Security Incidents mailing list archives

foreign HTTP requests


From: hazard.bsn () CYP MAKS NET (Vladimir Ivaschenko)
Date: Thu, 15 Jun 2000 10:21:33 +0400


Hello all,

I installed a "404" handler on our web servers and since then I see
something that I cannot 100% explain: several times per day we get
requests for a totally different web server, i.e. for example a request to
a valid URL on lwn.net, sometimes to some java class on some server, etc.
Requests are received from different IPs, different User-Agents, sometimes
from proxy IPs and so on. Often the User-Agents are strange, but
otherwise the headers don't look like they were spoofed.

Can this be scanning for open proxies? (The headers look too realistic and
different to believe that they are generated by a scanner.)
Maybe this is a known bug in DNS servers?
If someone is exploiting it for some other reason, for which?

A few sample requests follow.

#1)

datetime: 14/06/2000 21:34:41

SERVER_NAME:www.lwn.net
QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3
Accept: www/source, text/html, video/mpeg, image/jpeg,
image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*,
application/postscript
Host: www.lwn.net
User-Agent: EmailSiphon
Cookie: jrunsessionid=96100716990480607; path=/
REMOTE_ADDR: [yyy.yyy.yyy]
REMOTE_HOST: 193.251.45.224
REMOTE_PORT: 2410
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#2)

datetime: 13/06/2000 05:17:21

SERVER_NAME:community.cnn.com
QUERY_STRING:
404;http://community.cnn.com/cgi-bin/WebX?14@128.EMbcc5YmsuQ^0@.ee7b4aa/98809
Accept: www/source, text/html, video/mpeg, image/jpeg,
image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*,
application/postscript
Host: community.cnn.com
User-Agent: Mozilla/b0.4
Cookie: WEBTRENDS_ID=167.206.58.40-3717060432.29349083; expires=Fri,
31-Dec-2010 00:00:00 GMT; path=/
REMOTE_ADDR: [xxx.xxx.xxx.xxx]
REMOTE_HOST: [xxx.xxx.xxx.xxx]
REMOTE_PORT: 2938
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#3)
datetime: 14/06/2000 07:29:27

SERVER_NAME:chineseculture.about.com
QUERY_STRING:
404;http://chineseculture.about.com/library/chinese/arts/library/extra/idiom/blidiom.htm
Accept: www/source, text/html, video/mpeg, image/jpeg,
image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*,
application/postscript
Host: chineseculture.about.com
User-Agent: Mozilla/3.Mozilla/2.01 (Win95; I)
Cookie: session-id-time=961574400; path=/; domain=.amazon.com;
expires=Wednesday, 21-Jun-2000 08:00:00 GMT
REMOTE_ADDR: [zzz.zzz.zzz.zzz]
REMOTE_HOST: [zzz.zzz.zzz.zzz]
REMOTE_PORT: 2895
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

--
Best Regards
Vladimir Ivaschenko
Francoudi & Stephanou Ltd.
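As an added example (not part of the post above), a small script that parses records in the layout of the 404-handler dumps and flags any whose Host header or logged URL names a site other than your own, which is the defender-side check for the misdirected or proxy-probing requests the post describes. The local hostname set and the second sample record are assumptions; the first sample record is copied from the post.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (assumed; adjust to your site).
LOCAL_HOSTS = {"www.example.com", "example.com"}

# Constructed sample in the same layout as the 404-handler records above.
SAMPLE_LOG = """\
#1)
SERVER_NAME:www.lwn.net
QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3
Host: www.lwn.net
User-Agent: EmailSiphon
REMOTE_HOST: 193.251.45.224

#2)
SERVER_NAME:www.example.com
QUERY_STRING: 404;http://www.example.com/old/page.html
Host: www.example.com
User-Agent: Mozilla/4.0
REMOTE_HOST: 10.0.0.5
"""

def parse_records(text):
    """Split the 404-handler dump into dicts keyed by header/variable name."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if ":" not in line:          # skips the "#N)" markers
                continue
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def is_foreign(rec, local_hosts=LOCAL_HOSTS):
    """True when the Host header or the URL the handler logged names another site."""
    host = rec.get("Host", "").lower()
    url = rec.get("QUERY_STRING", "").partition(";")[2]   # text after "404;"
    url_host = (urlsplit(url).hostname or "").lower()
    named = {h for h in (host, url_host) if h}            # ignore missing values
    return bool(named - set(local_hosts))

def foreign_requests(text, local_hosts=LOCAL_HOSTS):
    """Return (remote host, Host header, User-Agent) for every flagged record."""
    return [(r.get("REMOTE_HOST"), r.get("Host"), r.get("User-Agent"))
            for r in parse_records(text) if is_foreign(r, local_hosts)]
```

Feed it the real handler output and the flagged tuples give you the remote address and User-Agent to correlate across days, which is what separates a proxy scan from one misconfigured client.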
