Security Incidents mailing list archives

Re: Hiding the source of the web server scan
From: Daniel Martin <dtmartin24 () home com>
Date: 18 May 2001 10:15:49 -0400

"Bobby, Paul" <paul.bobby () lmco com> writes:

> www.intel.com is sometimes replaced with www.yahoo.com or whatever address.
>
> The port scan itself is of course detected by my perimeter security, the web
> server log I presume always logs that the source was www.intel.com.
>
> No big deal, just that I'm seeing a lot of these recently.

Well, I can't tell you what the tool is, but the point of this scan is
not to hide the scan's source.  The point of the scan is to look for
open web proxies - the commands that you're seeing are a request to
proxy a connection through to the named site.

When I first saw this tool in action, it was requesting proxied access
to http://www.s3.com/.  Most recently, I've seen someone going through
with a request for http://www.tauma.com/hunter.htm - in fact, if you
search google for that url, you'll find hits at several places that
have their error logs or monthly stats accessible through the web.  I
wonder if the person ultimately behind the scan might not have access
to the webserver logs of the machine www.tauma.com.

In this same general vein, but speaking of a different tool, I've also
noticed a very interesting proxy-detection strategy which on my end
appears as a request for the url http://65.6.201.54:8081/2287995928 -
note that the machine 65.6.201.54 is also the machine sending the
request and that the number 2287995928, when converted to hex and
after having its byte order reversed, is my IP address.  Presumably
this allows the scanner to simply collect the log results later, and
even if my machine should happen to proxy through something else, they
have a record of my IP address.
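An added example (not part of the original post) showing how a defender can pick both probe styles out of a Common Log Format web log: requests for an absolute URL (a proxy attempt, as in the www.intel.com case) and the callback variant where the "site" is the scanner itself and the numeric path is the scanned host's IP stored as a little-endian 32-bit integer, exactly as described above. The log lines are constructed for the example; the number 2287995928 and the address 65.6.201.54 come from the post.

```python
import re
import socket
import struct
from urllib.parse import urlsplit

# Common Log Format: src ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    '65.6.201.54 - - [18/May/2001:10:15:49 -0400] '
    '"GET http://65.6.201.54:8081/2287995928 HTTP/1.0" 404 321',
    '65.6.201.54 - - [18/May/2001:10:16:02 -0400] '
    '"GET http://www.intel.com/ HTTP/1.0" 200 1234',
    '10.0.0.5 - - [18/May/2001:10:16:10 -0400] '
    '"GET /index.html HTTP/1.0" 200 2048',
]


def decode_callback_id(path):
    """Treat a purely numeric path as a 32-bit IP whose bytes were
    reversed (little-endian); return dotted quad, or None if it is not."""
    digits = path.strip("/")
    if not digits.isdigit() or int(digits) > 0xFFFFFFFF:
        return None
    return socket.inet_ntoa(struct.pack("<I", int(digits)))


def classify(line):
    """Return a finding dict for proxy-probe requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not target.startswith(("http://", "https://")):
        return None  # ordinary relative request, not a proxy attempt
    u = urlsplit(target)
    finding = {"src": m.group("src"), "proxy_target": u.hostname,
               "status": int(m.group("status"))}
    # Callback style: target host is the requester; the path carries our IP.
    if u.hostname == m.group("src"):
        finding["encoded_ip"] = decode_callback_id(u.path)
    return finding


def scan(lines):
    """All proxy-probe findings in a log; a 2xx status on one of these is
    worth checking, since it may mean the server actually forwarded it."""
    return [f for f in map(classify, lines) if f is not None]
```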