Saturday, April 29, 2006

Red China "Super.Proxy.Scanner"? Whassup?

Just because Blogger acted silly in the last hour, I went to SANS to check on the 'net.

Here's an interesting little item:

One of our readers has come across an interesting phenomenon in his proxy logs that we're hoping someone can shed some light on. It's not necessarily malicious, it's just hinky.

Imagine reviewing your webserver or proxy logs and seeing requests for a website completely unrelated to your organization, but an IP address in your address block appears in the hostname.

So here is an example URL that might show up in your logs:

http://check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html

Running the host command on the above hostname provides:

check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn has address 61.135.170.153

Hrm. 216.109.136.53 is an IP in Hoboken, NJ. That's about 6800 miles away from the host in China (61.135.170.153).

If you search for the string "super.proxy.scanner" in google you get 3 pages of proxy and web logs showing requests for various URLs that follow the form:

http://check.$ip_address.v.80.(pdx8PCN22mt1pw1).super.proxy.scanner.(i.thu.cnii.9966.org)/Provy_OK.html

All of the hostnames resolve to 61.135.170.153.

All of the logs I could find show this activity only in the March-April 2006 timeframe, so it's relatively new.

We all know that the Red Chinese are our friends.
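As an added example (not from the SANS diary or this blog), here is one way to hunt for the pattern described above in your own proxy logs: pull the IP and port embedded in any super.proxy.scanner hostname and flag whether that IP falls inside your address block. The log field layout and the 10.x client addresses are constructed for the demo; only the first URL is the one quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Hostname shape quoted in the diary:
#   check.<embedded-ip>.v.<port>.<tag>.super.proxy.scanner.<scanner-domain>
SCANNER_HOST = re.compile(
    r"^check\.(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\.v\.(?P<port>\d{1,5})\."
    r"(?P<tag>[^.]+)\.super\.proxy\.scanner\.(?P<domain>.+)$",
    re.IGNORECASE,
)

def parse_scanner_url(url):
    """Return the fields embedded in a super.proxy.scanner URL, or None."""
    m = SCANNER_HOST.match(urlsplit(url).hostname or "")
    if not m:
        return None
    info = m.groupdict()
    info["port"] = int(info["port"])
    return info

def find_probes(log_lines, our_nets):
    """Report each probe as (client, embedded_ip, port, in_our_block). Assumes the
    client is the 2nd field and the URL is the first field starting with http(s)://."""
    nets = [ipaddress.ip_network(n) for n in our_nets]
    hits = []
    for line in log_lines:
        fields = line.split()
        url = next((f for f in fields if f.startswith(("http://", "https://"))), None)
        if url is None or len(fields) < 2:
            continue
        info = parse_scanner_url(url)
        if info is None:
            continue
        try:
            embedded = ipaddress.ip_address(info["ip"])
        except ValueError:  # looks like the pattern but octets are not a valid IPv4
            continue
        in_block = any(embedded in n for n in nets)
        hits.append((fields[1], str(embedded), info["port"], in_block))
    return hits
# Constructed sample lines (timestamp client status method url), not real log data.
# The first URL is the one quoted on the page; the 10.x addresses are made up.
SAMPLE_LOG = [
    "1146300000.123 10.1.2.3 TCP_MISS/200 GET "
    "http://check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html",
    "1146300001.456 10.1.2.4 TCP_MISS/200 GET http://www.example.com/index.html",
    "1146300002.789 10.1.2.3 TCP_MISS/404 GET "
    "http://check.10.20.30.40.v.8080.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html",
]
```

Running `find_probes(SAMPLE_LOG, ["216.109.136.0/24"])` with a constructed address block flags the Hoboken probe as inside the block and the 10.20.30.40 probe as outside it.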

2 comments:

Anonymous said...

I found a similar string in my proxy log file 5 minutes ago. What the f**k is that?
But my log shows that the IP resolves to 211.100.33.61.
The whois server shows that this IP belongs to some China network...

John said...

Learn What A Proxy Server Is