Security Incidents mailing list archives
Re: GET x HTTP/1.0
From: dr john halewood <john () frumious unidec co uk>
Date: Tue, 24 Jul 2001 16:22:34 +0100
On Tuesday 24 July 2001 02:19, Greg Owen wrote:
Two of these showed up in my web server logs today: 202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328 202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328
I've seen a total of 61 of these requests, starting on 05/05/2001 and turning up every few days thereafter, mostly coming from the apnic netblocks 202/8, 203/8, 210/8 and 211/8, but also some from 150.43/16 (a Japanese Technical College) and a few from assorted US cable/DSL networks. I can't think of any practical purpose for them, unless it's looking for traces of an as yet (to me, anyway) undocumented worm. Another thing to note in the scans I've discovered is that they've mostly been scanning netblocks: amongst other things I look after a /27 netblock that has a number of web servers which seem to have been scanned contiguously. cheers john ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- GET x HTTP/1.0 Greg Owen (Jul 23)
- Re: GET x HTTP/1.0 Phil Sorber (Jul 24)
- Re: GET x HTTP/1.0 jlewis (Jul 24)
- Re: GET x HTTP/1.0 John (Jul 24)
- Re: GET x HTTP/1.0 Seth Milder (Jul 24)
- Re: GET x HTTP/1.0 Ross Oldbury (Jul 24)
- Re: GET x HTTP/1.0 dr john halewood (Jul 24)
- Re: GET x HTTP/1.0 Patryk Chmielewski (Jul 24)
- <Possible follow-ups>
- RE: GET x HTTP/1.0 Portnoy, Gary (Jul 24)