I help run a network, and have noticed a number of users' devices hitting strange URLs - one for example is pasted below. All appear in the same format with a static IP and an encoded path.
For all of the URLs I've checked, they all seem to be operating a web server on port 2080, which is "Powered by wjas". I haven't found any useful information about this sort of web server.

    # curl http://184.108.40.206
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html>
    <head><title>403 Forbidden</title></head>
    <body bgcolor="white">
    <h1>403 Forbidden</h1>
    <p>You don't have permission to access the URL on this server. Sorry for the inconvenience.<br/>
    Please report this message and include the following information to us.<br/>
    Thank you very much!</p>
    <table>
    <tr>
    <td>URL:</td>
    <td>http://220.127.116.11:2080/</td>
    </tr>
    <tr>
    <td>Server:</td>
    <td>aserver010103188140.et2</td>
    </tr>
    <tr>
    <td>Date:</td>
    <td>2016/09/20 19:33:57</td>
    </tr>
    </table>
    <hr/>Powered by wjas</body>
    </html>

Does anyone have any information about what type of server these clients are connecting to, or what the data is in the encoded string, or what I should be looking out for on the client machines?