On Tue, 26 Aug 2003 bugtraqat_private wrote:

> This is a perfectly valid http request. Opening up a raw connection to "vh.org" I see the following.
>
> Request
> GET / HTTP/1.0
> Host: vh.org

Valid yes. Suspicious, also yes. Any of the many client browsers, indeed many web spiders will at least send an Agent header. The sparse request alone does not equal hostile intent, I agree. However, the same user attempting to visit the URL "http://vh.org/" every five minutes, 24/7? Not normal behavior.

> I suspect #1 confidently. This would be something in your site configuration and not an attack, at least not with the information
> you provided below. I would read RFC 2616 for more information on HTTP 1.1 and how it works.

I am well aware of HTTP/1.1 and its workings, my configuration is by design, not accident.

Bill Carlson
--
Systems Administrator wcarlsonat_private    | Anything is possible,
Virtual Hospital http://www.vh.org/         | given time and money.
University of Iowa Hospitals and Clinics    | Opinions are mine, not my employer's.
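The two signals weighed in the message above (no Agent header, and the same client returning every five minutes) can be combined into one log check. This is an added example, not part of the original message; the Apache combined log layout, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Apache "combined" log layout is an assumption; the thread shows no log lines.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                  r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS = "%d/%b/%Y:%H:%M:%S %z"

def periodic_agentless(lines, min_hits=6, jitter=0.1):
    """Return {ip: period_seconds} for clients that send no User-Agent and
    whose requests arrive at a near-constant interval."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["ua"] not in ("", "-"):
            continue  # unparseable line, or the client identified itself
        hits[m["ip"]].append(datetime.strptime(m["ts"], TS))
    flagged = {}
    for ip, times in hits.items():
        if len(times) < min_hits:
            continue  # a sparse request on its own is not a signal
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= jitter * period for g in gaps):
            flagged[ip] = period
    return flagged

def sample_log():
    """Constructed log lines using documentation addresses, not data from the thread."""
    start = datetime.strptime("26/Aug/2003:10:00:00 -0500", TS)
    row = '{} - - [{}] "GET / HTTP/1.0" 200 5120 "-" "{}"'
    lines = []
    for i in range(8):
        # no User-Agent, every five minutes with a little drift
        t = start + timedelta(minutes=5 * i, seconds=i % 3)
        lines.append(row.format("192.0.2.10", t.strftime(TS), "-"))
        # same schedule, but the client sends a User-Agent
        lines.append(row.format("203.0.113.5", t.strftime(TS), "ExampleMonitor/1.0"))
    for off in (0, 40, 700, 730, 2000, 2100, 2600):
        # no User-Agent, irregular timing
        t = start + timedelta(seconds=off)
        lines.append(row.format("198.51.100.7", t.strftime(TS), "-"))
    return lines

if __name__ == "__main__":
    for ip, period in periodic_agentless(sample_log()).items():
        print(f"{ip}: no User-Agent, one request every ~{period:.0f}s")
```

Only the client that is both agentless and periodic is reported; either property alone is ignored, matching the point that the sparse request by itself proves nothing.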