Re: GET x HTTP/1.0

From: dr john halewood (johnat_private)
Date: Tue Jul 24 2001 - 08:22:34 PDT

  • Next message: Portnoy, Gary: "RE: GET x HTTP/1.0"

    On Tuesday 24 July 2001 02:19, Greg Owen wrote:
    >     Two of these showed up in my web server logs today:
    >
    > 202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328
    > 202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328
    
    I've seen a total of 61 of these requests, starting on 05/05/2001 and turning 
    up every few days thereafter, mostly coming from the apnic netblocks 202/8, 
    203/8, 210/8 and 211/8, but also some from 150.43/16 (a Japanese Technical 
    College) and a few from assorted US cable/DSL networks. I can't think of any 
    practical purpose for them, unless it's looking for traces of an as yet (to 
    me, anyway) undocumented worm. Another thing to note in the scans I've 
    discovered is that they've mostly been scanning netblocks: amongst other 
    things I look after a /27 netblock that has a number of web servers which 
    seem to have been scanned contiguously.
    
    cheers
    john
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 08:53:53 PDT