RE: strange HTTP requests

From: Bill Carlson (wcarlson_at_vh.org)
Date: Wed, 17 Sep 2003 08:29:38 -0500 (CDT)
To: "James C. Slora, Jr." <Jim.Slora@phra.com>

On Tue, 16 Sep 2003, James C. Slora, Jr. wrote:

> Do you have packet captures that you could share?

See attached, tcpdump of a typical pattern. Note, the request itself is
innocent enough. It's the number of hosts doing so that make it
suspicious; 2-3 requests per second from 25000+ unique IPs totaling over 1
million requests in a SIX DAY period. This is after filtering out innocent
requests, such as when one would type vh.org (not www.vh.org) in a
browser. NOTE: MY WEBSERVER IS SUPPOSED TO RETURN A 301 to this request,
that's not the issue.

>
> Have you confirmed that they are not connecting to a virtual host on the
> target computer? vh.org would make a nice name for a renegade virtual
> host installed on a legitimate web server.

I know the webserver in question is clean, I won't discuss the details of
what I've done so far just yet.

> Or maybe there is some spooky covert channel trojan that listens for
> such requests and reads instructions from other portions of the packet.
>
> Paranoid fantasies aside, full packets and server responses might give
> some more clues.

Again, see attached. I haven't been able to confirm or deny the traffic is
spoofed.

Later,

Bill Carlson

-- 
Systems Administrator    wcarlson@vh.org      | Anything is possible,
Virtual Hospital      http://www.vh.org/      | given time and money.
University of Iowa Hospitals and Clinics      |
Opinions are mine, not my employer's.         |
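The filtering Bill describes (counting bare-hostname hits while discarding the ones a real browser would make) can be reproduced from web server logs rather than a packet capture. The script below is an added example, not part of the original thread or of anything at vh.org; it assumes an Apache-style combined log with a leading virtual-host field, uses constructed sample lines, and treats a client as "innocent" if it followed the 301 to www.vh.org (a heuristic assumed here, not stated in the post).

```python
import re
from datetime import datetime

# Assumed format: "<vhost> <ip> - - [ts] \"request\" status bytes \"referer\" \"ua\""
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample log lines (not real traffic): 10.0.0.4 behaves like a
# browser and follows the redirect; the other clients only ever hit vh.org.
SAMPLE_LOG = """\
vh.org 10.0.0.1 - - [16/Sep/2003:10:00:00 -0500] "GET / HTTP/1.0" 301 233 "-" "-"
vh.org 10.0.0.2 - - [16/Sep/2003:10:00:00 -0500] "GET / HTTP/1.0" 301 233 "-" "-"
vh.org 10.0.0.3 - - [16/Sep/2003:10:00:01 -0500] "GET / HTTP/1.0" 301 233 "-" "-"
vh.org 10.0.0.4 - - [16/Sep/2003:10:00:01 -0500] "GET / HTTP/1.0" 301 233 "-" "Mozilla/4.0"
www.vh.org 10.0.0.4 - - [16/Sep/2003:10:00:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
vh.org 10.0.0.5 - - [16/Sep/2003:10:00:02 -0500] "GET / HTTP/1.0" 301 233 "-" "-"
vh.org 10.0.0.1 - - [16/Sep/2003:10:00:03 -0500] "GET / HTTP/1.0" 301 233 "-" "-"
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(lines, bare_host="vh.org", canonical_host="www.vh.org"):
    """Count bare-host hits from clients that never followed the 301."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    followed = {r["ip"] for r in records if r["vhost"] == canonical_host}
    bare = [r for r in records if r["vhost"] == bare_host]
    suspicious = [r for r in bare if r["ip"] not in followed]
    if not suspicious:
        return {"requests": 0, "unique_ips": 0, "rate_per_sec": 0.0}
    stamps = [r["ts"] for r in suspicious]
    span = (max(stamps) - min(stamps)).total_seconds()
    return {
        "requests": len(suspicious),
        "unique_ips": len({r["ip"] for r in suspicious}),
        "rate_per_sec": len(suspicious) / max(span, 1.0),  # avoid divide by zero
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

On a real six-day log the interesting signal is the unique_ips figure growing while rate_per_sec stays flat, which is the pattern the post describes.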