That brings up a good point... I wasn't thinking about that when it occurred... but the scanner was the port scanner provided by LANGuard aka GFI (http://www.gfi.com)...

----- Original Message -----
From: "zeno" <bugtraqat_private>
To: <btraquerat_private>
Cc: <incidentsat_private>
Sent: Tuesday, February 12, 2002 15:54
Subject: Re: Strange web request

> > I've seen this kind of request before and was able to reproduce it by doing
> > a port scan on the web server...
>
> Which port scanner sends a HEAD request? Odd.
>
> - zeno
>
> > Gene...
> >
> > ----- Original Message -----
> > From: "zeno" <bugtraqat_private>
> > To: "Johannes B. Ullrich" <jullrichat_private>
> > Cc: "Nexus" <nexusat_private-way.co.uk>; <incidentsat_private>
> > Sent: Tuesday, February 12, 2002 11:02
> > Subject: Re: Strange web request
> >
> > > > Hm. I had somebody report similar traffic to dshield.org last week.
> > > > Some new toy? But in his case, it was actually directed at a web
> > > > server. Otherwise, the request was 'http://%s.%b/,HEAD'... exactly
> > > > like that.
> > >
> > > well
> > >
> > > HEAD / HTTP/1.0 will grab the server version obviously. Perhaps a webbot that
> > > lost its way? Did anyone running a webserver get a different error code
> > > other than 200 or 404?
> > >
> > > - zenoat_private
> > >
> > > > > Hi folks,
> > > > > Has anyone seen a request like this before? It's either a l33t0 trick
> > > > > or some seriously broken code; since I've never seen this sequence before I
> > > > > was curious if anyone else has. This hit an sshd listening on port 80 btw,
> > > > > source IP obviously changed ;-)
> > > > >
> > > > > Cheers.
> > > > >
> > > > > Feb 8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
> > > > > Feb 8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4
> > > > > Feb 8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
> > > > > Feb 8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
> > > > > Feb 8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4
> > > > > Feb 8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for 1.2.3.4
> > > > >
> > > > > ----------------------------------------------------------------------------
> > > > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > > > For more information on this free incident handling, management
> > > > > and tracking system please see: http://aris.securityfocus.com
> > > >
> > > > - --
> > > > - -------
> > > > jullrichat_private Join http://www.DShield.org
> > > > Distributed Intrusion Detection System
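One way to triage sshd entries like the ones quoted in this thread, as an added example that is not part of any poster's message: it pulls out the string sshd rejected as a version identification and labels it, so HTTP-style probes, leftover template tokens such as `%a`/`%p`, empty banners and silent timeouts can be grouped per source. The function names and labels are assumptions of this example; the sample input is the log excerpt from the original post.

```python
import re
from collections import defaultdict

# Log lines copied from the original post (source IP was already anonymised there).
SAMPLE_LOG = """\
Feb 8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
Feb 8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4
Feb 8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
Feb 8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
Feb 8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4
Feb 8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for 1.2.3.4
"""

BAD_ID = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification "
    r"'(?P<banner>.*)' from (?P<ip>\S+)")
TIMEOUT = re.compile(r"sshd\[\d+\]: fatal: Timeout before authentication for (?P<ip>\S+)")
HTTP_HINT = re.compile(r"\b(GET|HEAD|POST|OPTIONS)\b|https?://", re.I)
PLACEHOLDER = re.compile(r"%[a-z]")  # unexpanded template token such as %a or %p


def classify_banner(banner):
    """Label the line a client sent where sshd expected an SSH version string."""
    if banner == "":
        return "empty"  # client sent an empty identification line
    labels = []
    if HTTP_HINT.search(banner):
        labels.append("http")
    if PLACEHOLDER.search(banner):
        labels.append("unexpanded-template")
    return "+".join(labels) or "other"


def summarize(log_text):
    """Return {source_ip: [labels in log order]} for non-SSH traffic seen by sshd."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = BAD_ID.search(line)
        if m:
            events[m["ip"]].append(classify_banner(m["banner"]))
            continue
        m = TIMEOUT.search(line)
        if m:
            events[m["ip"]].append("silent-timeout")
    return dict(events)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```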
This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 08:59:44 PST