Paul Jungwirth on 5 Apr 2018 08:06:17 -0700



[PLUG] More strange web traffic (was: Re: understanding Russian threats)


On Wed, Apr 4, 2018 at 5:13 PM, Calvin Morrison <mutantturkey@gmail.com> wrote:

    I for one embrace our new russian overlords! I am actually learning
    Russian on duolingo right now.

I saw some strange traffic on a machine last week, and I was wondering if anyone could suggest what it was about?

My nginx config had a block to redirect http over to https, like this:

    server {
      listen 80;
      server_name example.com *.example.com;
      return 301 https://$host$request_uri;
    }

And I was getting tons of requests with full URLs, like you'd send to a proxy:

GET http://www.ioffer.com/i/new-fashion-fine-gold-bracelet-versaec-bracelet-641175733 HTTP/1.1

Because of the `$host` in my config, I was doing a redirect to the requested full URL.

Almost all the requests had Chinese-sounding domain names (so not Russians ;-) and seemed shopping-related. It didn't look like the usual scanning for /unpatched.php or whatever, but seemed to serve some other purpose. But what? (Note I was not actually proxying the requests, just responding with a 301.)

I wrote more details here: https://illuminatedcomputing.com/posts/2018/03/nginx_https_redirect/

If anyone has any ideas what the point of this traffic could be, I'd love to know!

--
Paul              ~{:-)
pj@illuminatedcomputing.com
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
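The behaviour Paul describes comes from `$host`: nginx fills it from the absolute URI in the request line when one is present, falling back to the Host header, so a proxy-style `GET http://www.ioffer.com/... HTTP/1.1` makes the redirect point at a third-party site. Below is an added example of the same redirect with a catch-all block in front of it; this is not configuration from the original post or the linked article, and it reuses the post's `example.com` names only for illustration.

```nginx
# Catch-all for port 80. Any request whose host (taken from the absolute
# URI in the request line for proxy-style requests, otherwise from the Host
# header) does not match a named server lands here. 444 closes the
# connection without sending a response, so nothing is reflected back.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Only requests for example.com or *.example.com are routed to this block,
# so $host is bounded to those names and the 301 can no longer be steered
# to an arbitrary host.
server {
    listen 80;
    server_name example.com *.example.com;
    return 301 https://$host$request_uri;
}
```

With a single `server` on port 80, nginx treats it as the default for that port, which is why the original block answered every host it was handed. Using `$server_name` instead of `$host` would also stop the reflection, but with a wildcard `server_name` it always expands to `example.com` and so drops the requested subdomain; the catch-all keeps the subdomain intact. In the access log, proxy-style requests are easy to spot because the `$request` field contains a full URL rather than a path, e.g. `"GET http://www.ioffer.com/... HTTP/1.1"`, so counting those lines is a quick way to measure how much of this traffic a host is receiving.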