Strange web request

From: Nexus (nexusat_private-way.co.uk)
Date: Tue Feb 12 2002 - 09:17:18 PST

Next message: Johannes B. Ullrich: "Re: Strange web request"

Previous message: VanMeter, John: "Malicious web sites"
Next in thread: Johannes B. Ullrich: "Re: Strange web request"
Reply: Johannes B. Ullrich: "Re: Strange web request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi folks,
    Has anyone seen a request like this before ?   It's either a l33t0 trick
or some seriously broken code; since I've never seen this sequence before I
was curious of anyone else has.   This hit an sshd listening on port 80 btw,
source IP obviously changed ;-)

Cheers.

Feb  8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
Feb  8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification
'http://%a:%p/,HEAD /' from 1.2.3.4
Feb  8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
Feb  8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
Feb  8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification ''
from
1.2.3.4
Feb  8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for
1.2.3.4



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Johannes B. Ullrich: "Re: Strange web request"
Previous message: VanMeter, John: "Malicious web sites"
Next in thread: Johannes B. Ullrich: "Re: Strange web request"
Reply: Johannes B. Ullrich: "Re: Strange web request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 09:58:01 PST