Thanks for the feedback, people. You're right, the Host: header is usually "www", but since NetCap can add X-Forwarded-For: and Via: headers, maybe it can correct the Host: if it is incorrect.

I didn't see any other access like that yet.

Ciao

---------------------------------------------------------------
Maxime Ducharme
Network Administrator, Programmer
E-Mail : maxime@pandore-design.com
PGP public key : http://pandore-design.com/pgp/maxime.asc
Pandore-Design [http://www.pandore-design.com]
Tel : (866) 961-9321
Fax : (866) 961-9943

----- Original Message -----
From: "Joao Gouveia" <jgouveiaat_private>
To: <incidentsat_private>
Sent: Friday, June 28, 2002 11:52 AM
Subject: Re: Someone looking for CodeRed infected boxes ?

> Hi,
>
> It would, very obviously, be a transparent proxy.
> But, the weird thing here, is that the request has a valid host header,
> unlike nimda/code red.
>
> JG
>
> ----- Original Message -----
> From: "Cliff Albert" <cliffat_private>
> To: "Maxime Ducharme" <maxime@pandore-design.com>
> Cc: <incidentsat_private>
> Sent: Thursday, June 27, 2002 7:20 AM
> Subject: Re: Someone looking for CodeRed infected boxes ?
>
>
> > On Wed, Jun 26, 2002 at 10:18:36AM -0400, Maxime Ducharme wrote:
> >
> > > 2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1 65.94.25.135 - - -
> > > 2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0 HTTP/1.1 65.94.25.135 - - -
> > >
> > > Sent packet shows :
> > >
> > > GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ HTTP/1.1
> > > Host: 65.94.25.135
> > > Connection: keep-alive
> > > Accept: */*
> > > X-Forwarded-For: 212.179.220.111
> > > Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3)
> > >
> > > The proxy is relaying itself ? not much sense
> > > The worm generated header on-the-fly ?
> >
> > The NetCache proxyserver is a hardware-based proxyserver from NetApp
> > which usually runs in transparent mode. Thus also proxying nimda/codered
> > runs.
> >
> > --
> > Cliff Albert | RIPE: CA3348-RIPE | http://oisec.net/
> > cliffat_private | 6BONE: CA2-6BONE |

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
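The thread's puzzle is that the IIS log records the NetCache proxy as the client, while the proxy's own X-Forwarded-For: header names that same address, so the header adds no attribution. The script below is an added example, not code from anyone in the thread: it parses the two log lines and the captured request as posted, flags the cmd.exe / encoded-traversal probes that Nimda and Code Red II follow-on scanners send, and reads Host:, Via: and X-Forwarded-For: to work out who actually originated the request. It assumes the log uses the standard IIS W3C extended field order (an assumption about the poster's server), and it applies the one captured request's headers to both log entries, since only one packet was posted.

```python
"""Triage IIS W3C log lines and a captured HTTP request that arrived via a
transparent proxy, separating the TCP peer (the proxy) from the origin client
the proxy claims in X-Forwarded-For.

Added example for the mailing-list thread; not code from any poster.
Assumption: the log uses the default IIS W3C extended field order listed in
LOG_FIELDS (the thread does not state the server's logging configuration).
"""
import re
from urllib.parse import unquote

# Assumed IIS W3C extended-log field order (18 fields, matching the log lines).
LOG_FIELDS = (
    "date time c-ip cs-username s-ip s-port cs-method cs-uri-stem "
    "cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version "
    "cs-host cs-user-agent cs-cookie cs-referer"
).split()

# Log lines exactly as posted in the thread (not constructed).
LOG_LINES = [
    r"2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /winnt/system32/cmd.exe /c+dir+c:\ 404 2526 206 0 HTTP/1.1 65.94.25.135 - - -",
    r"2002-06-26 09:14:15 212.179.220.111 - 192.168.100.2 80 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 404 2526 209 0 HTTP/1.1 65.94.25.135 - - -",
]

# The request as posted in the thread. The stray second "c:\" before the
# version is reproduced as posted, so the parser takes the method from the
# first token and the version from the last rather than assuming three tokens.
CAPTURED_REQUEST = (
    "GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\\ c:\\ HTTP/1.1\r\n"
    "Host: 65.94.25.135\r\n"
    "Connection: keep-alive\r\n"
    "Accept: */*\r\n"
    "X-Forwarded-For: 212.179.220.111\r\n"
    "Via: 1.1 proxy2 (NetCache NetApp/5.2.1R1D3)\r\n"
    "\r\n"
)

# Directory traversal out of a script directory, or a direct reach for cmd.exe.
PROBE_PATTERN = re.compile(r"(\.\./|/winnt/system32/cmd\.exe)", re.IGNORECASE)


def decode_path(stem: str) -> str:
    """Percent-decode twice (worms encode '.' as %2e, sometimes doubly) and
    fold backslashes to slashes so one pattern covers both separators."""
    return unquote(unquote(stem)).replace("\\", "/")


def is_worm_probe(stem: str) -> bool:
    """True when the decoded URI stem matches the Nimda/Code Red II scan shape."""
    return PROBE_PATTERN.search(decode_path(stem)) is not None


def parse_log_line(line: str) -> dict:
    """Split one W3C log line into a field->value dict; reject malformed lines."""
    tokens = line.split()
    if len(tokens) != len(LOG_FIELDS):
        raise ValueError(f"expected {len(LOG_FIELDS)} fields, got {len(tokens)}")
    return dict(zip(LOG_FIELDS, tokens))


def parse_request(raw: str) -> dict:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    tokens = request_line.split()
    headers = {}
    for header in header_lines:
        name, _, value = header.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": tokens[0],
        "target": " ".join(tokens[1:-1]),
        "version": tokens[-1],
        "headers": headers,
    }


def attribute_origin(peer_ip: str, headers: dict) -> dict:
    """Decide who originated the request: the first X-Forwarded-For hop if
    present, otherwise the TCP peer. Flag the case where the proxy names
    itself, which is the oddity discussed in the thread."""
    forwarded = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    origin = forwarded[0] if forwarded else peer_ip
    return {
        "peer": peer_ip,
        "forwarded_for": forwarded,
        "via": headers.get("via"),
        "host": headers.get("host"),
        "origin": origin,
        "xff_equals_peer": origin == peer_ip,
    }


def triage(log_lines=LOG_LINES, raw_request=CAPTURED_REQUEST) -> list:
    """Return one finding per log line that looks like a worm probe."""
    request = parse_request(raw_request)
    findings = []
    for line in log_lines:
        record = parse_log_line(line)
        if not is_worm_probe(record["cs-uri-stem"]):
            continue
        findings.append({
            "time": f"{record['date']} {record['time']}",
            "stem": record["cs-uri-stem"],
            "status": int(record["sc-status"]),
            "log_host": record["cs-host"],
            "attribution": attribute_origin(record["c-ip"], request["headers"]),
        })
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

On the thread's data both lines are flagged, the server returned 404 for each, the logged cs-host equals the Host: header (65.94.25.135), and `xff_equals_peer` is True: the proxy at 212.179.220.111 is both the TCP peer and the only X-Forwarded-For hop, so the header gives no independent origin and the source has to be chased through the proxy's operator instead.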
This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 12:30:37 PDT