Security Incidents mailing list archives

Re: foreign HTTP requests


From: ddoc () MIA CZ (Daniel Dočekal)
Date: Thu, 15 Jun 2000 22:39:19 +0200


I installed a "404" handler on our web servers and from that time see something that I cannot 100% explain: several times per day we get requests for a totally different web-server. I.e., for example, a request to a valid URL on lwn.net, sometimes to some java class on some server etc. Requests are received from different IPs, different User-Agents, sometimes from proxy IPs and so on. Often the User-Agent:'s are strange, but otherwise the headers don't look like they were spoofed.

We are experiencing the same things - these are THOUSANDS of wrong requests
for perfectly legal content from different servers. I have reported this as a
BUG to Microsoft a long time ago, but I have NEVER gotten any response.

It is a BUG of _browsers_, in my opinion, which are sending requests to wrong IP
addresses - my guess is that it happens at the moment of changing from one server
to another.


Can this be scanning for open proxies? (The headers look too realistic and different to believe that they are generated by a scanner.)
Maybe this is a known bug in DNS servers?
If someone is exploiting it for some other reason - for which?

A few sample requests follow.

#1)

datetime: 14/06/2000 21:34:41

SERVER_NAME:www.lwn.net
QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3
Accept: www/source, text/html, video/mpeg, image/jpeg,
image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*,
application/postscript
Host: www.lwn.net
User-Agent: EmailSiphon
Cookie: jrunsessionid=96100716990480607; path=/
REMOTE_ADDR: [yyy.yyy.yyy]
REMOTE_HOST: 193.251.45.224
REMOTE_PORT: 2410
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#2)

datetime: 13/06/2000 05:17:21


SERVER_NAME:community.cnn.com
QUERY_STRING: 404;http://community.cnn.com/cgi-bin/WebX?14@128.EMbcc5YmsuQ^0@.ee7b4aa/98809
Accept: www/source, text/html, video/mpeg, image/jpeg,
image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*,
application/postscript
Host: community.cnn.com
User-Agent: Mozilla/b0.4
Cookie: WEBTRENDS_ID=167.206.58.40-3717060432.29349083; expires=Fri,
31-Dec-2010 00:00:00 GMT; path=/
REMOTE_ADDR: [xxx.xxx.xxx.xxx]
REMOTE_HOST: [xxx.xxx.xxx.xxx]
REMOTE_PORT: 2938
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#3)
datetime: 14/06/2000 07:29:27

SERVER_NAME:chineseculture.about.com
QUERY_STRING: 404;http://chineseculture.about.com/library/chinese/arts/library/extra/idiom/blidiom.htm
Accept: www/source, text/html, video/mpeg, image/jpeg,
image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*,
application/postscript
Host: chineseculture.about.com
User-Agent: Mozilla/3.Mozilla/2.01 (Win95; I)
Cookie: session-id-time=961574400; path=/; domain=.amazon.com;
expires=Wednesday, 21-Jun-2000 08:00:00 GMT
REMOTE_ADDR: [zzz.zzz.zzz.zzz]
REMOTE_HOST: [zzz.zzz.zzz.zzz]
REMOTE_PORT: 2895
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

--
Best Regards
Vladimir Ivaschenko
Francoudi & Stephanou Ltd.
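An added example, not code from the original post or from either poster's servers: a small Python script that parses 404-handler records in the layout of the samples above, flags every request whose Host header is not one of our own names, and then counts how many distinct foreign hosts each source address asked for. That last step is the check the thread is circling around: a browser that picked the wrong IP for one site keeps asking for that one host, while a proxy scanner tries many unrelated targets through the same server. OUR_HOSTS and the records in SAMPLE_LOG are assumptions constructed for the example (two foreign hostnames and one source address are reused from the samples in the post).

```python
"""Flag 404-handler records whose Host header names a server we do not run.

Added example, not code from the post or the servers it describes. Records
are expected in the post's custom-404 dump layout: one field per line
(datetime, SERVER_NAME, QUERY_STRING in the IIS "404;<original URL>" form,
Host, User-Agent, REMOTE_HOST), records separated by a blank line.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the hostnames this server legitimately answers for.
OUR_HOSTS = {"www.example.cz", "example.cz"}

# Constructed records in the layout of the post's samples (not real log data).
SAMPLE_LOG = """\
datetime: 14/06/2000 21:34:41
SERVER_NAME:www.lwn.net
QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3
Host: www.lwn.net
User-Agent: EmailSiphon
REMOTE_HOST: 193.251.45.224

datetime: 14/06/2000 21:36:10
SERVER_NAME:www.lwn.net
QUERY_STRING: 404;http://www.lwn.net/daily/
Host: www.lwn.net:80
User-Agent: EmailSiphon
REMOTE_HOST: 193.251.45.224

datetime: 14/06/2000 21:40:02
SERVER_NAME:www.example.cz
QUERY_STRING: 404;http://www.example.cz/missing/page.html
Host: www.example.cz
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
REMOTE_HOST: 10.0.0.7

datetime: 14/06/2000 21:41:15
SERVER_NAME:community.cnn.com
QUERY_STRING: 404;http://community.cnn.com/cgi-bin/WebX?14@128
Host: community.cnn.com
User-Agent: Mozilla/b0.4
REMOTE_HOST: 10.0.0.5

datetime: 14/06/2000 21:41:16
SERVER_NAME:chineseculture.about.com
QUERY_STRING: 404;http://chineseculture.about.com/library/extra/idiom/blidiom.htm
Host: chineseculture.about.com
User-Agent: Mozilla/b0.4
REMOTE_HOST: 10.0.0.5
"""


def parse_records(text):
    """Split a blank-line separated dump into dicts of field -> value."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def requested_host(rec):
    """Hostname the client asked for, from the Host header without any :port.

    Falls back to the hostname inside the IIS "404;<url>" query string when
    no Host header was sent (e.g. HTTP/1.0 clients).
    """
    host = rec.get("Host", "").strip()
    if host:
        # urlsplit handles "name:port" and bracketed IPv6 literals for us.
        return urlsplit("//" + host).hostname or host.lower()
    query = rec.get("QUERY_STRING", "")
    url = query.split(";", 1)[1] if ";" in query else ""
    return (urlsplit(url).hostname or "").lower()


def is_foreign(rec):
    """True when the request was meant for a server we do not run."""
    return requested_host(rec) not in OUR_HOSTS


def foreign_hosts_by_source(records):
    """Map each source address to the set of foreign hosts it asked for."""
    by_source = defaultdict(set)
    for rec in records:
        if is_foreign(rec):
            by_source[rec.get("REMOTE_HOST", "?")].add(requested_host(rec))
    return dict(by_source)


def probable_scanners(records, min_distinct_hosts=2):
    """Sources that asked for several unrelated foreign hosts.

    Heuristic only: a client that resolved one site to our address repeats
    requests for that single host, while an open-proxy scan cycles through
    many targets. Tune min_distinct_hosts to the volume you actually see.
    """
    return {
        src for src, hosts in foreign_hosts_by_source(records).items()
        if len(hosts) >= min_distinct_hosts
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for src, hosts in sorted(foreign_hosts_by_source(recs).items()):
        print(f"{src}: {len(hosts)} foreign host(s): {', '.join(sorted(hosts))}")
    print("probable scanners:", sorted(probable_scanners(recs)))
```

Run it against a real dump by replacing SAMPLE_LOG with the handler's output and OUR_HOSTS with every name and IP your server answers for; a single source showing up with many distinct foreign hosts is the pattern to look at first, while one source repeating one host is what a misdirected client looks like.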


