Re: GET x HTTP/1.0

From: John (johnsat_private)
Date: Tue Jul 24 2001 - 22:02:31 PDT


    I get these all the time. I think this is a worm probing for HTTPd
    versions. I forget which worm in particular, but I am sure of this.
    I don't think this was publicized though.
    
    I got the same two probes from the same two hosts. Actually, they
    probe my HTTPd servers quite often.
    
    [Mon Jul 23 09:22:45 2001] [error] [client 168.160.233.104] Invalid URI in request GET x HTTP/1.0
    
    168.160.233.104 - - [23/Jul/2001:09:22:46 -0400] "GET x HTTP/1.0" 400 352
    211.137.65.157 - - [15/Jul/2001:17:59:17 -0400] "GET x HTTP/1.0" 400 352
    
    Greg Owen wrote:
    > 
    >     Two of these showed up in my web server logs today:
    > 
    > 202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328
    > 202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328
    > 
    > inetnum              202.100.68.0 - 202.100.68.255
    > netname              FEITIAN-INTERNET-COMPANY
    > descr                Feitian Internet Company
    > descr                Lanzhou,Gansu
    > descr                China
    > country              CN
    > 
    > inetnum              202.99.64.0 - 202.99.127.255
    > netname              CHINANET-TJ
    > descr                CHINANET Tianjin province network
    > descr                Data Communication Division
    > descr                China Telecom
    > country              CN
    > 
    >     A quick google search showed one other person wondering what it was and
    > commenting they mostly seemed to be china, and a bunch of server logs that
    > showed the same hit.
    > 
    >     Anybody know what this is?  The source makes me wonder.
    > 
    > --
    >         gowen -- Greg Owen -- gowenat_private
    >         79A7 4063 96B6 9974 86CA  3BEF 521C 860F 5A93 D66D
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    The events which transpired five thousand years ago; five 
    years ago or five minutes ago, have determined what will
    happen five minutes from now; five years from now or five
    thousand years from now. All history is a current event.
    - Dr John Henrik Clarke -
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 08:05:19 PDT
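Added example (not part of the original thread): one way to pull probes like the ones quoted above out of an Apache access log is to flag 400 responses whose request-target is neither origin-form ("/path"), absolute-form, nor "*", and then group clients by the exact request line so the same signature arriving from several hosts stands out. The first four sample lines are the ones posted in the thread; the two 192.0.2.x lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def is_malformed_target(request_line):
    """True if the request line has no usable request-target.

    CONNECT's authority-form (host:port) is also flagged, which is
    acceptable for a server that is not acting as a proxy.
    """
    parts = request_line.split(" ")
    if len(parts) not in (2, 3):   # 2 parts = HTTP/0.9 style "GET /"
        return True
    target = parts[1]
    if target == "*":
        return False
    return not (target.startswith("/") or bool(ABSOLUTE_URI.match(target)))

def find_probes(lines):
    """Map each malformed request line answered with 400 to {client: hits}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # blank line, error_log entry, or other non-CLF text
        client, _when, request, status, _size = m.groups()
        if status == "400" and is_malformed_target(request):
            hits[request][client] += 1
    return {req: dict(clients) for req, clients in hits.items()}

# Lines 1-4 are from the thread; lines 5-6 are constructed benign traffic.
SAMPLE_LOG = """\
168.160.233.104 - - [23/Jul/2001:09:22:46 -0400] "GET x HTTP/1.0" 400 352
211.137.65.157 - - [15/Jul/2001:17:59:17 -0400] "GET x HTTP/1.0" 400 352
202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328
202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328
192.0.2.10 - - [23/Jul/2001:12:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [23/Jul/2001:12:00:05 -0400] "GET /missing HTTP/1.0" 404 210
"""

if __name__ == "__main__":
    for request, clients in find_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{request!r}: {len(clients)} distinct clients")
        for client, count in sorted(clients.items()):
            print(f"  {client}  hits={count}")
```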