Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

  #1 (permalink)  
Old 08-18-2009, 06:35 AM
WebProWorld Member
 
Join Date: Feb 2005
Location: UK (Telford)
Posts: 88
milonic RepRank 1
Default Strange Server Requests

Hi All,

My Local Development Linux box is making very odd requests to search engines and it appears to be a weekly event judging by the logs:

August 17
August 10
August 3
July 27
July 20 and so on

Looks like they are all looking at port 80 - Only trouble is that this box is on our local network and behind a firewall that blocks all inbound traffic so what's happening? There is one IP Address that stands out and that is from insiderinfoDotCom - Could this be the culprit?

Here's a list of the IP Addresses:

From 72.30.186.25 - 3 packets - AllTheWeb
From 74.125.79.99 - 1 packet - Google
From 74.125.79.104 - 1 packet - Google
From 74.125.79.106 - 1 packet - Google
From 75.101.145.196 - 1 packet - DEAD
From 92.122.126.232 - 1 packet - 404 Error
From 92.122.127.25 - 1 packet - 404 Error
From 209.202.254.14 - 18 packets - insiderinfo dot com


Anybody have any ideas what is going on?

Cheers,
Andy
__________________
http://www.milonic.com/
Free website menus for non profits and free licenses for Open Source Projects
Reply With Quote
  #2 (permalink)  
Old 08-18-2009, 03:08 PM
WebProWorld New Member
 
Join Date: Sep 2004
Location: Guatemala
Posts: 22
explorador RepRank 0
Default Re: Strange Server Requests

YOUR box is CALLING the SE????

I have an issue... I have private URLs, non public, no way others could find out but still Alexa has found them. Check your software, perhaps your browser is revealing the data or "calling home". This actually would be a security issue on the software.
Reply With Quote
  #3 (permalink)  
Old 08-18-2009, 04:09 PM
Moderator
WebProWorld Moderator
 
Join Date: Jun 2006
Location: United States
Posts: 2,648
wige RepRank 9
Default Re: Strange Server Requests

Andy,

The From line indicates to me that the traffic is coming from the search engines to your box rather than the other way around. Is it possible there is a domain name pointing to your server, or that your IP address had previously had a server on it? Search engines do not update their internal DNS systems as often as regular clients, so they may still hit an old IP address.

explorador,

Alexa is essentially spyware. The only way they find out about URLs is if a user visits that URL while using any Alexa toolbar or browser plugin. If Alexa found out about a "private" URL, that is the most likely cause.
__________________
The best way to learn anything, is to question everything.
Reply With Quote
  #4 (permalink)  
Old 08-18-2009, 05:11 PM
WebProWorld New Member
 
Join Date: Sep 2004
Location: Guatemala
Posts: 22
explorador RepRank 0
Default Re: Strange Server Requests

Quote:
Originally Posted by wige View Post
Andy,

Alexa is essentially spyware. The only way they find out about URLs is if a user visits that URL while using any Alexa toolbar or browser plugin. If Alexa found out about a "private" URL, that is the most likely cause.

zero toolbars here
Reply With Quote
  #5 (permalink)  
Old 08-18-2009, 06:17 PM
WebProWorld Pro
 
Join Date: Mar 2005
Posts: 121
subsystems RepRank 2
Default Re: Strange Server Requests

I think I would take a look at the logs to see if the times of the events were about the same on those dates. Then I would change the system date and time to August 24th and see if any processes start up at those times. Browser windows, software updates, etc.

If you can adjust the date and time and get the events to show in the logs at will then you can experiment with a few things to give you more of a clue.
Try unplugging the network cable at that time and see if the logs change.
Try disabling your primary and secondary DNS. You'll know if they are hard coded IP or domain requests.
Try moving your system to a different IP.
This will take a bit of work but you could put a different system on that IP and see if it is some external event triggering it at that IP. Perhaps boot off a Live CD.

This may not reveal anything but the results should help to narrow down the possibilities.

It wouldn't take much to trigger all of these requests.
Reply With Quote
  #6 (permalink)  
Old 08-19-2009, 05:52 AM
WebProWorld Member
 
Join Date: Feb 2005
Location: UK (Telford)
Posts: 88
milonic RepRank 1
Default Re: Strange Server Requests

Sorry guys, it should have read - my server is RECEIVING, instead of MAKING requests.

Anyway, let me straighten things up. This box is on our local network and has an ip address of 192.168.0.2.

Now, the main router (connected to the Internet) has been told to block ALL incoming traffic to ALL except for one machine which is on 192.168.0.19 so the server should not be receiving any requests from external IP Addresses.

This seems to be working fine except for a weekly event that happens in the early hours of the morning between 4am and 6am - it's always a random time so I guess it's not a cron job running on our servers.

I only know about these requests because of the firewall logs on the server - the requests are being blocked but I'm confused and concerned as to how the hell they are getting to the server at all.

I do spot a weak point in that 192.168.0.19 is a Windows box running a CCTV Camera system with several ports open to all: 80,3389,4550,5550 - it's been checked though and nothing nasty is running on that server.

I'm currently stumped but will keep digging

Cheers,
Andy
__________________
http://www.milonic.com/
Free website menus for non profits and free licenses for Open Source Projects
Reply With Quote
  #7 (permalink)  
Old 08-19-2009, 05:59 AM
WebProWorld Member
 
Join Date: Feb 2005
Location: UK (Telford)
Posts: 88
milonic RepRank 1
Default Re: Strange Server Requests

UPDATE: I've just closed all open ports to the CCTV system.

Now absolutely nothing should be coming into our network from external sources - we shall see what happens next Monday - as the 24th is due for another hit.
__________________
http://www.milonic.com/
Free website menus for non profits and free licenses for Open Source Projects
Reply With Quote
  #8 (permalink)  
Old 08-19-2009, 10:14 AM
Moderator
WebProWorld Moderator
 
Join Date: Jun 2006
Location: United States
Posts: 2,648
wige RepRank 9
Default Re: Strange Server Requests

Does the main router have a firewall log you can check? Even if the system that takes requests was compromised, the system that is receiving packets should not show external addresses for the incoming traffic. If this was a response to an outgoing request, the traffic would be coming in on a randomly assigned listening port (probably in the 4000-6000 range), not port 80.
__________________
The best way to learn anything, is to question everything.
Reply With Quote
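
An added example, not part of any post in this thread: the checks suggested in posts #5 and #8 (do the hits recur at the same weekday and hour, and are they new connections or replies to outbound traffic), run over blocked-packet log lines. It assumes the server's firewall logs in the Linux netfilter `LOG` format and that the LAN is 192.168.0.0/24; the sample lines and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample in netfilter LOG format; none of these lines come from the thread.
SAMPLE = """\
Aug 10 04:12:31 devbox kernel: IN=eth0 OUT= SRC=203.0.113.14 DST=192.168.0.2 PROTO=TCP SPT=41822 DPT=80 WINDOW=5840 SYN URGP=0
Aug 17 05:47:02 devbox kernel: IN=eth0 OUT= SRC=203.0.113.14 DST=192.168.0.2 PROTO=TCP SPT=41990 DPT=80 WINDOW=5840 SYN URGP=0
Aug 17 05:47:09 devbox kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.168.0.2 PROTO=TCP SPT=80 DPT=51844 WINDOW=0 ACK RST URGP=0
Aug 17 05:47:10 devbox kernel: IN=eth0 OUT= SRC=192.168.0.19 DST=192.168.0.2 PROTO=TCP SPT=3391 DPT=80 WINDOW=8192 SYN URGP=0
"""
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed mask for the thread's 192.168.0.x LAN
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*?SRC=(\S+) .*?SPT=(\d+) DPT=(\d+) (.*)$")

def parse(line, year=2009):
    """Return one blocked TCP packet as a dict, or None for non-matching lines."""
    m = LINE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    flags = set(m.group(5).split()) & {"SYN", "ACK", "RST", "FIN"}
    return {"ts": ts, "src": m.group(2), "spt": int(m.group(3)),
            "dpt": int(m.group(4)), "flags": flags}

def classify(pkt):
    """Separate connection attempts from stray replies to outbound traffic."""
    if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
        return "new-inbound"   # the source is trying to open a connection to us
    if pkt["spt"] in (80, 443) and pkt["dpt"] >= 1024:
        return "late-reply"    # a web server answering a connection opened from our side
    return "other"

def summarize(text, year=2009):
    """Per source: LAN or external, packet kinds, and (weekday, hour) slots."""
    report = defaultdict(lambda: {"origin": None, "kinds": Counter(), "slots": set()})
    for line in text.splitlines():
        pkt = parse(line, year)
        if pkt is None:
            continue
        entry = report[pkt["src"]]
        entry["origin"] = "lan" if ipaddress.ip_address(pkt["src"]) in LAN else "external"
        entry["kinds"][classify(pkt)] += 1
        entry["slots"].add((DAYS[pkt["ts"].weekday()], pkt["ts"].hour))
    return report

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE).items()):
        print(src, info["origin"], dict(info["kinds"]), sorted(info["slots"]))
```

Run against the real log, the `slots` column shows whether the hits cluster on one weekday and hour range, and the `kinds` column shows whether a source is opening connections or only sending packets that belong to connections opened from the LAN side.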
  #9 (permalink)  
Old 08-19-2009, 11:09 AM
WebProWorld Member
 
Join Date: Feb 2005
Location: UK (Telford)
Posts: 88
milonic RepRank 1
Default Re: Strange Server Requests

Argh, just seen that the router is not logging to syslog because it's disabled on the server.

I've enabled it now - we'll see what the logs say on Monday then :)
__________________
http://www.milonic.com/
Free website menus for non profits and free licenses for Open Source Projects
Reply With Quote
  #10 (permalink)  
Old 08-19-2009, 04:33 PM
WebProWorld Pro
 
Join Date: Mar 2005
Posts: 121
subsystems RepRank 2
Default Re: Strange Server Requests

It might be a piece of spyware on a PC on your LAN. It may be spoofing its IPs so they look like regular requests from known sources. The spyware would know about the local server because LAN requests are going to that server. It's already behind the main firewall. Just a thought.
Reply With Quote
  #11 (permalink)  
Old 08-24-2009, 11:08 AM
WebProWorld Member
 
Join Date: Feb 2005
Location: UK (Telford)
Posts: 88
milonic RepRank 1
Default Re: Strange Server Requests

Well, it would seem that it's the Windows CCTV System that's the culprit.

After closing its open ports our servers have not received any strange requests from inside our network.

I'll open them up again and see if it does it again next week.

Now that I'm logging the router's every move, I just might find out what is going on.
__________________
http://www.milonic.com/
Free website menus for non profits and free licenses for Open Source Projects
Reply With Quote
  #12 (permalink)  
Old 08-24-2009, 02:00 PM
WebProWorld 1,000+ Club
WebProWorld MVP
 
Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,217
deepsand RepRank 9
Default Re: Strange Server Requests

Interesting; but, not surprising.

Boxes dedicated to data collection have long been overlooked by many as playing a role in matters of security.
Reply With Quote
All times are GMT -4.