Security Incidents mailing list archives
Re: Strange web request
From: zeno <bugtraq () cgisecurity net>
Date: Tue, 12 Feb 2002 13:02:24 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hm. I had somebody report similar traffic to dshield.org last week. Some new toy? But in his case, it was actually directed at a web server. Otherwise, the request was 'http://%s.%b/,HEAD'... exactly like that.
well HEAD / HTTP/1.0 will grab the server version obviously. Perhaps a webbot that lost its way? Did anyone running a webserver get a different error code other then 200 or 404? - zeno () cgisecurity com
Hi folks, Has anyone seen a request like this before ? It's either a l33t0 trick or some seriously broken code; since I've never seen this sequence before I was curious of anyone else has. This hit an sshd listening on port 80 btw, source IP obviously changed ;-) Cheers. Feb 8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787 Feb 8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4 Feb 8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281 Feb 8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282 Feb 8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4 Feb 8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for 1.2.3.4 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com- -- - ------- jullrich () sans org Join http://www.DShield.org Distributed Intrusion Detection System -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8aVpBwWQP+4im9DYRAiPvAKC1E9ZIn44cfcKnbRnXGC1qkCj7YACfX5Bp 4Igy4aP52APKvymjz/HsuP8= =QP4L -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Strange web request Nexus (Feb 12)
- Re: Strange web request Johannes B. Ullrich (Feb 12)
- <Possible follow-ups>
- Re: Strange web request zeno (Feb 12)
- Re: Strange web request Gene Barlow (Feb 13)