behavior. Paul Halliday (Dec 28)
- Message not available
- Re: Strange server behavior. Paul Halliday (Dec 28)
- Message not available
- Re: Strange server behavior. Ben (Dec 28)
- <Possible follow-ups>
- Re: Strange server behavior. krymson (Dec 28)
- Re: Strange server behavior. krymson (Dec 28)
- Re: Strange server behavior. Paul Halliday (Dec 29)
- Re: Strange server behavior. Christian Lauf (Dec 29)