Security Incidents mailing list archives

RE: \x HTTP requests


From: "Maxime Ducharme" <mducharme () cybergeneration com>
Date: Thu, 9 Nov 2006 16:56:11 -0500

 

Found the culprit

SSL client trying to handshake SSL on port 80

Jeff Lake, Richard Sammet and Thierry Zoller
gave me nice explanations

I have been able to reproduce these with
openssl s_client -connect y.y.y.y:80

(where y.y.y.y is our site IP)

log result :
y.y.y.z - - [09/Nov/2006:16:41:15 -0500] "\x80\x8c\x01\x03\x01" 200 14261 "-" "-"

this line shows no UA, no HTTP verb, ... only hex chars in request

running tcpdump, apache returns this string :
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>..... to /index.html not supported.<br />
</p>
</body></html>

without any HTTP header

neil : we still see a 200 response in logs but tcpdump shows
apache did not return anything good

I'll take a deep look into Apache's config to see if we forgot any
Listen 443 (thanks Robert for pointing it out)

nick : we do not run Squirrel

thanks all for explanations

Have a nice day

Maxime Ducharme
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Maxime Ducharme
Sent: November 9, 2006 10:51
To: incidents () securityfocus com
Subject: \x HTTP requests

 
Hello list
 
I see these HTTP requests and I'm looking for more information :

... 
x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03\x01" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03" 200 8 "-" "-"
x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"
 
Would it be someone attempting to send https request on my port 80 ?
 
Any clue would be appreciated
 
Have a nice day
 
Maxime Ducharme


----------------------------------------------------------------------------
--
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las
Vegas. 
World renowned security experts reveal tomorrow's threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of
your 
security environment. Featuring 36 hands-on training courses and 10
conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations.


http://www.blackhat.com
----------------------------------------------------------------------------
--
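
Added example, not part of the original posts: a small Python scanner that decodes the \x-escaped request field of an Apache access log and flags entries whose first bytes look like a TLS/SSLv3 handshake record or an SSLv2-format ClientHello, the two patterns in the log lines quoted in this thread. The function names and the x.x.x.4 line are constructed for the example; the other sample lines are the ones from the messages above.

```python
import re

# Apache access-log line: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)')
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(.)', re.S)
SIMPLE = {'n': 10, 't': 9, 'r': 13, '\\': 92, '"': 34}

def unescape(field):
    """Turn Apache's \\xhh-escaped request field back into raw bytes."""
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        out.append(int(m.group(1), 16) if m.group(1) else SIMPLE.get(m.group(2), ord(m.group(2))))
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)

def classify(raw):
    """Name the handshake a request prefix looks like, or None for anything else."""
    # TLS/SSLv3 record header: content type 0x16 (handshake), major version 0x03.
    if len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03:
        return 'TLS/SSLv3 handshake record'
    # SSLv2-format record: high bit set in byte 0, 15-bit length, message type 1
    # (ClientHello), then major version 3 as in every sample in the thread.
    if len(raw) >= 4 and raw[0] & 0x80 and raw[2] == 0x01 and raw[3] == 0x03:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        return 'SSLv2-format ClientHello, record length %d' % length
    return None

def scan(lines):
    """Return (client, timestamp, verdict) for each log line that carries a handshake."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        verdict = classify(unescape(m.group(3))) if m else None
        if verdict:
            hits.append((m.group(1), m.group(2), verdict))
    return hits

# Sample input: three log lines from the thread plus one constructed ordinary request.
SAMPLE = [
    r'x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"',
    r'x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03\x01" 200 8 "-" "-"',
    r'y.y.y.z - - [09/Nov/2006:16:41:15 -0500] "\x80\x8c\x01\x03\x01" 200 14261 "-" "-"',
    r'x.x.x.4 - - [09/Nov/2006:16:42:00 -0500] "GET /index.html HTTP/1.0" 200 14261 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(*hit, sep=' | ')
```

The access log keeps only the first few bytes of the handshake, so the checks match on prefixes; printable bytes such as "m" (0x6d) or "|" (0x7c) appear unescaped and are the low byte of the SSLv2 record length.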


