Re: strange web traffic

From: Bill Carlson (wcarlsonat_private)
Date: Tue Aug 26 2003 - 08:54:00 PDT


On Tue, 26 Aug 2003, Pall Thayer wrote:

> For the past week and a half or so, I've been noticing several strange
> entries in my webserver access log. Although they appear harmless, the
> volume of the requests worries me a bit. Here's what they look like:
> 
> 218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 
> 65.42.85.131 - - [26/Aug/2003:09:10:10 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 
> 66.190.217.13 - - [26/Aug/2003:09:26:45 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 
> What makes them strange is that when my server receives a request for the
> root file, it should result in five separate requests. A legitimate request
> looks like this:

Do you have a sniffer you can use to show the complete request? That will 
give more info than what's in the logs.

For example, the traffic I'm tracking looks like this with tcpdump -s 1024 
-X for IP 220.240.68.58:

---
12:51:13.899773 220.240.68.58.64871 > 129.255.233.104.80: S [tcp sum ok] 
1422823769:1422823769(0) win 64240 
<mss 960,nop,nop,sackOK> (DF) (ttl 110, id 4256, len 48)
0x0000   4500 0030 10a0 4000 6e06 6f95 dcf0 443a        E..0..@.n.o...D:
0x0010   81ff e968 fd67 0050 54ce 9159 0000 0000        ...h.g.PT..Y....
0x0020   7002 faf0 19b0 0000 0204 03c0 0101 0402        p...............
12:51:13.899801 129.255.233.104.80 > 220.240.68.58.64871: S [tcp sum ok] 
3617005260:3617005260(0) ack 1422823770 win 9600 <mss 960> (DF) (ttl 255, id 60327, len 44)
0x0000   4500 002c eba7 4000 ff06 0391 81ff e968        E..,..@........h
0x0010   dcf0 443a 0050 fd67 d797 1ecc 54ce 915a        ..D:.P.g....T..Z
0x0020   6012 2580 0db3 0000 0204 03c0                  `.%.........
12:51:14.210024 220.240.68.58.64871 > 129.255.233.104.80: . [tcp sum ok] 
1:1(0) ack 1 win 64320 (DF) (ttl 110, id 4258, len 40)
0x0000   4500 0028 10a2 4000 6e06 6f9b dcf0 443a        E..(..@.n.o...D:
0x0010   81ff e968 fd67 0050 54ce 915a d797 1ecd        ...h.g.PT..Z....
0x0020   5010 fb40 4dbb 0000 0000 0000 0000             P..@M.........
12:51:14.229005 220.240.68.58.64871 > 129.255.233.104.80: P [tcp sum ok] 
1:58(57) ack 1 win 64320 (DF) (ttl 110, id 4259, len 97)
0x0000   4500 0061 10a3 4000 6e06 6f61 dcf0 443a        E..a..@.n.oa..D:
0x0010   81ff e968 fd67 0050 54ce 915a d797 1ecd        ...h.g.PT..Z....
0x0020   5018 fb40 f591 0000 4745 5420 2f20 4854        P..@....GET./.HT
0x0030   5450 2f31 2e31 0d0a 486f 7374 3a20 7668        TP/1.1..Host:.vh
0x0040   2e6f 7267 0d0a 4361 6368 652d 436f 6e74        .org..Cache-Cont
0x0050   726f 6c3a 206e 6f2d 6361 6368 650d 0a0d        rol:.no-cache...
0x0060   0a                                             .
12:51:14.229031 129.255.233.104.80 > 220.240.68.58.64871: . [tcp sum ok] 
1:1(0) ack 58 win 9600 (DF) (ttl 255, id 60328, len 40)
0x0000   4500 0028 eba8 4000 ff06 0394 81ff e968        E..(..@........h
0x0010   dcf0 443a 0050 fd67 d797 1ecd 54ce 9193        ..D:.P.g....T...
0x0020   5010 2580 2343 0000                            P.%.#C..
12:51:14.234213 129.255.233.104.80 > 220.240.68.58.64871: P [tcp sum ok] 
1:425(424) ack 58 win 9600 (DF) (ttl 255, id 60329, len 464)
0x0000   4500 01d0 eba9 4000 ff06 01eb 81ff e968        E.....@........h
0x0010   dcf0 443a 0050 fd67 d797 1ecd 54ce 9193        ..D:.P.g....T...
0x0020   5018 2580 0656 0000 4854 5450 2f31 2e31        P.%..V..HTTP/1.1
0x0030   2033 3031 204d 6f76 6564 2050 6572 6d61        .301.Moved.Perma
0x0040   6e65 6e74 6c79 0d0a 4461 7465 3a20 5765        nently..Date:.We
0x0050   642c 2033 3020 4a75 6c20 3230 3033 2031        d,.30.Jul.2003.1
0x0060   373a 3531 3a31 3420 474d 540d 0a53 6572        7:51:14.GMT..Ser
0x0070   7665 723a 2041 7061 6368 650d 0a4c 6f63        ver:.Apache..Loc
0x0080   6174 696f 6e3a 2068 7474 703a 2f2f 7777        ation:.http://ww
0x0090   772e 7668 2e6f 7267 2f0d 0a54 7261 6e73        w.vh.org/..Trans
0x00a0   6665 722d 456e 636f 6469 6e67 3a20 6368        fer-Encoding:.ch
0x00b0   756e 6b65 640d 0a43 6f6e 7465 6e74 2d54        unked..Content-T
0x00c0   7970 653a 2074 6578 742f 6874 6d6c 3b20        ype:.text/html;.
0x00d0   6368 6172 7365 743d 6973 6f2d 3838 3539        charset=iso-8859
0x00e0   2d31 0d0a 0d0a 6465 200d 0a3c 2144 4f43        -1....de...<!DOC
0x00f0   5459 5045 2048 544d 4c20 5055 424c 4943        TYPE.HTML.PUBLIC
0x0100   2022 2d2f 2f49 4554 462f 2f44 5444 2048        ."-//IETF//DTD.H
0x0110   544d 4c20 322e 302f 2f45 4e22 3e0a 3c48        TML.2.0//EN">.<H
0x0120   544d 4c3e 3c48 4541 443e 0a3c 5449 544c        TML><HEAD>.<TITL
0x0130   453e 3330 3120 4d6f 7665 6420 5065 726d        E>301.Moved.Perm
0x0140   616e 656e 746c 793c 2f54 4954 4c45 3e0a        anently</TITLE>.
0x0150   3c2f 4845 4144 3e3c 424f 4459 3e0a 3c48        </HEAD><BODY>.<H
0x0160   313e 4d6f 7665 6420 5065 726d 616e 656e        1>Moved.Permanen
0x0170   746c 793c 2f48 313e 0a54 6865 2064 6f63        tly</H1>.The.doc
0x0180   756d 656e 7420 6861 7320 6d6f 7665 6420        ument.has.moved.
0x0190   3c41 2048 5245 463d 2268 7474 703a 2f2f        <A.HREF="http://
0x01a0   7777 772e 7668 2e6f 7267 2f22 3e68 6572        www.vh.org/">her
0x01b0   653c 2f41 3e2e 3c50 3e0a 3c2f 424f 4459        e</A>.<P>.</BODY
0x01c0   3e3c 2f48 544d 4c3e 0a0d 0a30 0d0a 0d0a        ></HTML>...0....
12:51:14.244145 220.240.68.58.64871 > 129.255.233.104.80: R [tcp sum ok] 
1422823827:1422823827(0) win 0 (DF) (ttl 110, id 4261, len 40)
0x0000   4500 0028 10a5 4000 6e06 6f98 dcf0 443a        E..(..@.n.o...D:
0x0010   81ff e968 fd67 0050 54ce 9193 d797 1ecd        ...h.g.PT.......
0x0020   5004 0000 48cf 0000 0000 0000 0000             P...H.........
12:51:14.533515 220.240.68.58.64871 > 129.255.233.104.80: R [tcp sum ok] 
1422823827:1422823827(0) win 0 (ttl 110, id 4262, len 40)
0x0000   4500 0028 10a6 0000 6e06 af97 dcf0 443a        E..(....n.....D:
0x0010   81ff e968 fd67 0050 54ce 9193 54ce 9193        ...h.g.PT...T...
0x0020   5004 0000 58d2 0000 0000 0000 0000             P...X.........
12:51:14.563018 220.240.68.58.64871 > 129.255.233.104.80: R [tcp sum ok] 
1422823827:1422823827(0) win 0 (ttl 110, id 4263, len 40)
0x0000   4500 0028 10a7 0000 6e06 af96 dcf0 443a        E..(....n.....D:
0x0010   81ff e968 fd67 0050 54ce 9193 54ce 9193        ...h.g.PT...T...
0x0020   5004 0000 58d2 0000 0000 0000 0000             P...X.........
---


You may be seeing the same sort of thing with the agent string hard coded.


Bill Carlson
-- 
Systems Administrator    wcarlsonat_private      | Anything is possible,
Virtual Hospital      http://www.vh.org/      | given time and money.
University of Iowa Hospitals and Clinics      |       
Opinions are mine, not my employer's.         | 
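As an added example (not part of Bill's post or anything from vh.org), the Python below decodes a tcpdump -X hex dump like the one above back into the HTTP request, so the full set of headers the client sent can be inspected rather than inferred from the access log; in this capture that is only Host and Cache-Control. The rows in CAPTURE are copied from the client's data packet in the post; the IPv4/TCP header walk and the HTTP split are generic.

```python
import re

# Constructed from the client's data packet in the tcpdump -s 1024 -X output
# above: offset column, hex words one space apart, then the ASCII gutter.
CAPTURE = """\
0x0000   4500 0061 10a3 4000 6e06 6f61 dcf0 443a        E..a..@.n.oa..D:
0x0010   81ff e968 fd67 0050 54ce 915a d797 1ecd        ...h.g.PT..Z....
0x0020   5018 fb40 f591 0000 4745 5420 2f20 4854        P..@....GET./.HT
0x0030   5450 2f31 2e31 0d0a 486f 7374 3a20 7668        TP/1.1..Host:.vh
0x0040   2e6f 7267 0d0a 4361 6368 652d 436f 6e74        .org..Cache-Cont
0x0050   726f 6c3a 206e 6f2d 6361 6368 650d 0a0d        rol:.no-cache...
0x0060   0a                                             .
"""

# Hex words are one space apart; the gutter follows a run of spaces, so the match stops before it.
ROW = re.compile(r"^0x([0-9a-f]+)\s+((?:[0-9a-f]{2,4} )*[0-9a-f]{2,4})")

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw IP packet from the hex columns of a tcpdump -X dump."""
    raw = bytearray()
    for m in filter(None, map(ROW.match, dump.splitlines())):
        if int(m.group(1), 16) != len(raw):
            raise ValueError("offset column disagrees with bytes decoded so far")
        raw += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(raw)

def tcp_payload(packet: bytes) -> tuple:
    """Walk the IPv4 and TCP headers; return (endpoint summary, TCP payload)."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4                      # IP header length
    total_len = int.from_bytes(packet[2:4], "big")    # drops link-layer padding
    tcp = packet[ihl:total_len]
    doff = (tcp[12] >> 4) * 4                         # TCP header length
    summary = {"src": ".".join(map(str, packet[12:16])),
               "dst": ".".join(map(str, packet[16:20])),
               "sport": int.from_bytes(tcp[0:2], "big"),
               "dport": int.from_bytes(tcp[2:4], "big"),
               "flags": tcp[13] & 0x3F}               # 0x18 = PSH|ACK
    return summary, tcp[doff:]

def parse_http_request(payload: bytes) -> tuple:
    """Split an HTTP/1.x request head into (request line, lower-cased headers)."""
    head = payload.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers
```

Running the three functions in sequence on CAPTURE yields the request line "GET / HTTP/1.1" with just the two headers shown in the dump, which is the kind of detail the access log line alone cannot give.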




