
I spun up a new machine on Digital Ocean today which is pre-configured with a web environment. I made an initial request to the new site and found the following (IP address redacted) in my nginx access logs:

218.65.131.13 - - [16/Apr/2015:07:14:50 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
218.65.131.20 - - [16/Apr/2015:07:42:59 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
218.65.131.13 - - [16/Apr/2015:08:04:08 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
218.65.131.20 - - [16/Apr/2015:08:36:15 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

It's obvious that they somehow managed to sniff the request and look to have subsequently passed the request URL to the server 218.65.131.13 because the log also includes the non-standard port number I had used. I did a reverse IP lookup and found this IP to be owned by China Telecom, as shown here.

This is a bit troubling since I made the request from a hosted DigitalOcean server to another brand new DigitalOcean server.

I did a traceroute after the fact which didn't turn up anything interesting:

traceroute to 111.111.111.111 (111.111.111.111), 30 hops max, 60 byte packets
 1  162.243.160.253 (162.243.160.253)  0.459 ms  0.440 ms  0.417 ms
 2  198.211.111.70 (198.211.111.70)  0.407 ms  0.398 ms 198.211.111.66 (198.211.111.66)  0.797 ms
 3  xe-0-3-0-28.r05.nycmny01.us.bb.gin.ntt.net (204.2.241.49)  1.029 ms nyk-b2-link.telia.net (62.115.45.1)  0.705 ms  0.702 ms
 4  xe-0-1-0-34.r05.nycmny01.us.ce.gin.ntt.net (129.250.204.110)  1.631 ms nyk-bb2-link.telia.net (213.155.130.31)  0.752 ms xe-0-1-0-34.r05.nycmny01.us.ce.gin.ntt.net (129.250.204.110)  1.620 ms
 5  nyk-b3-link.telia.net (80.91.247.21)  1.234 ms 162.243.188.230 (162.243.188.230)  1.602 ms 162.243.188.242 (162.243.188.242)  1.869 ms
 6  digitalocean-ic-306497-nyk-b3.c.telia.net (62.115.45.6)  1.863 ms digitalocean-ic-306498-nyk-b3.c.telia.net (62.115.45.10)  1.588 ms example.com (111.111.111.111)  1.576 ms

Any suggestions on what I should be looking for in regard to tracking down how this request was leaked/shared, or whether there's a security breach somewhere?

Corey Ballou
  • If you're concerned with your IP being in the body, you might want to also remove your domain name from the traceroute output; there is also a nice [meta post](http://meta.serverfault.com/questions/963/what-information-should-i-include-or-obfuscate-in-my-posts/6063#6063) about what to obfuscate and how. – Reaces Apr 16 '15 at 13:22
  • @Reaces the domain is a replacement as well but I'll use the standard example.com just so people know. – Corey Ballou Apr 16 '15 at 13:26
  • Wait, where did I get ruby-mynew************.co from then? I can't see it in the edit history. However the domain pings back to DigitalOcean. I must be going blind. – Reaces Apr 16 '15 at 13:29

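Added example, not from the question or any answer: a defender-side check over nginx access logs that surfaces the pattern shown above. It flags request lines in absolute form (`GET http://host/path ...`), which ordinary clients only send to HTTP proxies, whose host is not one of the server's own names, and tallies them by source address. The sample log lines and the OWN_HOSTS set are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx "combined" log format, the format of the lines in the question.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Names/addresses this server legitimately answers for (constructed placeholder).
OWN_HOSTS = {"example.com", "111.111.111.111"}

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry, own_hosts=OWN_HOSTS):
    """Return a reason string if the entry looks like a proxy probe, else None.
    Absolute-form targets (scheme://host/...) are what a client sends to a proxy;
    one naming a host we do not serve means someone is testing us as a relay."""
    target = entry["target"]
    if not target.startswith(("http://", "https://")):
        return None
    host = urlsplit(target).hostname or ""
    return None if host in own_hosts else f"absolute-form request for foreign host {host}"

def find_probes(lines, own_hosts=OWN_HOSTS):
    """Return ([(src, foreign_host, status), ...], Counter of probes per source)."""
    flagged, by_src = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and classify(entry, own_hosts):
            flagged.append((entry["src"], urlsplit(entry["target"]).hostname, int(entry["status"])))
            by_src[entry["src"]] += 1
    return flagged, by_src

SAMPLE_LOG = [  # constructed lines in the same shape as the question's log
    '203.0.113.5 - - [16/Apr/2015:07:14:50 -0400] "GET http://203.0.113.5/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0)"',
    '198.51.100.9 - - [16/Apr/2015:07:20:01 -0400] "GET / HTTP/1.1" 200 612 "-" "curl/7.38.0"',
    '203.0.113.5 - - [16/Apr/2015:08:04:08 -0400] "GET http://203.0.113.5/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0)"',
    '198.51.100.9 - - [16/Apr/2015:08:30:00 -0400] "GET http://example.com/index.html HTTP/1.1" 200 612 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    flagged, by_src = find_probes(SAMPLE_LOG)
    for src, host, status in flagged:
        print(f"{src} asked us to fetch {host} (status {status})")
    print("probes per source:", dict(by_src))
```

Point it at a real access log with `find_probes(open("/var/log/nginx/access.log"))` after filling OWN_HOSTS with the server's actual names; an absolute-form request for the server's own name is left unflagged on purpose.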
0 Answers