strange HTTP requests

From: Bill Carlson (wcarlson_at_vh.org)
Date: 08/25/03

    Date: Mon, 25 Aug 2003 10:12:56 -0500 (CDT)
    To: incidents@securityfocus.com
    
    

    Hey all,

    I've been seeing a lot of server requests for the last several months;
    they look like this:

    GET / HTTP/1.1
    Host: vh.org
    Cache-Control: no-cache

    That's it. The particular config on our servers returns a 301 (perm
    redirect), which is why I noticed these requests; half our traffic
    being 301s spells trouble.

    The traffic doesn't appear to be spoofed from what I've gathered so far
    after talking to a couple of sites.

    The traffic pattern goes like this:

    Remote  Local
    ------------------
    SYN
            SYN-ACK
    ACK
    Request
            ACK
            301 Reply
    RST
    RST
    RST
    -----------------

    For most IPs, this repeats every 5 minutes or so, out of a pool of 6000
    addresses or so.

    Anyone seen anything similar or have an idea what's behind the traffic?

    Thanks,

    Bill Carlson

    -- 
    Systems Administrator    wcarlson@vh.org      | Anything is possible,
    Virtual Hospital      http://www.vh.org/      | given time and money.
    University of Iowa Hospitals and Clinics      |       
    Opinions are mine, not my employer's.         | 