Security Incidents mailing list archives

Re: Strange web request


From: "Johannes B. Ullrich" <jullrich () sans org>
Date: Tue, 12 Feb 2002 13:09:03 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hm. I had somebody report similar traffic to dshield.org last week.
Some new toy? But in his case, it was actually directed at a web
server. Otherwise, the request was 'http://%s.%b/,HEAD'... exactly
like that.



Hi folks,
    Has anyone seen a request like this before?   It's either a l33t0 trick
or some seriously broken code; since I've never seen this sequence before I
was curious if anyone else has.   This hit an sshd listening on port 80 btw,
source IP obviously changed ;-)

Cheers.

Feb  8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
Feb  8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4
Feb  8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
Feb  8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
Feb  8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4
Feb  8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for 1.2.3.4



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



- -- 
- -------
jullrich () sans org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8aVpBwWQP+4im9DYRAiPvAKC1E9ZIn44cfcKnbRnXGC1qkCj7YACfX5Bp
4Igy4aP52APKvymjz/HsuP8=
=QP4L
-----END PGP SIGNATURE-----


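
Detection logic for the log pattern discussed in this thread, as an added example that is not part of the original posts: it scans sshd log text for "Bad protocol version identification" entries and classifies the client banner as empty, plain HTTP, or HTTP containing unexpanded `%x`-style placeholders. The sample log is constructed from the lines quoted above plus one invented entry (5.6.7.8); all function and variable names are hypothetical.

```python
import re

# Constructed sample: modelled on the sshd lines quoted in the thread,
# plus one invented plain-HTTP entry from 5.6.7.8 for contrast.
SAMPLE_LOG = """\
Feb  8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
Feb  8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4
Feb  8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
Feb  8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4
Feb  8 07:02:10 wulfgar sshd[7590]: Bad protocol version identification 'GET / HTTP/1.0' from 5.6.7.8
"""

# sshd logs whatever the client sent in place of an SSH version banner.
BAD_IDENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<banner>.*)' from (?P<src>\S+)\s*$"
)
# Signs that the client was speaking HTTP to a non-HTTP service.
HTTP_HINT = re.compile(r"\b(?:GET|HEAD|POST|OPTIONS|CONNECT)\b|https?://", re.I)
# Unexpanded template tokens such as %a, %p, %s, %b. The lookahead skips
# percent-encoded bytes that start with a hex letter (e.g. %AF).
PLACEHOLDER = re.compile(r"%[A-Za-z](?![0-9A-Fa-f])")


def classify(banner):
    """Label a rejected client banner."""
    if not banner:
        return "empty"
    if HTTP_HINT.search(banner):
        return "http-template" if PLACEHOLDER.search(banner) else "http"
    return "other"


def scan(log_text):
    """Return (source, banner, label) for every rejected banner in the log."""
    findings = []
    for line in log_text.splitlines():
        m = BAD_IDENT.search(line)
        if m:
            findings.append((m["src"], m["banner"], classify(m["banner"])))
    return findings


if __name__ == "__main__":
    for src, banner, kind in scan(SAMPLE_LOG):
        print(f"{src:15} {kind:14} {banner!r}")
```
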

