Security Incidents mailing list archives

Re: GET x HTTP/1.0

From: dr john halewood <john () frumious unidec co uk>
Date: Tue, 24 Jul 2001 16:22:34 +0100

On Tuesday 24 July 2001 02:19, Greg Owen wrote:

    Two of these showed up in my web server logs today:

202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328
202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328


I've seen a total of 61 of these requests, starting on 05/05/2001 and turning 
up every few days thereafter, mostly coming from the apnic netblocks 202/8, 
203/8, 210/8 and 211/8, but also some from 150.43/16 (a Japanese Technical 
College) and a few from assorted US cable/DSL networks. I can't think of any 
practical purpose for them, unless it's looking for traces of an as yet (to 
me, anyway) undocumented worm. Another thing to note in the scans I've 
discovered is that they've mostly been scanning netblocks: amongst other 
things I look after a /27 netblock that has a number of web servers which 
seem to have been scanned contiguously.

cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

GET x HTTP/1.0 Greg Owen (Jul 23)
- Re: GET x HTTP/1.0 Phil Sorber (Jul 24)
- Re: GET x HTTP/1.0 jlewis (Jul 24)
- Re: GET x HTTP/1.0 John (Jul 24)
  - Re: GET x HTTP/1.0 Seth Milder (Jul 24)
- Re: GET x HTTP/1.0 Ross Oldbury (Jul 24)
- Re: GET x HTTP/1.0 dr john halewood (Jul 24)
- Re: GET x HTTP/1.0 Patryk Chmielewski (Jul 24)
- <Possible follow-ups>
- RE: GET x HTTP/1.0 Portnoy, Gary (Jul 24)