There is a very interesting write-up on SANS about an anomaly in some web logs. A lot of people are seeing what appears to be a scan for web proxies that appears to originate from an IP address registered to China Network Communications Group Corporation. When attempting to connect to 9966.org there was no HTTP server listening at post time.
So here is an example URL that might show up in your logs: http://check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html
Running the host command on the above hostname provides:
check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn has address 61.135.170.153
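The hostname in that URL carries the address and port being probed inside the DNS labels (check.&lt;probed-ip&gt;.v.&lt;port&gt;...proxy.scanner...), so the pattern is easy to pick out of a web log. The following script is an added example, not code from the post or from SANS: it parses Apache combined-format log lines (the sample lines are constructed, with addresses and a timestamp modelled on the post), extracts the probed address and port from the scanner hostname, and flags any probe the server answered with a 200, since a proxy-style absolute-URI request that succeeds is the case worth investigating. The field names and the sample entries are my assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines in Apache combined format. The scanner source and
# the probed address follow the post's example; the timestamp and the third,
# ordinary request are invented for illustration.
SAMPLE_LOG = """\
61.135.170.153 - - [10/Mar/2005:02:14:07 +0000] "GET http://check.216.109.136.53.v.80.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html HTTP/1.0" 404 292 "-" "Mozilla/4.0"
61.135.170.153 - - [10/Mar/2005:02:14:09 +0000] "GET http://check.216.109.136.53.v.8080.pw1.super.proxy.scanner.i.thu.cn/Provy_OK.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Mar/2005:02:15:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hostname shape seen in the post: check.<probed-ip>.v.<port>.<labels>.proxy.scanner.<domain>
# The labels between the port and "proxy.scanner" are allowed to vary (assumption).
SCANNER_HOST_RE = re.compile(
    r'check\.(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\.v\.(?P<port>\d{1,5})\.[\w.-]*proxy\.scanner\.',
    re.IGNORECASE,
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_proxy_probes(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose target carries the proxy-scanner hostname.

    A request line holding an absolute URI (http://host/...) is a proxy-style
    request; if the server answered it with 200, it may have forwarded the
    request, which is the "open proxy" condition the scanner is looking for.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = SCANNER_HOST_RE.search(rec["target"])
        if m is None:
            continue
        hits.append({
            "src": rec["src"],                  # where the scan came from
            "time": rec["ts"],
            "probed_ip": m.group("ip"),         # address the scanner is testing
            "probed_port": m.group("port"),     # port it wants the proxy to use
            "status": rec["status"],
            "proxied": rec["status"] == "200",  # 200 => worth a closer look
        })
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count probes per scanning source, so a single scanner stands out in a busy log."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["src"])] = counts.get(str(h["src"]), 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_proxy_probes(SAMPLE_LOG):
        flag = "CHECK" if h["proxied"] else "ok"
        print(f'{h["time"]} {h["src"]} probed {h["probed_ip"]}:{h["probed_port"]} -> {h["status"]} {flag}')
    print("probes per source:", summarize(find_proxy_probes(SAMPLE_LOG)))
```

Feed it a real access log with `find_proxy_probes(open(path).read())`; the 404 on the first sample line is the normal outcome for a server that is not proxying, while the 200 on the second is the one to look into, keeping in mind that some servers return 200 for any unknown host and a manual check is still needed.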
Hrm. 216.109.136.53 is an IP in Hoboken, NJ. That's about 6800 miles away from the host in China (61.135.170.153).
Now is it possible that the Chinese government is sweeping for open proxies? Or is this some industrious soul searching for a way out? When the URL for the block owner was entered into my browser I was redirected to what appears to be an ISP page. My Chinese is rusty non-existent. So, I can’t be certain.
UPDATE: This activity appears to be related to a scanning tool called “proxy_scanner” which was released in Chinese hacker circles in 2004. The site www.io8.org was used to distribute this tool, and traffic related to that site was sent in to us as well.
Source Link