Subject: foreign HTTP requests
From: Vladimir Ivaschenko (hazard.bsnCYP.MAKS.NET)
Date: Thu Jun 15 2000 - 01:21:33 CDT


Hello all,

I installed a "404" handler on our web servers and since then I see
something that I cannot 100% explain: several times per day we get
requests for a totally different web server, e.g. a request to
a valid URL on lwn.net, sometimes to some Java class on some server, etc.
Requests are received from different IPs, different User-Agents, sometimes
from proxy IPs and so on. Often the User-Agents are strange, but
otherwise the headers don't look like they were spoofed.

Can this be scanning for open proxies? (The headers look too realistic and
different to believe that they are generated by a scanner.)
Maybe this is a known bug in DNS servers?
If someone is exploiting it for some other reason, for which?

A few sample requests follow.

#1)

datetime: 14/06/2000 21:34:41

SERVER_NAME:www.lwn.net
QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3
Accept: www/source, text/html, video/mpeg, image/jpeg,
image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*,
application/postscript
Host: www.lwn.net
User-Agent: EmailSiphon
Cookie: jrunsessionid=96100716990480607; path=/
REMOTE_ADDR: [yyy.yyy.yyy]
REMOTE_HOST: 193.251.45.224
REMOTE_PORT: 2410
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#2)

datetime: 13/06/2000 05:17:21

SERVER_NAME:community.cnn.com
QUERY_STRING:
404;128.EMbcc5YmsuQ^0.ee7b4aa/98809">http://community.cnn.com/cgi-bin/WebX?14128.EMbcc5YmsuQ^0.ee7b4aa/98809
Accept: www/source, text/html, video/mpeg, image/jpeg,
image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*,
application/postscript
Host: community.cnn.com
User-Agent: Mozilla/b0.4
Cookie: WEBTRENDS_ID=167.206.58.40-3717060432.29349083; expires=Fri,
31-Dec-2010 00:00:00 GMT; path=/
REMOTE_ADDR: [xxx.xxx.xxx.xxx]
REMOTE_HOST: [xxx.xxx.xxx.xxx]
REMOTE_PORT: 2938
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

#3)

datetime: 14/06/2000 07:29:27

SERVER_NAME:chineseculture.about.com
QUERY_STRING:
404;http://chineseculture.about.com/library/chinese/arts/library/extra/idiom/blidiom.htm
Accept: www/source, text/html, video/mpeg, image/jpeg,
image/x-tiff,image/x-rgb, image/x-xbm, image/gif, */*,
application/postscript
Host: chineseculture.about.com
User-Agent: Mozilla/3.Mozilla/2.01 (Win95; I)
Cookie: session-id-time=961574400; path=/; domain=.amazon.com;
expires=Wednesday, 21-Jun-2000 08:00:00 GMT
REMOTE_ADDR: [zzz.zzz.zzz.zzz]
REMOTE_HOST: [zzz.zzz.zzz.zzz]
REMOTE_PORT: 2895
HTTP_PROXY_CONNECTION:
HTTP_REFERER (forDirectCall):
REQUEST_METHOD (forDirectCall): GET

--
Best Regards
Vladimir Ivaschenko
Francoudi & Stephanou Ltd.
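Added example (not part of the original post or the poster's handler): a small detector in Python that reads records in the same layout as the 404-handler dumps above and flags requests whose Host header or absolute URL names a site this server does not host, which is the pattern an open-proxy probe leaves. The hostnames in OUR_HOSTS, the record layout and the two sample records are assumptions constructed for the example.

```python
"""Flag 404-handler records whose Host/URL name a site we do not serve."""
import re
from collections import Counter

# Hostnames this server legitimately answers for (assumption; set to your own).
OUR_HOSTS = {"www.example.com", "example.com"}

# Constructed sample records in the layout of the 404-handler dumps above;
# the remote address is from the RFC 5737 documentation range.
SAMPLE_LOG = """\
SERVER_NAME:www.lwn.net
QUERY_STRING: 404;http://www.lwn.net/daily/ssh.php3
Host: www.lwn.net
User-Agent: EmailSiphon
REMOTE_HOST: 192.0.2.10

SERVER_NAME:www.example.com
QUERY_STRING: 404;http://www.example.com/missing.html
Host: www.example.com
User-Agent: Mozilla/4.0
REMOTE_HOST: 192.0.2.20
"""


def parse_records(text):
    """Split a dump into blank-line-separated records of lowercased header -> value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # lines without a colon are wrapped continuations; ignore them
                rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records


def is_foreign(rec, our_hosts=OUR_HOSTS):
    """True when the Host header or the requested absolute URL names another site."""
    host = rec.get("host", "").split(":")[0].lower()
    url = rec.get("query_string", "").split(";", 1)[-1]  # strip the "404;" prefix
    m = re.match(r"https?://([^/:]+)", url)
    url_host = m.group(1).lower() if m else host
    return bool(host) and (host not in our_hosts or url_host not in our_hosts)


def foreign_summary(records, our_hosts=OUR_HOSTS):
    """Count foreign-host requests by (remote host, User-Agent) for triage."""
    counts = Counter()
    for rec in records:
        if is_foreign(rec, our_hosts):
            counts[(rec.get("remote_host", "?"), rec.get("user-agent", "?"))] += 1
    return counts
```

A steady trickle of such hits from many sources, each for a different third-party site, is consistent with proxy probing rather than a DNS fault, so the summary by remote host and User-Agent is the first thing to look at.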