Internet Noise and Malicious Requests to a New Web Server

I set up a brand new web server to see what type of connections it will receive. Since the server had no "production" purpose, all attempts to access it could be considered suspicious at best. Such requests are associated with scans, probes and other malicious activities that tend to blend into the background of web traffic. Here's what I observed.

An Internet-Mapping Experiment by PDR Labs

The web server began receiving the following unexpected HTTP requests once or twice per day:

HEAD / HTTP/1.1
Accept-Encoding: identity
User-Agent: Cloud mapping experiment. Contact research@pdrlabs.net

These connection attempts stood out because the HTTP requests were missing the "Accept" header and included the server's IP address, rather than hostname in the "Host:" field (not shown here). This tends to occur with bots.

Searching the web for "pdrlabs.net" led to www.pdrlabs.net, which contained a bare-bones page stating:

"We are conducting an ongoing experiment to map the Internet in its entirety. Our crawling is not malicious in intent and does nothing more than attempt the connection; no further information is mined."

These connections originated from different IP addresses, all of which were hosted at Amazon Elastic Compute Cloud (EC2). These included 75.101.197.159, 23.20.195.127, 23.22.8.3, 54.196.118.77, 23.22.13.205, 54.90.93.247, 54.87.77.99, 54.89.82.208, 107.22.50.242, 54.87.77.99, 54.89.82.208 and 107.22.50.242.

I didn't find any other suspicious connections associated with these IPs so I am not too worried about this activity. Still, what are PDR Labs up to and who is behind this project? Perhaps some day these secrets will be revealed to us.

Scans for Open Web Proxies

Another set of anomalous requests, unrelated to the connections above, looked like this:

GET http:// hotel.qunar. com/render/hoteldiv.jsp?&__jscallback=XQScript_4 HTTP/1.1
Accept-Encoding: gzip,deflate,sdch
Referer: http:// hotel.qunar. com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Host: hotel.qunar.com

These requests stood out because the client attempted to retrieve a page from hotel.qunar.com, which was unrelated to my web server. Such connections, regardless the third-party URL they attempt to retrieve, tend to be scans for open proxies. If my web server was configured as an open proxy, it would retrieve the requested URL and present it to the client.

According to the Httpd Wiki, such open proxies could be misused to "manipulate pay-per-click ad systems, to add comment or link-spam to someone else's site, or just to do something nasty without being detected." Open proxies are also used to bypass corporate or government access restrictions.

I observed these connections roughly every other day. They originated from different IP addresses, all of which were registered in China. These included 114.232.150.176, 114.231.131.97 and 115.29.146.211.

Why do these scans use the hotel.qunar.com URL for its tests? I doubt the person behind them is intent on finding a way to make anonymous hotel reservations through this site. Any URL would do. However, hotel.qunar.com is specifically mentioned as an example in the onlineProxy.js tool:

/**
* a proxy with totoro, to test online page.
* 
 step1: totoro -R http:// 10.211.55. 2:9998/proxy?target=hotel.qunar.com -a mocha
 step2: this proxy, request the target url, add mocha script and case to response
 step3: response the added html to totoro server
*
*/

This tool is a module for Totoro, which is a free, "simple and stable cross-browser testing tool." Perhaps the scanner was implemented by using Totoro and onlineProxy.js, with the person behind it using the example above when launching the scans. Another mystery of the web unraveled!

This wasn't the only set of proxy connections that the server encountered. Another probe came from 122.226.223.69, which attempted to retrieve:

GET http:// www. k2proxy. com//hello.html

The connecting client specified the following User-Agent string: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)". The connection came from the system that, according to Spamhous CBL was infected with Torpig malware. The K2 proxy website, authored in Chinese, seems to be an effort to locate and document open proxies and appears to be maintained by zngohaha117@hotmail.com.

Yet another proxy probe came from 63.246.129.40, an IP address classified as being potentially malicious by Project Honey Pot:

GET http://www.baidu.com/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

A couple of seconds before submitting this HTTP request, the attacking system also attempted to connect to the server on TCP ports 135 and 1433, both of which are associated with Microsoft SQL Server activity.

Probes from Potentially-Infected Systems

Let's move to another unusual set of connections Approximately every other day the web server received the following request:

HEAD / HTTP/1.0

These connections stood out because they were missing all other headers typically present in an HTTP connection. The requests came from different IPs, which included 162.242.146.223, 184.173.172.150, 103.3.189.14 and 210.17.38.217. These IPs were located in the US, Japan and Taiwan.

Several of these IP addresses were flagged on the Spamhous Composite Blocking List (CBL) as being associated with infected hosts. According to CBL, some of these systems were running Gameover Zeus and Hesperbot malware. Perhaps these bots were directed to scan the web looking for web servers to infect—I'm not sure, but if you have promising theories, please let me know.

Scans for phpMyAdmin Vulnerabilities

The web server also saw several requests associated with User-Agent "ZmEu". They looked like this:

GET /MyAdmin/scripts/setup.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu

These connections stood out because they attempted to access PHP pages not present on the server and specified an unusual User-Agent. Also, they provided a "Host:" header (not shown here) that specified the web server's IP address, rather than its hostname.

These probes came from 95.111.68.120 in Bulgaria. According to Spamhous CBL, this IP was associated with Gameover Zeus malware. The infected system attempted to access pages used by phpMyAdmin, a popular MySQL administration tool. The scanner looked for vulnerabilities in phpMyAdmin that it could exploit.

According to Phil Riesch, User-Agent "ZmEu" is used by "a security tool used for discovering security holes" in phpMyAdmin. Older web probes associated with this tool included a reference to its potential origin and pointed to a now-defunct website:

Made by ZmEu @ WhiteHat Team - www. whitehat.ro

Someone seemed to be using a bot network to scan for vulnerable phpMyAdmin systems, though the reference to "ZmEu" could have been added regardless of whether that was the tool that the attacker actually employed.

This completes the overview of the suspicious activities I observed recently on a brand new web server that should not have seen any connections. Such probes are easy to notice on a non-production system like that. On most real servers, they probably go unnoticed, blending into the noise that comprises today's Internet traffic.

Updated

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more