Full Disclosure mailing list archives
Re: Strange HTTP requests
From: "Christian Swartzbaugh" <feofil () gmail com>
Date: Wed, 14 Jun 2006 16:23:07 -0700
My guess is that the person requesting these is building or using an HTTP Request library / plugin which generates random user agents. From CPAN this is true of PoCo::Client::HTTP which they may be using or something related.

http://search.cpan.org/~rcaputo/POE-Component-Client-HTTP-0.75/lib/POE/Component/Client/HTTP.pm

"If a UserAgent header is not present in the HTTP::Request, a random one will be used from those specified by the Agent parameter. If none are supplied, POE::Component::Client::HTTP will advertise itself to the server."

feofil

On 6/14/06, Brad Causey <bradcausey () gmail com> wrote:
Are all of the user strings the same?

On 6/14/06, Shannon Johnston <sjohnston () cavionplus com> wrote:
> It's all from one source IP, but the requests are for various files from
> various websites hosted on my servers. Different domains, different files,
> even different file types. It's making about 8-10 GET requests at the same
> time, then does it again almost exactly a minute later.
> I can't remember seeing anything like it before.
>
> SJ
>
> On Wed, 2006-06-14 at 22:31 +0200, php0t wrote:
> > -----Original Message-----
> > From: Shannon Johnston
> > Sent: Wednesday, June 14, 2006 10:17 PM
> > To: full-disclosure () lists grok org uk
> > Subject: [Full-disclosure] Strange HTTP requests
> >
> > > I'm seeing a ton of HTTP requests in the following fashion:
> > >
> > > GET index.html - 80 - <ip address> HTTP/1.1 fuujcbjbGbagkmkGuj7kmgnebl
> > > +qekaf - - website.com 302 0 0 532 206 218
> > >
> > > The random string would normally be the user-agent. I can't help but
> > > think this is a bot of some sort.
> > >
> > > Anybody know of anything that would produce this?
> >
> > Are they all index.html requests? How often do you get them? From how
> > many different IP's?
> > It could be just a proxy or a firewall set up to change the user-agent
> > to some random string, but whether they're surfers or bots you can tell
> > by looking at all such lines - to me, an index.html alone doesn't tell
> > me much, maybe others have seen this though and know what it is.
> >
> > php0t
> > www.zorro.hu
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

--
-Brad Causey
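One way to check a web log for the pattern described in this thread (a single source IP, a User-Agent that never repeats and has no product token, requests spread over several hosted sites, bursts about a minute apart), as an added example that is not part of any poster's message. The date and time columns, the constructed sample lines, and the names `parse` and `suspicious_clients` are assumptions; the remaining field order follows the quoted log entry.

```python
import re
from collections import defaultdict

# Constructed sample lines: date and time are prepended (assumed), followed by
# the field order visible in the quoted entry. IPs are documentation addresses.
SAMPLE_LOG = """\
2006-06-14 20:15:01 GET /index.html - 80 - 192.0.2.10 HTTP/1.1 qpwkdnvbTyrhsGkq3lmzxcvhe+rtkwa - - site-a.example 302
2006-06-14 20:15:01 GET /img/logo.gif - 80 - 192.0.2.10 HTTP/1.1 zmxncbvLaksjdhGfg8qwertyu+plokm - - site-b.example 200
2006-06-14 20:15:01 GET /docs/a.pdf - 80 - 192.0.2.10 HTTP/1.1 hgfdsaPoiuytrGewq5mnbvcxz+lkjhg - - site-c.example 200
2006-06-14 20:16:02 GET /news.asp - 80 - 192.0.2.10 HTTP/1.1 wertyuiKjhgfdSazx7cvbnmlk+poiuy - - site-a.example 200
2006-06-14 20:15:30 GET /index.html - 80 - 198.51.100.7 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - - site-a.example 200
2006-06-14 20:17:12 GET /about.html - 80 - 198.51.100.7 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - - site-a.example 200
"""

FIELDS = "date time method uri query port user ip version agent cookie referer host status".split()
# Conventional agents start with a product/version token such as "Mozilla/4.0".
PRODUCT_TOKEN = re.compile(r"^[A-Za-z][\w.-]*/\d")

def parse(line):
    """Split one space-delimited log line into a dict, or None if it is too short."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) >= len(FIELDS) else None

def suspicious_clients(log_text, min_requests=3):
    """Return {ip: summary} for clients whose every request carries a new, token-less User-Agent."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        agents = [r["agent"] for r in recs]
        never_repeats = len(set(agents)) == len(agents)
        no_product = not any(PRODUCT_TOKEN.match(a) for a in agents)
        if len(recs) >= min_requests and never_repeats and no_product:
            per_minute = defaultdict(int)
            for r in recs:
                per_minute[r["time"][:5]] += 1  # bucket requests by HH:MM
            flagged[ip] = {"requests": len(recs),
                           "hosts": len({r["host"] for r in recs}),
                           "per_minute": dict(per_minute)}
    return flagged

if __name__ == "__main__":
    for ip, summary in suspicious_clients(SAMPLE_LOG).items():
        print(ip, summary)
```

The per-minute counts make the roughly one-minute repeat interval visible; a client behind a proxy that rewrites the User-Agent would also match, so the result is a lead to review rather than a verdict.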
Current thread:
- Strange HTTP requests Shannon Johnston (Jun 14)
- RE: Strange HTTP requests php0t (Jun 14)
- RE: Strange HTTP requests Shannon Johnston (Jun 14)
- Re: Strange HTTP requests Brad Causey (Jun 14)
- Re: Strange HTTP requests Christian Swartzbaugh (Jun 14)
- RE: Strange HTTP requests Shannon Johnston (Jun 14)
- RE: Strange HTTP requests php0t (Jun 14)