Re: strange web traffic

From: Etaoin Shrdlu (shrdluat_private)
Date: Tue Aug 26 2003 - 09:27:17 PDT


    Pall Thayer wrote:
    > 
    > For the past week and a half or so, I've been noticing several strange
    > entries in my webserver access log. Although they appear harmless, the
    > volume of the requests worries me a bit. Here's what they look like:
    > 
    > 218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-"
    > "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    
    [...]
    
    > What makes them strange is that when my server receives a request for the
    > root file, it should result in five separate requests. A legitimate request
    > looks like this:
    
    [...]
    
    > The dodgy ones only appear once and another thing that makes them strange is
    > that aside from the IP number, they are all identical:
    > 
    > GET / HTTP/1.1" 200 686 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    
    Yep. Seen this. To remove your suspense, or at least to allay your
    curiosity, I can tell you that I've seen a large amount of this traffic,
    almost always directed at a machine that was running WinXP up until DefCon
    (August 1, 2003, for those that want exactitude). I enabled apache on it
    long enough to log, and got precisely this response.
    
    These probes would not have interested me, if it had not been that they
    seemed paired with the random nachia/blaster noise that so afflicts DSL
    space right now. Invariably, these machines are actually running a
    vulnerable copy of Win2k. I got bored and quit poking after that.
    Truthfully, is there such a thing as a non-vulnerable copy of anything
    microsoftian? Probably not.
    
    No, I didn't leave apache up. Yes, I was logging other things at the time
    (anyone who knows me at all knows that I tend to be watching the packet
    stream live; I'm my own favorite IDS). No, there are no other attempts. The
    machine is currently running OpenBSD 3.2 (it was the first CD that loaded
    cleanly on my laptop). I wonder if the responses would have been greater,
    or more complex, if my apache had claimed to be IIS?
    
    > Anyone have any info on this?
    
    Hoped that helped, at least in satisfying your curiosity.
    
    --
    In April 1951, Galaxy published C.M. Kornbluth's "The Marching Morons".
    The intervening years have proven Kornbluth right.
    
                   --Valdis Kletnieks
    
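The single-hit pattern discussed in this thread, as an added example that is not part of the original post or of anyone's server logs: a small Python script that parses Apache combined-format access log lines, flags source addresses whose entire footprint is one bare "GET /" with no referer and no follow-up fetches of page dependencies, and then groups those hits by every field except the IP and timestamp to show how uniform they are. The sample log lines are constructed here with RFC 5737 documentation addresses; the User-Agent string on the probe lines is the one quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, which is what the entries quoted in the thread use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
# 192.0.2.10 and 192.0.2.11 show the pattern the thread describes: one bare
# "GET /" each, identical apart from the source address, with no follow-up
# fetches. 198.51.100.7 is a normal browser visit that pulls the page's
# dependencies; 203.0.113.5 is a lone hit, but on a different page. The last
# line is deliberately malformed to exercise the parser's skip path.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.7 - - [26/Aug/2003:08:30:01 +0000] "GET / HTTP/1.1" 200 686 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624"
198.51.100.7 - - [26/Aug/2003:08:30:01 +0000] "GET /style.css HTTP/1.1" 200 1204 "http://www.example.org/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624"
198.51.100.7 - - [26/Aug/2003:08:30:02 +0000] "GET /logo.gif HTTP/1.1" 200 3321 "http://www.example.org/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624"
192.0.2.11 - - [26/Aug/2003:08:41:55 +0000] "GET / HTTP/1.1" 200 686 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
203.0.113.5 - - [26/Aug/2003:08:45:10 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
this line is not a log entry
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every non-blank line; return (entries, count_of_unparseable_lines)."""
    entries, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1
        else:
            entries.append(rec)
    return entries, bad


def find_lone_root_hits(entries):
    """IPs whose whole footprint is a single 'GET /' with no referer and no follow-up fetches.

    A browser rendering the front page comes back for its dependencies (CSS,
    images), normally with the page as referer; something that only wants to
    know whether port 80 answers never does. One-and-done GETs of the root are
    therefore the candidates. This is a heuristic: a visitor who bounces after
    one page, or a link checker, leaves the same trace.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    lone = set()
    for ip, hits in by_ip.items():
        if len(hits) == 1:
            h = hits[0]
            if h["method"] == "GET" and h["path"] == "/" and h["referer"] == "-":
                lone.add(ip)
    return lone


def identical_signatures(entries, ips):
    """Group the selected IPs' hits by everything except source IP and timestamp.

    Returns a Counter keyed by (method, path, proto, status, size, ua). Many
    distinct addresses collapsing onto one key is the 'identical aside from the
    IP number' fingerprint described in the thread: one client implementation
    behind many hosts rather than many unrelated visitors.
    """
    sig = Counter()
    for e in entries:
        if e["ip"] in ips:
            sig[(e["method"], e["path"], e["proto"], e["status"], e["size"], e["ua"])] += 1
    return sig


if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    lone = find_lone_root_hits(entries)
    print(f"{len(entries)} entries parsed, {bad} unparseable line(s) skipped")
    print("single-hit root requests from:", sorted(lone))
    for signature, n in identical_signatures(entries, lone).most_common():
        print(f"{n} x {signature}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents. A lone "GET /" is not by itself evidence of a worm; it is a filter that pulls out the candidates so they can be correlated with other telemetry, such as the concurrent scanning noise mentioned in the post, before anyone acts on them.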
    
    This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 16:46:52 PDT