I set up a brand new web server to see what type of connections it will receive. Since the server had no “production” purpose, all attempts to access it could be considered suspicious at best. Such requests are associated with scans, probes and other malicious activities that tend to blend into the background of web traffic. Here’s what I observed.
An Internet-Mapping Experiment by PDR Labs
The web server began receiving the following unexpected HTTP requests once or twice per day:
    HEAD / HTTP/1.1
    Accept-Encoding: identity
    User-Agent: Cloud mapping experiment. Contact firstname.lastname@example.org
These connection attempts stood out because the HTTP requests were missing the “Accept” header and included the server’s IP address, rather than its hostname, in the “Host:” field (not shown here). This tends to occur with bots.
Searching the web for “pdrlabs.net” led to www.pdrlabs.net, which contained a bare-bones page stating:
“We are conducting an ongoing experiment to map the Internet in its entirety. Our crawling is not malicious in intent and does nothing more than attempt the connection; no further information is mined.”
These connections originated from different IP addresses, all of which were hosted at Amazon Elastic Compute Cloud (EC2). These included 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52 and 184.108.40.206.
I didn’t find any other suspicious connections associated with these IPs so I am not too worried about this activity. Still, what are PDR Labs up to and who is behind this project? Perhaps some day these secrets will be revealed to us.
Scans for Open Web Proxies
Another set of anomalous requests, unrelated to the connections above, looked like this:
    GET http:// hotel.qunar. com/render/hoteldiv.jsp?&__jscallback=XQScript_4 HTTP/1.1
    Accept-Encoding: gzip,deflate,sdch
    Referer: http:// hotel.qunar. com/
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Host: hotel.qunar.com
These requests stood out because the client attempted to retrieve a page from hotel.qunar.com, which was unrelated to my web server. Such connections, regardless of the third-party URL they attempt to retrieve, tend to be scans for open proxies. If my web server were configured as an open proxy, it would retrieve the requested URL and present it to the client.
According to the Httpd Wiki, such open proxies could be misused to “manipulate pay-per-click ad systems, to add comment or link-spam to someone else’s site, or just to do something nasty without being detected.” Open proxies are also used to bypass corporate or government access restrictions.
I observed these connections roughly every other day. They originated from different IP addresses, all of which were registered in China. These included 220.127.116.11, 18.104.22.168 and 22.214.171.124.
Why do these scans use the hotel.qunar.com URL for their tests? I doubt the person behind them is intent on finding a way to make anonymous hotel reservations through this site. Any URL would do. However, hotel.qunar.com is specifically mentioned as an example in the onlineProxy.js tool:
    /**
     * a proxy with totoro, to test online page.
     * step1: totoro -R http:// 10.211.55. 2:9998/proxy?target=hotel.qunar.com -a mocha
     * step2: this proxy, request the target url, add mocha script and case to response
     * step3: response the added html to totoro server
     */
This tool is a module for Totoro, which is a free, “simple and stable cross-browser testing tool.” Perhaps the scanner was implemented by using Totoro and onlineProxy.js, with the person behind it using the example above when launching the scans. Another mystery of the web unraveled!
This wasn’t the only set of proxy connections that the server encountered. Another probe came from 126.96.36.199, which attempted to retrieve:
GET http:// www. k2proxy. com//hello.html
The connecting client specified the following User-Agent string: “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)”. The connection came from a system that, according to the Spamhaus CBL, was infected with Torpig malware. The K2 proxy website, authored in Chinese, seems to be an effort to locate and document open proxies and appears to be maintained by email@example.com.
Yet another proxy probe came from 188.8.131.52, an IP address classified as being potentially malicious by Project Honey Pot:
    GET http://www.baidu.com/ HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
A couple of seconds before submitting this HTTP request, the attacking system also attempted to connect to the server on TCP ports 135 and 1433, both of which are associated with Microsoft SQL Server activity.
Probes from Potentially-Infected Systems
Let’s move to another unusual set of connections. Approximately every other day the web server received the following request:
HEAD / HTTP/1.0
These connections stood out because they were missing all other headers typically present in an HTTP connection. The requests came from different IPs, which included 184.108.40.206, 220.127.116.11, 18.104.22.168 and 22.214.171.124. These IPs were located in the US, Japan and Taiwan.
Several of these IP addresses were flagged on the Spamhaus Composite Blocking List (CBL) as being associated with infected hosts. According to CBL, some of these systems were running Gameover Zeus and Hesperbot malware. Perhaps these bots were directed to scan the web looking for web servers to infect—I’m not sure, but if you have promising theories, please let me know.
Scans for phpMyAdmin Vulnerabilities
The web server also saw several requests associated with User-Agent “ZmEu”. They looked like this:
    GET /MyAdmin/scripts/setup.php HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: ZmEu
These connections stood out because they attempted to access PHP pages not present on the server and specified an unusual User-Agent. Also, they provided a “Host:” header (not shown here) that specified the web server’s IP address, rather than its hostname.
These probes came from 126.96.36.199 in Bulgaria. According to the Spamhaus CBL, this IP was associated with Gameover Zeus malware. The infected system attempted to access pages used by phpMyAdmin, a popular MySQL administration tool. The scanner looked for vulnerabilities in phpMyAdmin that it could exploit.
According to Phil Riesch, User-Agent “ZmEu” is used by “a security tool used for discovering security holes” in phpMyAdmin. Older web probes associated with this tool included a reference to its potential origin and pointed to a now-defunct website:
Made by ZmEu @ WhiteHat Team - www. whitehat.ro
Someone seemed to be using a bot network to scan for vulnerable phpMyAdmin systems, though the reference to “ZmEu” could have been added regardless of whether that was the tool that the attacker actually employed.
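The tells used throughout this post to recognize probes can be turned into a small classifier: a “Host:” header carrying the server’s IP instead of its name and a missing “Accept” header (the PDR Labs requests), an absolute URI on the request line that points at someone else’s host (the open-proxy scans), a header-less HEAD / HTTP/1.0 (the probes from CBL-listed systems), and the ZmEu User-Agent or phpMyAdmin setup.php paths. The Python below is an added example written for this edit, not code from the post; the server name and IP, and the sample requests, are constructed values modelled on the requests shown above.

```python
import ipaddress
from urllib.parse import urlsplit

# Identity of the server being protected (constructed values, not from the post).
SERVER_HOST = "www.example.org"
SERVER_IP = "192.0.2.10"


def parse_request(raw):
    """Split the head of a raw HTTP request into (method, target, version, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    lines = raw.strip("\r\n").split("\n")
    parts = lines[0].strip().split()
    if len(parts) == 2:  # HTTP/0.9-style line with no version, as in the k2proxy probe
        parts.append("HTTP/0.9")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def is_ip(host):
    """True if the Host value is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(raw):
    """Return the list of probe indicators found in one raw request."""
    method, target, version, headers = parse_request(raw)
    tags = []
    ua = headers.get("user-agent", "")
    host = headers.get("host", "")

    # Open-proxy scan: absolute URI whose host is not this server.
    if target.startswith(("http://", "https://")):
        proxied_host = urlsplit(target).hostname or ""
        if proxied_host not in (SERVER_HOST, SERVER_IP):
            tags.append("open-proxy-probe:" + proxied_host)

    # Bot-like: Host header carries our IP address (port stripped; IPv4 only here).
    if host and is_ip(host.split(":")[0]):
        tags.append("host-is-ip")

    # Bot-like: no Accept header at all, which browsers always send.
    if "accept" not in headers:
        tags.append("no-accept-header")

    # Bare probe: request line only, no headers whatsoever.
    if not headers:
        tags.append("headerless")

    # phpMyAdmin scanner: the ZmEu User-Agent or setup.php under an admin path.
    if "zmeu" in ua.lower():
        tags.append("ua-zmeu")
    path = target.lower()
    if "setup.php" in path and ("myadmin" in path or "pma" in path):
        tags.append("phpmyadmin-scan")

    return tags


# Constructed sample requests patterned on the ones observed in the post.
SAMPLES = {
    "mapping": "HEAD / HTTP/1.1\r\nAccept-Encoding: identity\r\n"
               "User-Agent: Cloud mapping experiment. Contact someone@example.org\r\n"
               "Host: 192.0.2.10\r\n",
    "proxy": "GET http://hotel.example.com/render/hoteldiv.jsp?x=1 HTTP/1.1\r\n"
             "Accept-Encoding: gzip,deflate,sdch\r\nReferer: http://hotel.example.com/\r\n"
             "User-Agent: Mozilla/5.0\r\nHost: hotel.example.com\r\n",
    "bare": "HEAD / HTTP/1.0\r\n",
    "zmeu": "GET /MyAdmin/scripts/setup.php HTTP/1.1\r\nAccept: */*\r\n"
            "Accept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\n"
            "User-Agent: ZmEu\r\nHost: 192.0.2.10\r\n",
    "legit": "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
             "Accept: text/html\r\nUser-Agent: Mozilla/5.0\r\n",
}


def classify_samples():
    """Classify every constructed sample; used by the stand-alone run below."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, tags in classify_samples().items():
        print("%-8s %s" % (name, ", ".join(tags) or "(no indicators)"))
```

Feeding real traffic through this means reconstructing request heads from the access log or a packet capture; the tags are meant for triage, not blocking, since a missing Accept header on its own also matches plenty of harmless monitoring clients. The behaviour the open-proxy scans are looking for is, on Apache httpd, controlled by the ProxyRequests directive, which should stay Off unless the server is deliberately run as a forward proxy.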
This completes the overview of the suspicious activities I observed recently on a brand new web server that should not have seen any connections. Such probes are easy to notice on a non-production system like that. On most real servers, they probably go unnoticed, blending into the noise that comprises today’s Internet traffic.