Hello all!

My web server was probed on ports 80, 8080 and 3128 (all ports for HTTP/proxies, afaik). The source issued the following command (broken to fit in the mail):

"GET http://www.rusftpsearch.net/ cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62.127&pstport=80"

Can someone please point me to some information about that probe? What were they doing? Has somebody seen the same probe? Does somebody know the server www.rusftpsearch.net (I can't find any information about it)?

Thank you very much for your help.

With kind regards,
Heiko.
This is everything about www.rusftpsearch.net that is registered in the InterNIC whois database:

Cheers,
Michael

__________________________________________
Registrant:
EA CO. (RUSFTPSEARCH-DOM)
BARLACHSTRASSE 16
BAVARIA, INGOLSTADT 85053
DE

Domain Name: RUSFTPSEARCH.NET

Administrative Contact, Technical Contact, Zone Contact:
Hertziger, Brian (SNX5) SAN@ID.RU
1-414-329-8511
Billing Contact:
Hertziger, Brian (SNX5) SAN@ID.RU
1-414-329-8511

Record last updated on 27-Oct-1999.
Record created on 05-Aug-1999.
Database last updated on 7-Dec-1999 16:53:53 EST.

Domain servers in listed order:
NS1.BLUEGRAVITY.COM 207.254.128.2
NS2.BLUEGRAVITY.COM 207.254.128.3

Heiko Degenhardt wrote:
> Hello all!
> My web server was probed on ports 80, 8080 and 3128 (all ports for HTTP/proxies, afaik).
> The source issued the following command (broken to fit in the mail):
> "GET http://www.rusftpsearch.net/ cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62.127&pstport=80"
> Can someone please point me to some information about that probe? What were they doing? Has somebody seen the same probe? Does somebody know the server www.rusftpsearch.net (I can't find any information about it)?
> Thank you very much for your help.
> With kind regards, Heiko.
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
> For additional commands, e-mail: suse-security-help@suse.com
--
-----------------------------
Michael ADLER
TU München
Lehrstuhl für Pädagogik
Tel: +49 89 289-24227
Fax: +48 89 289-24313
mobile: +49 171 1938691
Tel (private): +49 89 54076231
-----------------------------
Hello Heiko,
> "GET http://www.rusftpsearch.net/ cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62.127&pstport=80"

please send the full line from your logs. This entry is not what a web server normally writes to its logs. It should read

GET /cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62.127&pstport=80

The host is given in the header information of an HTTP request. Maybe someone tried to access their host with telnet or some prop software and didn't know what to do?

What is your server's IP address? What is their IP address?

So long,
Ulli

--
----------------- Die Website Effizienzer ------------------
luna-park Bravo Sanchez, Vollmert, Wisser GbR
Ulrich Wisser mailto:u.wisser@luna-park.de
Alter Schlachthof, Immenburgstr. 20 Tel +49-228-9654055
D-53121 Bonn Fax +49-228-9654057
------------------ http://www.luna-park.de ------------------
Ulrich Wisser wrote:
> > "GET http://www.rusftpsearch.net/ cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62.127&pstport=80"
>
> please send the full line from your logs. This entry is not what a web server normally writes to its logs. It should read
>
> GET /cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62.127&pstport=80
>
> The host is given in the header information of an HTTP request. Maybe someone tried to access their host with telnet or some prop software and didn't know what to do?
>
> What is your server's IP address? What is their IP address?

This _is_ the exact line of the request. The Russians are trying to find open HTTP proxies (check the way a browser contacts via a proxy). The goal of these attacks is to cheat on advertising statistics (I had this type of scan too and I followed the originating systems for some time). I had them mostly from *.ru and from *.jp. Here is a portion of my proxy log analyzer output:

Complaining won't work. But I hope your proxy (if you have one) is correctly configured.

--
Roland Steinbach <roland@support-system.com>
stoney_ on IRC (ircnet)
Abandoned in Void of Nothingness
(Oops, is it OK to reply to one's own questions...?) :-)

Hello all!

Heiko Degenhardt wrote:

> ... [ Probe of my web server on ports 80, 8080, 3128]

I think I found the origin of that probe. It seems to be a trojan called RingZero (or a derivative). (See http://www.sans.org/newlook/resources/ringzero.htm)

The following entry was in my logs:

...
24.8.194.208 - - [07/Dec/1999:17:42:23 +0100] "GET http://www.rusftpsearch.net/ cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62.127&pstport=80 HTTP/1.0" 403 292 "-" "Mozilla/2.0 (compatible; MSIE 3.0; Windows 95)"
...

If I understand right, it shows that someone at home.com has got a trojan that scans for open WWW proxies for some site (claiming to be) "www.rusftpsearch.net". I hope that abuse@home.com will investigate further to help the one with the trojan (I just got an automatic reply from them). I have also informed the maintainer of the Russian site, but also just got an auto reply (and don't believe that I will hear more from them :-( ).

Thank you all for your help.

With kind regards,
Heiko.
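Ulrich's and Roland's points above (a client talking to a proxy sends the absolute URL as the request target, and Heiko's 403 shows the server refused to relay it) turned into a log check. This is an added example written for this thread, not code from any of the posters; it assumes Apache combined-format logs, and the sample lines are constructed, the first copying the request shape Heiko quoted with the mail line break removed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format: the first reproduces the
# request shape quoted in the thread, the other two are made up for contrast.
SAMPLE_LOG = """\
24.8.194.208 - - [07/Dec/1999:17:42:23 +0100] "GET http://www.rusftpsearch.net/cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62.127&pstport=80 HTTP/1.0" 403 292 "-" "Mozilla/2.0 (compatible; MSIE 3.0; Windows 95)"
10.0.0.5 - - [07/Dec/1999:17:45:01 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.7 - - [07/Dec/1999:18:02:11 +0100] "GET http://example.net/ HTTP/1.0" 200 512 "-" "curl/7.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) '
)

def is_proxy_request(target):
    # A client talking to a proxy sends the absolute URL ("GET http://host/path");
    # a request to the server itself starts with "/".
    return target.lower().startswith(("http://", "https://"))

def classify(line):
    """Return (kind, details); kind is 'unparsed', 'origin', 'proxy' or 'ringzero-probe'."""
    m = LOG_RE.match(line)
    if m is None:
        return ("unparsed", {})
    f = m.groupdict()
    details = {"client": f["client"], "status": f["status"]}
    if not is_proxy_request(f["target"]):
        return ("origin", details)
    u = urlsplit(f["target"])
    q = parse_qs(u.query)
    details["proxy_target"] = u.hostname
    # Only a 2xx answer means the server actually relayed the request, i.e. acted
    # as an open proxy; the 403 in Heiko's log shows the request was refused.
    details["relayed"] = f["status"].startswith("2")
    if u.path.endswith("/pst.pl") and q.get("pstmode") == ["writeip"]:
        # The probe reports back which host:port answered as a proxy.
        details["reported_host"] = q.get("psthost", [""])[0]
        details["reported_port"] = q.get("pstport", [""])[0]
        return ("ringzero-probe", details)
    return ("proxy", details)

def scan(log_text):
    """Classify every non-empty line of a log file."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]
```

Any "proxy" or "ringzero-probe" entry with relayed set to True is the one worth acting on: it means the server forwarded someone else's request.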
participants (4):
- Heiko Degenhardt
- Michael Adler
- Roland Steinbach
- Ulrich Wisser