Security Incidents mailing list archives
RE: \x HTTP requests
From: "Maxime Ducharme" <mducharme () cybergeneration com>
Date: Thu, 9 Nov 2006 16:56:11 -0500
Found the culprit: SSL client trying to handshake SSL on port 80

Jeff Lake, Richard Sammet and Thierry Zoller gave me nice explanations

I have been able to reproduce these with
openssl s_client -connect y.y.y.y:80
(where y.y.y.y is our site IP)

log result :
y.y.y.z - - [09/Nov/2006:16:41:15 -0500] "\x80\x8c\x01\x03\x01" 200 14261 "-" "-"

this line shows no UA, no HTTP verb, ... only hex chars in request

running tcpdump, apache returns this string :
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>..... to /index.html not supported.<br />
</p>
</body></html>

without any HTTP header

neil : we still see a 200 response in logs but tcpdump shows apache did not return anything good

I'll take a deep look into Apache's config to see if we forgot any Listen 443 (thanks Robert for pointing it out)

nick : we do not run Squirrel

thanks all for explanations

Have a nice day

Maxime Ducharme

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Maxime Ducharme
Sent: November 9, 2006 10:51
To: incidents () securityfocus com
Subject: \x HTTP requests

Hello list

I see these HTTP requests and I'm looking for more information :

...
x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03\x01" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03" 200 8 "-" "-"
x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"

Would it be someone attempting to send https request on my port 80 ?

Any clue would be appreciated

Have a nice day

Maxime Ducharme

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today.
Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------
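As an added example (not part of the original post or thread), a small Python filter for the log pattern discussed above: it unescapes the request field of Apache access-log lines and flags those that begin with an SSLv3/TLS handshake record or an SSLv2-format ClientHello. The function names and the final sample line are constructed for illustration.

```python
import re

# client address and the quoted request field of an Apache access-log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)"')

def unescape(field):
    """Undo Apache's \\xHH escaping of non-printable request bytes."""
    parts = re.split(r"\\x([0-9a-fA-F]{2})", field)
    out = bytearray()
    for i, part in enumerate(parts):  # odd indexes are the captured hex pairs
        out += bytes([int(part, 16)]) if i % 2 else part.encode("latin-1", "replace")
    return bytes(out)

def version(b):
    # Assumption: a missing byte means the logged string ended early
    # (for example at a NUL byte), so the version is reported as unknown.
    names = {b"\x03\x00": "SSL 3.0", b"\x03\x01": "TLS 1.0"}
    return names.get(bytes(b), "unknown (%d byte(s) logged)" % len(b))

def classify(raw):
    """Return (kind, offered_version) for SSL/TLS handshake bytes, else None."""
    # SSLv3/TLS record layer: ContentType 0x16 = handshake, then major version 3.
    if raw[:2] == b"\x16\x03":
        return ("tls-record-handshake", version(raw[1:3]))
    # SSLv2-format record: high bit of byte 0 marks a 2-byte length header,
    # byte 2 is the message type (0x01 = CLIENT-HELLO), then the offered version.
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        return ("sslv2-format-client-hello", version(raw[3:5]))
    return None

def scan(lines):
    """Return (client, kind, offered_version) for every flagged log line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        verdict = classify(unescape(m.group(2))) if m else None
        if verdict:
            hits.append((m.group(1),) + verdict)
    return hits

SAMPLE = [  # first three lines are quoted from the post; the last is constructed
    r'x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"',
    r'x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03" 200 8 "-" "-"',
    r'y.y.y.z - - [09/Nov/2006:16:41:15 -0500] "\x80\x8c\x01\x03\x01" 200 14261 "-" "-"',
    r'y.y.y.9 - - [09/Nov/2006:16:42:00 -0500] "GET /index.html HTTP/1.0" 200 14261 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep="  ")
```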
Current thread:
- \x HTTP requests Maxime Ducharme (Nov 09)
- Re: \x HTTP requests Thierry Zoller (Nov 09)
- RE: \x HTTP requests ROPERT François (Nov 09)
- RE: \x HTTP requests Maxime Ducharme (Nov 09)
- Re: \x HTTP requests Richard Sammet (Nov 13)
- <Possible follow-ups>
- Re: \x HTTP requests Neil Dickey (Nov 09)