On Thu, 17 May 2001, Bobby, Paul wrote:

> Can anyone tell me what tool is used to accomplish the following?
>
> The port scans I see for web servers are followed up with the following
> series of commands:
>
> GET http://www.intel.com/ HTTP/1.1\r\n
> Host: www.intel.com \r\n
> Accept: */*\r\n
> Pragma: no-cache:\r\n
> User-Agent: Mozilla/4.0\r\n
> \r\n
>
> www.intel.com is sometimes replaced with www.yahoo.com or whatever address.

So you run the webservers for www.intel.com and/or www.yahoo.com?

> The port scan itself is of course detected by my perimeter security, the web
> server log I presume always logs that the source was www.intel.com.

Wrong assumption. The Host: www.intel.com line is to indicate the virtual
server you want to reach with the get command.

Sounds like someone is trying to use your website as a proxy.

Hugo.

--
All email send to me is bound to the rules described on my homepage.
hvdkooijat_private http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.
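The kind of request discussed in the message above (a request line carrying an absolute URL for a host the server does not serve) can be picked out of an access log. This is an added example, not part of the original thread: it assumes Common Log Format, and `LOCAL_HOSTS`, `find_proxy_probes` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately serves (assumption for the example).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Common Log Format: src ident user [time] "METHOD target proto" status bytes
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)

def find_proxy_probes(lines, local_hosts=LOCAL_HOSTS):
    """Return one dict per request that asks this server to reach a foreign host."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        method, target = m["method"], m["target"]
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0].lower()      # authority-form: host:port
        elif target.lower().startswith(("http://", "https://")):
            host = (urlsplit(target).hostname or "").lower()  # absolute-form
        else:
            continue  # origin-form ("/path"): an ordinary request
        if host in local_hosts:
            continue  # absolute-form naming one of our own hosts is legitimate
        status = int(m["status"])
        # A 2xx/3xx does not prove the request was relayed (the default virtual
        # host may have answered), but those are the entries to check first.
        hits.append({"src": m["src"], "time": m["ts"], "method": method,
                     "wanted_host": host, "status": status, "review": status < 400})
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/May/2001:09:14:02 -0700] "GET http://www.intel.com/ HTTP/1.1" 200 2890',
    '192.0.2.10 - - [17/May/2001:09:14:03 -0700] "GET http://www.yahoo.com/ HTTP/1.1" 403 210',
    '198.51.100.7 - - [17/May/2001:09:15:40 -0700] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [17/May/2001:09:15:41 -0700] "GET http://www.example.org/about HTTP/1.1" 200 1044',
    '203.0.113.5 - - [17/May/2001:09:20:11 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 405 0',
]

if __name__ == "__main__":
    for hit in find_proxy_probes(SAMPLE_LOG):
        print(hit)
```

The logged source address is the client that connected; the host named in the request line or `Host:` header is only the destination it asked for.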
This archive was generated by hypermail 2b30 : Fri May 18 2001 - 12:20:28 PDT