Security Basics mailing list archives

Re: Strange server behavior.


From: Paul Halliday <paul.halliday () gmail com>
Date: Tue, 28 Dec 2010 16:06:38 -0400

On Tue, Dec 28, 2010 at 3:17 PM,  <krymson () gmail com> wrote:
Well, gosh, Paul, based on your last update with the URL/domain examples, I'd definitely see what is new in the code 
recently. This really looks like some sort of SEO/rank-influencing sort of behavior of some sort, or hit-generating 
scheme?

You might be able to submit some of those URLs to malware/site-scanning engines to see if they cry foul or cry about 
malware attempting to be submitted. Maybe (Maybe!!!) visit them using Firefox+NoScript and a non-Windows box (or 
throw-away box/VM) and see what is attempting to run. That may give clues as to what maybe wiggled its way into your 
site?

I don't recommend visiting such links in Windows or IE or a naked Firefox...be careful.


I found the problem. It looks like the GETS are being induced by Blog
page visits. Whatever is in the referrer component when the client
visits the blog page, the Web Server goes out and hits that same link:

125.162.242.240 - - [23/Dec/2010:02:10:31 -0400] "GET http://www.myhost/blog.aspx HTTP/1.1" - - "http://www.gaydating.mygaycrowd.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"

myhost - - [23/Dec/2010:02:10:31 -0400] "GET http://www.gaydating.mygaycrowd.com/ HTTP/1.1" - - "-" "-"

80.81.159.20 - - [23/Dec/2010:02:40:55 -0400] "GET http://www.myhost/blog.aspx HTTP/1.0" - - "http://www.gaydating.mygaycrowd.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"

myhost - - [23/Dec/2010:02:40:55 -0400] "GET http://www.gaydating.mygaycrowd.com/ HTTP/1.1" - - "-" "-"

187.17.22.6 - - [23/Dec/2010:00:00:40 -0400] "GET http://www.myhost/blog.aspx HTTP/1.0" - - "http://www.mystreetwearfashion.info" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"

myhost - - [23/Dec/2010:00:00:40 -0400] "GET http://www.mystreetwearfashion.info/ HTTP/1.1" - - "-" "-"

A quick peek at those sources puts all of them on numerous blacklists.
Botnet SEO :). What's interesting is the page requests from the clients
are random; they aren't hitting the same blog, or blog entries.
The owners of the box tell me that the software is BlogEngine.NET
1.5.07 and that there are no known bugs. Whether this is true or not
is another story.

Thanks for the suggestions everyone.
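One way to confirm the correlation Paul describes directly from the access log, as an added example that is not part of the original thread: it pairs each inbound request's Referer with an outbound fetch by the server itself to that same URL within a short window. It assumes NCSA combined log format with the server's own fetches logged under the source `myhost`; the sample lines are constructed after the ones quoted above.

```python
import re
from datetime import datetime

# Combined log format; status and size may be "-" as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" \S+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, modelled on the log excerpt above (source is assumed to be "myhost").
SAMPLE_LOG = [
    '125.162.242.240 - - [23/Dec/2010:02:10:31 -0400] "GET http://www.myhost/blog.aspx HTTP/1.1" - - "http://www.gaydating.mygaycrowd.com/" "Mozilla/5.0"',
    'myhost - - [23/Dec/2010:02:10:31 -0400] "GET http://www.gaydating.mygaycrowd.com/ HTTP/1.1" - - "-" "-"',
    '187.17.22.6 - - [23/Dec/2010:00:00:40 -0400] "GET http://www.myhost/blog.aspx HTTP/1.0" - - "http://www.mystreetwearfashion.info" "Opera 8.50"',
    'myhost - - [23/Dec/2010:00:00:40 -0400] "GET http://www.mystreetwearfashion.info/ HTTP/1.1" - - "-" "-"',
    # A normal visit: Referer present, but the server never fetches it.
    '10.0.0.5 - - [23/Dec/2010:03:00:00 -0400] "GET http://www.myhost/blog.aspx HTTP/1.1" 200 512 "http://www.example.org/" "Mozilla/5.0"',
]

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def find_referer_echoes(lines, server_host="myhost", window=5):
    """Return (client_ip, referer, seconds_later) for each inbound request whose
    Referer URL the server itself requested within `window` seconds afterwards."""
    entries = [e for e in map(parse, lines) if e]
    outbound = [e for e in entries if e["host"] == server_host]
    hits = []
    for e in entries:
        ref = e["referer"].rstrip("/")          # tolerate the missing trailing slash seen above
        if e["host"] == server_host or ref in ("", "-"):
            continue
        for o in outbound:
            delta = (o["ts"] - e["ts"]).total_seconds()
            if o["url"].rstrip("/") == ref and 0 <= delta <= window:
                hits.append((e["host"], e["referer"], delta))
                break
    return hits

if __name__ == "__main__":
    for client, ref, secs in find_referer_echoes(SAMPLE_LOG):
        print(f"{client} -> server echoed Referer {ref} after {secs:.0f}s")
```

Once the echoes are isolated, the distinct Referer hosts give the list to check against blacklists, and a spike in the echo count per minute is a usable alert threshold.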
