Disclaimers:
Note that no one is claiming the activity below is malicious or illegal. Visit the URLs at your own risk. They are being posted because they don't appear to be malicious in nature.

One of our readers has come across an interesting phenomenon in his proxy logs that we're hoping someone can shed some light on. It's not necessarily malicious, it's just hinkey. Imagine reviewing your webserver or proxy logs and seeing requests for a website completely unrelated to your organization, but with an IP address from your own address block embedded in the hostname. (Thanks to Jeremy for the report and the offer to share. I was able to find plenty of examples on the internet without referencing yours specifically.)

So here is an example URL that might show up in your logs:

http://check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html

Running the host command on the above hostname gives:

check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn has address 61.135.170.153

Hrm. 216.109.136.53 is an IP in Hoboken, NJ. That's about 6800 miles away from the host in China (61.135.170.153).

If you search for the string "super.proxy.scanner" in Google you get 3 pages of proxy and web logs showing requests for various URLs that follow the form:

http://check.$ip_address.v.80.(pdx8|PCN22|mt1|pw1).super.proxy.scanner.(i.thu.cn|ii.9966.org)/Provy_OK.html

All of the hostnames resolve to 61.135.170.153. All of the logs I could find show this activity only in the March-April 2006 timeframe, so it is relatively new. Visiting one of these hinkey URLs always returns the following (well, at least in the few I tried):

"OK0001"

The webserver is running lighttpd/1.4.11 (http://www.lighttpd.net/). That's about all I could find. The string "super.proxy.scanner" showed up on a few sites as the top search result, so someone or some program is looking for this traffic as well. So let us know if you have any theories (or maybe you know exactly what's going on here).
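If you want to pull these requests out of your own logs rather than eyeballing them, the following script is an added example (not part of the original diary, and not Jeremy's or the ISC's code). It matches the hostname form described above, extracts the embedded IP, port, tag and zone, and flags any hit whose embedded IP falls inside your own address space. The log layout is assumed to be Squid's native access.log format, the netblocks in OUR_NETBLOCKS are constructed values chosen so the diary's example hostnames land in them, and the sample log lines are constructed from the hostnames quoted in this diary.

```python
import ipaddress
import re
from collections import Counter

# Hostname form described in the diary:
#   check.<ip>.v.<port>.<tag>.super.proxy.scanner.(i.thu.cn|ii.9966.org)
# The port and tag groups are kept loose because the Google results show
# v.80 as well as v.8080, and tags in both upper and lower case.
SCANNER_HOST_RE = re.compile(
    r"^check\.(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\.v\.(?P<port>\d{1,5})\."
    r"(?P<tag>[A-Za-z0-9]+)\.super\.proxy\.scanner\."
    r"(?P<zone>i\.thu\.cn|ii\.9966\.org)$",
    re.IGNORECASE,
)

# Address space of the organisation reviewing the logs. These are assumed,
# constructed values chosen so that the diary's example hostnames hit them.
OUR_NETBLOCKS = [
    ipaddress.ip_network("216.109.136.0/24"),
    ipaddress.ip_network("128.243.0.0/16"),
]

# Constructed sample lines in Squid native access.log layout:
#   timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1146182401.123 45 10.0.0.17 TCP_MISS/200 412 GET http://check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html - DIRECT/61.135.170.153 text/html
1146182402.456 12 10.0.0.17 TCP_MISS/200 1337 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1146182403.789 51 10.0.0.22 TCP_MISS/200 412 GET http://check.128.243.107.6.v.8080.PCN22.super.proxy.scanner.ii.9966.org/Provy_OK.html - DIRECT/61.135.170.153 text/html
1146182404.000 50 10.0.0.22 TCP_MISS/200 412 GET http://check.63.245.201.35.v.80.mt1.super.proxy.scanner.ii.9966.org/Provy_OK.html - DIRECT/61.135.170.153 text/html
"""


def host_from_url(url):
    """Return the hostname part of a URL, preserving its case."""
    rest = url.split("://", 1)[-1]
    return re.split(r"[/:?]", rest, maxsplit=1)[0]


def parse_scanner_host(hostname):
    """Break a super.proxy.scanner hostname into its embedded fields.

    Returns None for hostnames that do not match the pattern or whose
    embedded address is not a valid IPv4 address (the regex only checks
    the digit grouping, not the 0-255 range of each octet).
    """
    m = SCANNER_HOST_RE.match(hostname)
    if m is None:
        return None
    try:
        addr = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {
        "ip": str(addr),
        "port": int(m["port"]),
        "tag": m["tag"],
        "zone": m["zone"].lower(),
    }


def scan_log(text, our_netblocks=OUR_NETBLOCKS):
    """Find scanner-pattern requests in Squid-format log text.

    Each hit records the requesting client, the embedded IP and port, and
    whether that embedded IP falls inside our own address space.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line, skip it
        info = parse_scanner_host(host_from_url(fields[6]))
        if info is None:
            continue
        addr = ipaddress.ip_address(info["ip"])
        info["client"] = fields[2]
        info["in_our_space"] = any(addr in net for net in our_netblocks)
        hits.append(info)
    return hits


def summarize(hits):
    """Aggregate hits the way you would before writing up a report."""
    return {
        "total": len(hits),
        "in_our_space": sum(1 for h in hits if h["in_our_space"]),
        "embedded_ips": sorted({h["ip"] for h in hits}),
        "ports": Counter(h["port"] for h in hits),
        "zones": Counter(h["zone"] for h in hits),
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        flag = "OUR SPACE" if h["in_our_space"] else "other"
        print(f"{h['client']} -> {h['ip']}:{h['port']} tag={h['tag']} "
              f"zone={h['zone']} [{flag}]")
    print(summarize(found))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents and OUR_NETBLOCKS with your own prefixes. The embedded IP and port are the interesting fields: if they belong to you, the requesting client on your side is worth a closer look, because something on it is fetching a URL that names one of your own addresses.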
Also, if you have any web/proxy log entries (or even better, pcaps of all traffic related to one of these IPs) feel free to send them in. We'll post whatever we find in the diary.

One interesting tidbit: while researching this I fat-fingered a lookup and the DNS server gave me an interesting IP back:

dig any suprt.proxy.scanner.ii.9966.org

;; QUESTION SECTION:
;suprt.proxy.scanner.ii.9966.org. IN ANY

;; ANSWER SECTION:
suprt.proxy.scanner.ii.9966.org. 300 IN A 61.135.170.153
suprt.proxy.scanner.ii.9966.org. 300 IN NS ns1.suprt.proxy.scanner.ii.9966.org.
suprt.proxy.scanner.ii.9966.org. 300 IN NS ns2.suprt.proxy.scanner.ii.9966.org.

;; AUTHORITY SECTION:
suprt.proxy.scanner.ii.9966.org. 300 IN NS ns2.suprt.proxy.scanner.ii.9966.org.
suprt.proxy.scanner.ii.9966.org. 300 IN NS ns1.suprt.proxy.scanner.ii.9966.org.

;; ADDITIONAL SECTION:
ns1.suprt.proxy.scanner.ii.9966.org. 300 IN A 61.135.170.159
ns2.suprt.proxy.scanner.ii.9966.org. 300 IN A 61.135.159.152

Here is what I would have gotten without my typo:

dig any super.proxy.scanner.ii.9966.org

;; QUESTION SECTION:
;super.proxy.scanner.ii.9966.org. IN ANY

;; ANSWER SECTION:
super.proxy.scanner.ii.9966.org. 300 IN A 61.135.170.153

;; AUTHORITY SECTION:
ii.9966.org. 86400 IN NS ns2.ii.9966.org.
ii.9966.org. 86400 IN NS ns1.ii.9966.org.
Some results from Google:

check.216.109.136.53.v.80.pdx8.super.proxy.scanner.i.thu.cn/Provy_OK.html
check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html
check.216.109.136.53.v.80.PCN22.super.proxy.scanner.i.thu.cn/Provy_OK.html
check.63.245.201.35.v.80.mt1.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.66.34.248.90.v.80.pcn22.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.147.251.3.78.v.80.PCN22.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.147.251.3.39.v.80.PCN22.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.130.71.96.35.v.80.mt1.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.141.225.152.87.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.207.73.173.23.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.63.245.201.36.v.80.pw1.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.207.73.173.23.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.58.188.232.10.v.80.PCN22.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.63.245.201.35.v.80.PCN22.super.proxy.scanner.i.thu.cn/Provy_OK.html
check.207.210.74.70.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.151.100.18.65.v.80.PCN22.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.212.192.114.3.v.80.mt1.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.128.243.107.6.v.8080.PCN22.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.192.107.81.22.v.80.pw1.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.192.107.81.22.v.80.PCN22.super.proxy.scanner.i.thu.cn/Provy_OK.html
check.130.85.162.106.v.80.pw1.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.130.85.162.106.v.80.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html
check.167.196.204.113.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.212.192.114.3.v.80.mt1.super.proxy.scanner.ii.9966.org/Provy_OK.html
check.207.210.74.70.v.80.pdx8.super.proxy.scanner.ii.9966.or

Interesting entry from the web log for a webcam:

Camera 1: Security alert: user from IP address: 61.135.170.159 is trying to read file: check.70.60.215.15.v.8080.PCN22.super.proxy.scanner.i.thu.cn/Provy_OK.html

Robert - SANS ISC Handler on Duty
Apr 28th 2006