I spun up a new machine on DigitalOcean today which is pre-configured with a web environment. I made an initial request to the new site and found the following (IP address redacted) in my nginx access logs:
218.65.131.13 - - [16/Apr/2015:07:14:50 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
218.65.131.20 - - [16/Apr/2015:07:42:59 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
218.65.131.13 - - [16/Apr/2015:08:04:08 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
218.65.131.20 - - [16/Apr/2015:08:36:15 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
It's obvious that they somehow managed to sniff the request and look to have subsequently passed the request URL to the server 218.65.131.13, because the log also includes the non-standard port number I had used. I did a reverse IP lookup and found this IP to be owned by China Telecom, as shown here.
This is a bit troubling since I made the request from a hosted DigitalOcean server to another brand new DigitalOcean server.
I did a traceroute after the fact which didn't turn up anything interesting:
traceroute to 111.111.111.111 (111.111.111.111), 30 hops max, 60 byte packets
1 162.243.160.253 (162.243.160.253) 0.459 ms 0.440 ms 0.417 ms
2 198.211.111.70 (198.211.111.70) 0.407 ms 0.398 ms 198.211.111.66 (198.211.111.66) 0.797 ms
3 xe-0-3-0-28.r05.nycmny01.us.bb.gin.ntt.net (204.2.241.49) 1.029 ms nyk-b2-link.telia.net (62.115.45.1) 0.705 ms 0.702 ms
4 xe-0-1-0-34.r05.nycmny01.us.ce.gin.ntt.net (129.250.204.110) 1.631 ms nyk-bb2-link.telia.net (213.155.130.31) 0.752 ms xe-0-1-0-34.r05.nycmny01.us.ce.gin.ntt.net (129.250.204.110) 1.620 ms
5 nyk-b3-link.telia.net (80.91.247.21) 1.234 ms 162.243.188.230 (162.243.188.230) 1.602 ms 162.243.188.242 (162.243.188.242) 1.869 ms
6 digitalocean-ic-306497-nyk-b3.c.telia.net (62.115.45.6) 1.863 ms digitalocean-ic-306498-nyk-b3.c.telia.net (62.115.45.10) 1.588 ms example.com (111.111.111.111) 1.576 ms
Any suggestions on what I should be looking for with regard to tracking down how this request was leaked/shared, or whether there's a security breach somewhere?
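One detail worth pulling out of the quoted log entries is the shape of the request line itself: the target is an absolute URL (`GET http://218.65.131.13/intoIp.aspx?... HTTP/1.1`) rather than a path such as `GET /intoIp.aspx?... HTTP/1.1`. The absolute form is what an HTTP client sends when it believes it is talking to a forward proxy, and the 502 is the status nginx returned to that client. The following is an added example, not code from the original question, that parses nginx's default "combined" log format and flags proxy-style request lines (absolute-form targets and CONNECT) so they can be counted and attributed to source addresses. The sample log lines are constructed: the first is modelled on the entries quoted above, the other two use documentation-range addresses and are invented for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in nginx "combined" format. The first mirrors the
# entries quoted in the question; the other two are invented for contrast.
SAMPLE_LOG = """\
218.65.131.13 - - [16/Apr/2015:07:14:50 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
203.0.113.7 - - [16/Apr/2015:07:20:01 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.38.0"
198.51.100.9 - - [16/Apr/2015:07:21:44 -0400] "CONNECT example.net:443 HTTP/1.1" 400 166 "-" "-"
"""

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status
# $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return how the request target was expressed.

    'proxy-absolute': absolute-form target (http://host/path), as a client
                      sends to a forward proxy
    'proxy-connect':  CONNECT method, used to tunnel through a proxy
    'origin':         ordinary origin-form target (/path), a normal request
    """
    if entry["method"].upper() == "CONNECT":
        return "proxy-connect"
    if entry["target"].lower().startswith(("http://", "https://")):
        return "proxy-absolute"
    return "origin"


def find_proxy_requests(log_text):
    """Return one record per proxy-style request line found in log_text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind == "origin":
            continue
        # For absolute-form targets, record the host the client asked this
        # server to fetch from; for CONNECT the target is already host:port.
        if kind == "proxy-absolute":
            requested_host = urlsplit(entry["target"]).hostname or ""
        else:
            requested_host = entry["target"].rsplit(":", 1)[0]
        hits.append({
            "client": entry["client"],
            "kind": kind,
            "method": entry["method"],
            "requested_host": requested_host,
            # True when the client asked us to fetch from its own address,
            # as in the first quoted entry (218.65.131.13 -> 218.65.131.13).
            "requested_host_is_client": requested_host == entry["client"],
            "status": entry["status"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_proxy_requests(SAMPLE_LOG):
        print(hit)
```

Run it against the real access log with `find_proxy_requests(open("/var/log/nginx/access.log").read())`; grouping the returned records by `client` and `requested_host` shows at a glance which source addresses are sending proxy-form requests and which hosts they are asking for, which is the first thing to look at before concluding that anything was sniffed in transit.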