Security Incidents mailing list archives

Re: foreign HTTP requests


From: Vladimir Ivaschenko <hazard () FRANCOUDI COM>
Date: Wed, 26 Jul 2000 18:44:04 +0300

It seems that I have tracked this problem down - after I disabled keep-alive
(IIS 5.0 on Windows 2000), I haven't got any wrong requests for several days
now.

Vladimir Ivaschenko wrote:

Nicolas GREGOIRE wrote:

Here are the kinds of Host requested:
4 are trying to hit a host hosted on this web server (all "GET / HTTP/1.0"),
6 are trying to hit a host NOT hosted on this web server (all requesting
non-existing documents on this server).

Here are the kinds of User-Agent:
6 User-Agent like "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)",
1 User-Agent like "Mozilla/3.0 (compatible)",
1 User-Agent like "Mozilla (X11; I; Linux 2.0.32 i586)", => Yes, Linux!
1 User-Agent like "Mozilla/4.72 [en] (Win98; U)",
1 User-Agent like "WebTrends Link Analyzer".

In my case, out of 8 requests:

Mozilla/4.6 [en] (Win98; I)    - 2
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)    - 3
Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)    - 1
Mozilla/3.Mozilla/2.01 (Win95; I) - 1                    << ???
Microsoft Internet Explorer/4.40.426 (Windows 95) - 1   << ???

What's more strange is that sometimes I get requests coming through ISPs'
proxies (running SQUID usually), with a Host: field pointing to a totally
different server. Except for some kind of a DNS bug, I don't have any way to
explain this so far.
Sample request below.

SERVER_NAME:www.some_other_host.com
QUERY_STRING: 404;http://www.some_other_host.com/some_url/
Accept: application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, image/gif, mage/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Host:  www.some_other_host.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Cookie: WDPERMID=04E0YG81E; WWTHREADID=4E0YVWW1
Proxy-Connection: Keep-Alive
Accept-Encoding: gzip, deflate
REMOTE_ADDR: proxy_ip
REMOTE_HOST: proxy_ip
REMOTE_PORT: 3051
HTTP_PROXY_CONNECTION: Keep-Alive
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

--
Best Regards
Vladimir Ivaschenko
Francoudi & Stephanou Ltd
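
The tallies both posters made by hand, as an added example (not code from the thread): a parser for request dumps in the layout of the sample above that flags requests whose Host header names a site this server does not host, and counts them per User-Agent, source address and whether they arrived with Proxy-Connection: Keep-Alive. The HOSTED set, the sample records and the addresses are constructed assumptions.

```python
from collections import Counter

HOSTED = {"www.example.com", "shop.example.com"}  # hypothetical vhosts on this server (assumption)
# Constructed sample dumps in the "name: value" layout of the request quoted above.
SAMPLE = """\
QUERY_STRING: 404;http://www.some_other_host.com/some_url/
Accept: application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, image/gif, */*
Host:  www.some_other_host.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Proxy-Connection: Keep-Alive
REMOTE_ADDR: 192.0.2.10

Host: www.example.com

Host: WWW.Another-Host.test:80
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
REMOTE_ADDR: 203.0.113.5
"""

def parse_dumps(text):
    """Split blank-line separated dumps into dicts keyed by lower-cased name."""
    records = []
    for block in text.strip().split("\n\n"):
        rec, last = {}, None
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:                      # "name: value" line (value may contain colons)
                last = name.strip().lower()
                rec[last] = value.strip()
            elif last:                   # wrapped value without a colon continues the field
                rec[last] += " " + line.strip()
        records.append(rec)
    return records

def classify(rec, hosted=HOSTED):
    """Return (verdict, via_keepalive_proxy) for one request dump."""
    host = rec.get("host", "").lower().split(":")[0]   # case-insensitive, drop any :port
    verdict = "no-host" if not host else "hosted" if host in hosted else "foreign"
    return verdict, rec.get("proxy-connection", "").lower() == "keep-alive"

def summarize(records):
    """Count foreign-Host requests per (User-Agent, source address, via proxy)."""
    tally = Counter()
    for rec in records:
        verdict, via_proxy = classify(rec)
        if verdict == "foreign":
            tally[(rec.get("user-agent", "-"), rec.get("remote_addr", "-"), via_proxy)] += 1
    return tally
```

Calling summarize(parse_dumps(SAMPLE)) returns the per-client counts; a cluster of foreign-Host requests from one proxy address with keep-alive set matches the pattern described in the message.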

