Re: Strange web request

From: zeno (bugtraqat_private)
Date: Tue Feb 12 2002 - 10:02:24 PST


    > Hm. I had somebody report similar traffic to dshield.org last week.
    > Some new toy? But in his case, it was actually directed at a web
    > server. Otherwise, the request was 'http://%s.%b/,HEAD'... exactly
    > like that.
    
    well 
    
    HEAD / HTTP/1.0 will grab the server version obviously. Perhaps a webbot that
    lost its way? Did anyone running a webserver get a different error code
    other than 200 or 404?
    
    
    - zenoat_private
    
    
    > 
    > 
    > 
    > > Hi folks,
    > >     Has anyone seen a request like this before ?   It's either a l33t0 trick
    > > or some seriously broken code; since I've never seen this sequence before I
    > > was curious if anyone else has.   This hit an sshd listening on port 80 btw,
    > > source IP obviously changed ;-)
    > > 
    > > Cheers.
    > > 
    > > Feb  8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
    > > Feb  8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4
    > > Feb  8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
    > > Feb  8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
    > > Feb  8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4
    > > Feb  8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for 1.2.3.4
    > > 
    > > 
    > > 
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management 
    > > and tracking system please see: http://aris.securityfocus.com
    > > 
    > > 
    > 
    > - -- 
    > - -------
    > jullrichat_private                    Join http://www.DShield.org
    >                           Distributed Intrusion Detection System
    > 
    



    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 12:37:26 PST
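For anyone who wants to check their own logs for the pattern discussed in this thread, the following is an added example, not code from any of the posters. It scans sshd syslog lines for "Bad protocol version identification" entries and labels what the client sent instead of an SSH banner. The sample log is constructed from the lines quoted above, with the mail-wrapped entries rejoined, and the label names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sshd lines quoted in the thread
# (1.2.3.4 is the poster's placeholder source address).
SAMPLE_LOG = """\
Feb  8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
Feb  8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4
Feb  8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
Feb  8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
Feb  8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4
Feb  8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for 1.2.3.4
"""

BAD_IDENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<ident>.*)' from (?P<src>\S+)")
HTTP_METHOD = re.compile(r"\b(GET|HEAD|POST|OPTIONS|PUT|DELETE|CONNECT|TRACE)\b")
# Heuristic: a %<letter> token such as %a, %p, %s that is not the start of a
# percent-encoded byte (e.g. %af), i.e. a template the client never filled in.
PLACEHOLDER = re.compile(r"%[A-Za-z](?![0-9A-Fa-f])")

def classify(ident):
    """Label the first line a client sent to sshd instead of an SSH banner."""
    if ident == "":
        return "empty"
    tags = []
    if HTTP_METHOD.search(ident) or "http://" in ident.lower():
        tags.append("http")
    if PLACEHOLDER.search(ident):
        tags.append("unexpanded-template")
    return "+".join(tags) or "other"

def summarize(log_text):
    """Return {source: {label: count}} for every rejected identification string."""
    out = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = BAD_IDENT.search(line)
        if m:
            out[m["src"]][classify(m["ident"])] += 1
    return {src: dict(labels) for src, labels in out.items()}

if __name__ == "__main__":
    for src, labels in summarize(SAMPLE_LOG).items():
        print(src, labels)
```
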