"Bobby, Paul" <paul.bobbyat_private> writes:

> www.intel.com is sometimes replaced with www.yahoo.com or whatever address.
>
> The port scan itself is of course detected by my perimeter security, the web
> server log I presume always logs that the source was www.intel.com.
>
> No big deal, just that I'm seeing a lot of these recently.

Well, I can't tell you what the tool is, but the point of this scan is not to hide the scan's source. The point of the scan is to look for open web proxies - the commands that you're seeing are a request to proxy a connection through to the named site.

When I first saw this tool in action, it was requesting proxied access to http://www.s3.com/. Most recently, I've seen someone going through with a request for http://www.tauma.com/hunter.htm - in fact, if you search Google for that URL, you'll find hits at several places that have their error logs or monthly stats accessible through the web. I wonder if the person ultimately behind the scan might not have access to the web server logs of the machine www.tauma.com.

In this same general vein, but speaking of a different tool, I've also noticed a very interesting proxy-detection strategy which on my end appears as a request for the URL http://65.6.201.54:8081/2287995928 - note that the machine 65.6.201.54 is also the machine sending the request and that the number 2287995928, when converted to hex and after having its byte order reversed, is my IP address. Presumably this allows the scanner to simply collect the log results later, and even if my machine should happen to proxy through something else, they have a record of my IP address.
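Added example, not part of the original post: a small Python log scanner that flags origin-server log lines whose request target is an absolute URL (the open-proxy probe described above) and, for a purely numeric path such as the one quoted, decodes the integer as an IPv4 address in both byte orders so it can be compared with the server's own address. The log lines are constructed for the example; the own-address value 24.12.96.136 is simply what 2287995928 decodes to with reversed byte order.

```python
import re
import socket
import struct
from typing import Optional

# Combined/Common Log Format prefix; only the request line matters here.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
# A request target of the form http://host[:port]/path on an origin server
# is a proxy-style request, i.e. someone testing whether we relay traffic.
ABS_URL_RE = re.compile(
    r'^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$'
)

# Constructed sample log lines (timestamps and 192.0.2.x clients are made up).
SAMPLE_LOG = [
    '65.6.201.54 - - [15/May/2001:10:01:02 -0700] '
    '"GET http://65.6.201.54:8081/2287995928 HTTP/1.0" 404 210',
    '192.0.2.7 - - [15/May/2001:10:01:05 -0700] '
    '"GET http://www.tauma.com/hunter.htm HTTP/1.0" 404 210',
    '192.0.2.8 - - [15/May/2001:10:01:09 -0700] "GET /index.html HTTP/1.1" 200 1024',
]
OWN_IP = "24.12.96.136"  # 2287995928 = 0x88600C18, bytes reversed -> 24.12.96.136

def decode_ip_tag(n: int) -> dict:
    """Interpret a 32-bit integer as an IPv4 address in network and reversed byte order."""
    return {
        "big_endian": socket.inet_ntoa(struct.pack("!I", n)),
        "little_endian": socket.inet_ntoa(struct.pack("<I", n)),
    }

def classify(line: str, own_ip: str) -> Optional[dict]:
    """Parse one log line; report proxy probes and any embedded tag that names us."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"client": m["client"], "target": m["target"], "proxy_probe": False,
           "target_host": None, "loopback_to_scanner": False, "tagged_ip": None}
    u = ABS_URL_RE.match(m["target"])
    if not u:
        return rec                      # ordinary path request, not a probe
    rec["proxy_probe"] = True
    rec["target_host"] = u["host"]
    rec["loopback_to_scanner"] = u["host"] == m["client"]   # scanner proxies to itself
    path = (u["path"] or "/").lstrip("/")
    if path.isdigit() and int(path) < 2 ** 32:
        cands = decode_ip_tag(int(path))
        rec["tagged_ip"] = next((ip for ip in cands.values() if ip == own_ip), None)
    return rec

def scan(lines, own_ip: str = OWN_IP) -> list:
    """Return the records for every proxy-style request in the log."""
    recs = (classify(l, own_ip) for l in lines)
    return [r for r in recs if r and r["proxy_probe"]]
```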
This archive was generated by hypermail 2b30 : Fri May 18 2001 - 12:46:40 PDT