Re: Which webserver exploit is this?

[Richard Bartlett <richard () DEOR CO UK>]

Hi,

Could this be a scan by Robin Keir's Superscan?  It's available at
http://members.home.com/rkeir/software.html and is a nice enough port
scanner (if noisy).  If you look at the Port list setup, each port has a
setting called 'Probe Text', which is designed to grab banners etc. by
entering port specific date like HEAD commands.  The setting for port 80 is;

  http://%a:%p/,HEAD /\r\n\r\n

which seems to match up - you're correct that %a should be the IP address
and %p the port, but I can't see how they managed to enter this without the
parameters being filled - perhaps it is a misused script, or some really
dumb cut'n'paste error.

Richard


-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Michael Cook
Sent: Sunday, July 23, 2000 9:42 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Which webserver exploit is this?


On Sat, 22 Jul 2000, Matthew Breitenstine wrote:

> his.ip.net - - [16/Jul/2000:20:21:10 -0500] "http://%a:%p/,HEAD /" 501 -

I have a similar entry appearing several days ago.  It accompanied a very
noisy port scan (did a full connect scan to a wide range of ports on every
IP).  I figured it was a misconfigured script being executed by some
k1ddi3z, with the %a and %p being substitute variables, like address and
port.  I'm curious if anyone else knows what it is.

--
Michael Cook (michael () ink org) http://www2.ink.org/~michael/

Ignorance is bliss; log to /dev/null.