Security Incidents mailing list archives

Re: Hiding the source of the web server scan


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Fri, 18 May 2001 07:49:46 +0200 (CEST)

On Thu, 17 May 2001, Bobby, Paul wrote:

> Can anyone tell me what tool is used to accomplish the following?
>
> The port scans I see for web servers are followed up with the following
> series of commands:
>
> GET http://www.intel.com/ HTTP/1.1\r\n
> Host: www.intel.com \r\n
> Accept: */*\r\n
> Pragma: no-cache:\r\n
> User-Agent: Mozilla/4.0\r\n
> \r\n
>
> www.intel.com is sometimes replaced with www.yahoo.com or whatever address.

So you run the webservers for www.intel.com and/or www.yahoo.com?

> The port scan itself is of course detected by my perimeter security, the web
> server log I presume always logs that the source was www.intel.com.

Wrong assumption. The Host: www.intel.com line is to indicate the virtual
server you want to reach with the get command.

Sounds like someone is trying to use your website as a proxy.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.
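
The proxy probing described in this message can be picked out of an access log by looking for request targets that name a host the server does not serve. The following is an added example, not part of the original post; the `LOCAL_HOSTS` values, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately serves (placeholder values).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Common/Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

def foreign_host(method, target):
    """Return the host named in the request target if it is not ours, else None."""
    if method == "CONNECT":                  # authority-form: host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:                    # absolute-form: scheme://host/path
        host = urlsplit(target).hostname or ""
    else:                                    # origin-form: ordinary request
        return None
    host = host.lower().rstrip(".")
    return None if host in LOCAL_HOSTS else host

def proxy_probes(lines):
    """Map client address -> list of (foreign host, status) proxy attempts."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = foreign_host(m["method"], m["target"])
        if host:
            hits[m["client"]].append((host, int(m["status"])))
    return dict(hits)

def answered(hits):
    """Clients whose foreign-host request got a 2xx and so need a closer look."""
    return sorted(c for c, reqs in hits.items() if any(200 <= s < 300 for _, s in reqs))

# Constructed sample log lines (documentation addresses), not from the original post.
SAMPLE = [
    '192.0.2.10 - - [18/May/2001:07:40:01 +0200] "GET http://www.intel.com/ HTTP/1.1" 200 4512',
    '192.0.2.10 - - [18/May/2001:07:40:02 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 404 210',
    '198.51.100.7 - - [18/May/2001:07:41:10 +0200] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [18/May/2001:07:41:11 +0200] "GET http://www.example.org/ HTTP/1.1" 200 1043',
    '203.0.113.5 - - [18/May/2001:07:42:30 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 405 0',
]
```

A 2xx status on a foreign-host request does not by itself prove the server relayed it, since many servers answer such requests with their default virtual host. Compare the response size with the local front page before concluding the server is acting as an open proxy.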

