On Sun, 21 Jul 2013, rotpoison throngnet wrote:
> I am hoping that some other exit relay operators can sniff for packets to destination port 8118
I set up a copy of nginx returning 404s on that port. After a few thousand requests, here are the hostnames it is trying to hit:
   4655 ib.adnxs.com
   2193 ad.globe7.com
   1705 ads.creafi-online-media.com
   1149 ad.tagjunction.com
    767 ad.yieldmanager.com
    259 an.z5x.net
    184 ad.z5x.net
    123 ad.xertive.com
    115 ib.reachjunction.com
     80 tags1.z5x.net
     72 ad.bharatstudent.com
     71 ad.reduxmedia.com
     23 ad.smxchange.com
     18 opt.cdxndirectopt.com
     10 www.xtendadvert.com
It might be worth digging up the security contact for at least the top few of those and giving them a heads up.
And the /24s that have sent at least 100 requests (of 811 unique IPs from 122 /24s):
   1182 23.19.54.0/24
    878 173.234.116.0/24
    645 208.115.124.0/24
    639 173.208.16.0/24
    585 23.19.130.0/24
    398 64.120.5.0/24
    397 64.31.43.0/24
    389 64.31.38.0/24
    376 64.31.63.0/24
    369 173.234.41.0/24
    362 108.62.236.0/24
    351 23.19.107.0/24
    328 173.234.33.0/24
    319 64.31.39.0/24
    291 108.62.192.0/24
    280 108.62.5.0/24
    272 173.208.83.0/24
    262 208.115.245.0/24
    238 69.162.66.0/24
    237 70.32.43.0/24
    229 216.245.219.0/24
    223 64.31.52.0/24
    191 64.120.77.0/24
    184 173.234.42.0/24
    180 64.120.60.0/24
    172 63.143.53.0/24
    172 23.19.76.0/24
    172 23.19.35.0/24
    172 173.234.188.0/24
    163 173.208.85.0/24
    159 208.115.200.0/24
    150 173.234.224.0/24
    149 173.234.247.0/24
    147 64.120.58.0/24
    143 74.63.232.0/24
    143 74.63.192.0/24
    137 108.171.248.0/24
    132 64.31.62.0/24
    120 108.62.40.0/24
    116 64.31.48.0/24
    114 173.234.153.0/24
    113 74.63.255.0/24
    113 108.177.183.0/24
    112 69.162.75.0/24
    108 208.115.246.0/24
    103 74.63.199.0/24
    100 63.143.59.0/24
These are very unlikely to have been spoofed, as they were from completed TCP connections.
-- Aaron
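As an added illustration of the tally Aaron describes (this is not his script or his nginx configuration, and nothing here comes from the original post), the Python below reads nginx access-log lines and counts requests per Host header and per source /24, then filters by a threshold the way the two lists above were produced. It assumes an nginx `log_format` that appends the `$host` value as a final quoted field after the User-Agent; the log lines embedded in it are constructed samples, and unparseable lines are skipped rather than aborting the run.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real sink-server traffic). Assumed log_format:
# '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent '
# '"$http_referer" "$http_user_agent" "$host"'
SAMPLE_LOG = """\
23.19.54.10 - - [21/Jul/2013:10:00:01 +0000] "GET /ttj?id=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0" "ib.adnxs.com"
23.19.54.11 - - [21/Jul/2013:10:00:02 +0000] "GET /ttj?id=2 HTTP/1.1" 404 0 "-" "Mozilla/5.0" "ib.adnxs.com"
173.234.116.5 - - [21/Jul/2013:10:00:03 +0000] "GET /st?ad_type=iframe HTTP/1.1" 404 0 "-" "Mozilla/5.0" "ad.globe7.com"
23.19.54.12 - - [21/Jul/2013:10:00:04 +0000] "GET / HTTP/1.1" 404 0 "-" "curl/7.30" "ad.globe7.com"
garbage line that does not parse
"""

# Matches the assumed format above; the trailing quoted field is the Host header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Return (client_ip, host_header), or None if the line is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("host")


def source_prefix(ip):
    """Map a client address to its /24 (IPv4) or /64 (IPv6); None if not a valid address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    plen = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def tally(lines):
    """Count requests per Host header and per source prefix; also collect unique client IPs."""
    hosts = Counter()
    prefixes = Counter()
    unique_ips = set()
    for raw in lines:
        parsed = parse_line(raw.rstrip("\n"))
        if parsed is None:
            continue  # malformed or differently formatted line: skip, keep going
        ip, host = parsed
        prefix = source_prefix(ip)
        if prefix is None:
            continue
        hosts[host] += 1
        prefixes[prefix] += 1
        unique_ips.add(ip)
    return hosts, prefixes, unique_ips


def at_least(counter, threshold):
    """Entries with at least `threshold` hits, most frequent first (ties keep first-seen order)."""
    return [(name, n) for name, n in counter.most_common() if n >= threshold]


if __name__ == "__main__":
    hosts, prefixes, ips = tally(SAMPLE_LOG.splitlines())
    print(f"{len(ips)} unique IPs from {len(prefixes)} prefixes")
    for name, n in at_least(hosts, 1):
        print(f"{n:7d} {name}")
    for name, n in at_least(prefixes, 1):
        print(f"{n:7d} {name}")
```

On a real sink server you would feed it the access log (`tally(open("/var/log/nginx/access.log"))`) and raise the thresholds; the per-prefix grouping is what lets you spot a handful of hosting ranges behind many individual addresses, as in the /24 list above.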