Hi,

It would, very obviously, be a transparent proxy. But the weird thing here is that the request has a valid Host header, unlike Nimda/Code Red.

JG

----- Original Message -----
From: "Cliff Albert" <cliffat_private>
To: "Maxime Ducharme" <maxime@pandore-design.com>
Cc: <incidentsat_private>
Sent: Thursday, June 27, 2002 7:20 AM
Subject: Re: Someone looking for CodeRed infected boxes ?

> On Wed, Jun 26, 2002 at 10:18:36AM -0400, Maxime Ducharme wrote:
>
> > 2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET
> > /winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1
> > 65.94.25.135 - - -
> > 2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET
> > /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0 HTTP/1.1
> > 65.94.25.135 - - -
> >
> > Sent packet shows:
> >
> > GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1
> > Host: 65.94.25.135
> > Connection: keep-alive
> > Accept: */*
> > X-Forwarded-For: 212.179.220.111
> > Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3)
> >
> > The proxy is relaying itself? Not much sense.
> > The worm generated the header on-the-fly?
>
> The NetCache proxy server is a hardware-based proxy server from NetApp
> which usually runs in transparent mode. Thus it also proxies Nimda/CodeRed
> runs.
>
> --
> Cliff Albert | RIPE: CA3348-RIPE | http://oisec.net/
> cliffat_private | 6BONE: CA2-6BONE |
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
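The thread turns on two things a responder would want to check quickly: whether the IIS log lines are the familiar Nimda/Code Red cmd.exe probe once the `.%2e` encoding is decoded, and what the X-Forwarded-For and Via headers say about who actually sent the request through the transparent NetCache proxy. The script below is an added example written for this archive page; it is not code from any of the posters. The W3C log field order is an assumption that happens to match the 18 columns of the quoted lines, the sample log lines and the captured request are reconstructed here from the thread (with one benign line added), and the request line is taken without the stray trailing `c:\` that the quoted packet shows.

```python
"""Triage IIS log lines and a captured request for cmd.exe directory-traversal
probes and recover the real origin behind a proxy from X-Forwarded-For/Via.
Added example for the thread above; assumptions are marked in comments."""
from urllib.parse import unquote

# Assumed W3C extended-log field order (not stated in the thread); it matches
# the 18 whitespace-separated columns of the quoted lines.
IIS_FIELDS = (
    "date", "time", "c_ip", "cs_username", "s_ip", "s_port", "cs_method",
    "cs_uri_stem", "cs_uri_query", "sc_status", "sc_bytes", "cs_bytes",
    "time_taken", "cs_version", "cs_host", "cs_user_agent", "cs_cookie", "cs_referer",
)

# Constructed sample: the two hits from the thread plus one benign request.
SAMPLE_LOG = """\
2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /winnt/system32/cmd.exe /c+dir+c:\\ 404 2526 206 0 HTTP/1.1 65.94.25.135 - - -
2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\\ 404 2526 209 0 HTTP/1.1 65.94.25.135 - - -
2002-06-26 09:15:01 10.0.0.7 - 192.168.100.2 80 GET /index.html - 200 1024 150 0 HTTP/1.1 65.94.25.135 - - -
"""

# Constructed sample: the captured request as quoted in the thread.
SAMPLE_REQUEST = (
    "GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1\r\n"
    "Host: 65.94.25.135\r\n"
    "Connection: keep-alive\r\n"
    "Accept: */*\r\n"
    "X-Forwarded-For: 212.179.220.111\r\n"
    "Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3)\r\n"
    "\r\n"
)


def parse_iis_line(line):
    """Split one W3C log line into a dict, or return None if the column count is off."""
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def normalize_path(stem):
    """Decode percent-encoding twice (catches %252e double encoding), unify
    separators and case so the traversal shows up as literal '..' segments."""
    decoded = unquote(unquote(stem))
    return decoded.replace("\\", "/").lower()


def is_cmd_exe_probe(stem):
    """True for requests that reach for cmd.exe, via '..' traversal or a direct
    /system32/ path, which is the Nimda/Code Red scan signature in the thread."""
    path = normalize_path(stem)
    return path.endswith("/cmd.exe") and ("/.." in path or "/system32/" in path)


def scan_log(log_text):
    """Return one record per log line that looks like a cmd.exe probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec and is_cmd_exe_probe(rec["cs_uri_stem"]):
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "c_ip": rec["c_ip"],            # peer IIS saw: the proxy if one is in path
                "stem": rec["cs_uri_stem"],
                "decoded_path": normalize_path(rec["cs_uri_stem"]),
                "query": rec["cs_uri_query"],
                "status": rec["sc_status"],     # 404 here: the probe did not succeed
            })
    return hits


def parse_request(raw):
    """Minimal HTTP/1.x request-head parser: request line plus lowercase header map."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def origin_of(req):
    """Recover the client behind a proxy: first X-Forwarded-For entry is the origin
    the proxy claims, Via names the proxy, Host shows the request was not a blind
    worm-style connect (the point JG makes above)."""
    h = req["headers"]
    xff = h.get("x-forwarded-for")
    return {
        "host": h.get("host"),
        "origin": xff.split(",")[0].strip() if xff else None,
        "via": h.get("via"),
        "proxied": xff is not None or "via" in h,
    }


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(origin_of(parse_request(SAMPLE_REQUEST)))
```

Run as-is it flags the two cmd.exe lines (the third, benign one is ignored) and reports origin 212.179.220.111 via `proxy2` with Host 65.94.25.135. Decoding twice matters because the traversal was shipped as `.%2e` here and as `%252e` in other variants of the same scan; matching on the literal request string would miss one or the other. The `c_ip` from the log and the `origin` from X-Forwarded-For are reported side by side on purpose: when they differ you have a proxy in the path, and when they coincide you have the oddity Maxime noticed.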
This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 10:16:37 PDT