RE: GET x HTTP/1.0

From: Portnoy, Gary (gportnoyat_private)
Date: Tue Jul 24 2001 - 08:31:05 PDT

    If my memory serves me right, I was seeing these entries on my apache
    servers at the same time as I was seeing the sadmin worm trying to do the
    unicode traversals on my IIS boxes.  I believe it's a way to judge the
    server running on the machine.  
    
    For example,
    From apache:
    207.239.238.36 - - [12/Jul/2001:21:29:54 -0400] "GET x HTTP/1.0" 400 333
    
    From IIS (the time on IIS is UTC):
    01:29:55 207.239.238.36 - WEBMAIL01 GET /winnt/system32/cmd.exe 404 -
    01:29:55 207.239.238.36 - WEBMAIL01 GET /winnt/system32/cmd.exe 404 -
    01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%pc../winnt/system32/cmd.exe 403 -
    01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%9v../winnt/system32/cmd.exe 403 -
    01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%qf../winnt/system32/cmd.exe 403 -
    01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%8s../winnt/system32/cmd.exe 403 -
    
    The interesting thing was that I wasn't seeing these "GET x" logged on the
    IIS boxes...  
    
    I just ran a test. 
    -----------------------------------------
    GET x HTTP/1.1\r\n
    
    HTTP/1.1 400 Bad Request\r\n
    Server: Microsoft-IIS/4.0\r\n
    Date: Tue, 24 Jul 2001 15:27:46 GMT\r\n
    
    But nothing is logged.  
    ------------------------------------------
    GET /x HTTP/1.1\r\n
    
    HTTP/1.1 404 Object Not Found\r\n
    Server: Microsoft-IIS/4.0\r\n
    Date: Tue, 24 Jul 2001 15:28:18 GMT\r\n
    
    This one logs an error:
    15:28:18 10.1.1.62 - WEBMAIL01 GET /x 404 -
    ------------------------------------------
    
    I find that IIS logging leaves much to be desired...
    
    HTH
    
    -Gary-
    
    -----Original Message-----
    From: Greg Owen [mailto:gowenat_private]
    Sent: Monday, July 23, 2001 9:20 PM
    To: incidentsat_private
    Subject: GET x HTTP/1.0
    
    
    
        Two of these showed up in my web server logs today:
    
    202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328
    202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328
    
    inetnum              202.100.68.0 - 202.100.68.255
    netname              FEITIAN-INTERNET-COMPANY
    descr                Feitian Internet Company
    descr                Lanzhou,Gansu
    descr                China
    country              CN
    
    inetnum              202.99.64.0 - 202.99.127.255
    netname              CHINANET-TJ
    descr                CHINANET Tianjin province network
    descr                Data Communication Division
    descr                China Telecom
    country              CN
    
        A quick Google search showed one other person wondering what it was and
    commenting that they mostly seemed to be from China, and a bunch of server logs that
    showed the same hit.
    
        Anybody know what this is?  The source makes me wonder.
    
    --
            gowen -- Greg Owen -- gowenat_private
            79A7 4063 96B6 9974 86CA  3BEF 521C 860F 5A93 D66D
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
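The thread above makes two defender-relevant points: a request line without a leading slash ("GET x") is rejected with 400 by Apache but not logged at all by IIS 4.0, and the same source address showed up moments later probing IIS with encoded traversal paths, once the Apache timestamps (-0400) and the IIS timestamps (UTC) are put on a common clock. The following script is an added example written for this archive page, not code from either poster. It parses the Apache common-log and IIS log lines quoted in the thread, converts both to UTC, flags malformed request targets and traversal probes, and correlates hits per source address across the two servers. The IIS log date (2001-07-13, which IIS records in the file header rather than on each line), the one benign Apache line for 10.1.1.62, the traversal patterns and the correlation window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Log lines as quoted in the thread; the 10.1.1.62 Apache line is constructed as a benign control.
APACHE_LINES = [
    '207.239.238.36 - - [12/Jul/2001:21:29:54 -0400] "GET x HTTP/1.0" 400 333',
    '202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328',
    '10.1.1.62 - - [24/Jul/2001:11:28:18 -0400] "GET /x HTTP/1.1" 404 128',  # constructed
]
IIS_LINES = [
    '01:29:55 207.239.238.36 - WEBMAIL01 GET /winnt/system32/cmd.exe 404 -',
    '01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%pc../winnt/system32/cmd.exe 403 -',
]
# Assumed date of the IIS log file (IIS logs UTC and keeps the date in the file header).
IIS_LOG_DATE = datetime(2001, 7, 13, tzinfo=timezone.utc)

APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
IIS_RE = re.compile(r'^(?P<time>\d\d:\d\d:\d\d) (?P<ip>\S+) \S+ \S+ (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})')
# Assumed indicators of traversal / cmd.exe probing, matched case-insensitively against the target.
TRAVERSAL_RE = re.compile(r'(\.\./|%2e%2e|%c0%af|%c1%9c|/winnt/system32/cmd\.exe)', re.I)


def parse_apache(line):
    """Apache common log line -> event dict with a UTC timestamp, or None if it does not parse."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').astimezone(timezone.utc)
    parts = m['req'].split(' ')
    method = parts[0]
    target = parts[1] if len(parts) >= 2 else ''   # "GET x" keeps target 'x'; a bare "GET" yields ''
    return {'src': 'apache', 'ip': m['ip'], 'ts': ts, 'method': method,
            'target': target, 'status': int(m['status'])}


def parse_iis(line, log_date=IIS_LOG_DATE):
    """IIS log line (time only, UTC) -> event dict; the date comes from the file header argument."""
    m = IIS_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m['time'].split(':'))
    ts = log_date.replace(hour=h, minute=mi, second=s)
    return {'src': 'iis', 'ip': m['ip'], 'ts': ts, 'method': m['method'],
            'target': m['target'], 'status': int(m['status'])}


def classify(event):
    """Return the list of reasons an event is suspicious (empty list means benign)."""
    reasons = []
    t = event['target']
    # RFC-style request targets are an absolute path, an absolute URI, or '*'; anything else is malformed.
    if not (t.startswith('/') or t.lower().startswith('http://') or t == '*'):
        reasons.append('malformed request target (no leading slash)')
    if TRAVERSAL_RE.search(t):
        reasons.append('directory traversal / cmd.exe probe')
    return reasons


def correlate(events, window=timedelta(minutes=5)):
    """Group suspicious events by source IP and report whether they span several servers within the window."""
    by_ip = {}
    for e in events:
        reasons = classify(e)
        if reasons:
            by_ip.setdefault(e['ip'], []).append((e['ts'], e['src'], e['target'], reasons))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort()
        span = hits[-1][0] - hits[0][0]
        report[ip] = {'hits': len(hits),
                      'sources': sorted({h[1] for h in hits}),
                      'first_seen_utc': hits[0][0].isoformat(),
                      'within_window': span <= window}
    return report


def run_report():
    events = [parse_apache(l) for l in APACHE_LINES] + [parse_iis(l) for l in IIS_LINES]
    return correlate([e for e in events if e is not None])


if __name__ == '__main__':
    for ip, info in run_report().items():
        print(ip, info)
```

Because IIS 4.0 never writes the rejected "GET x" request to its log, the Apache (or proxy, or packet capture) side is the only place that request can be detected; the correlation above therefore keys on the source address, not on the request itself, and reports 207.239.238.36 as seen on both servers one second apart.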
    



    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 08:56:10 PDT