Security Incidents mailing list archives

Re: \x HTTP requests

From: "Richard Sammet" <richard.sammet () googlemail com>
Date: Fri, 10 Nov 2006 16:01:47 +0100

oh, i missed to send the reply to the list... so here it is ;)

++++++++++++++++++++++++++++++++++++++++++

hi maxime,

yes, it seems like someone trys to connect via ssl to a none ssl port.

if you try to connect to your apaches http port with openssl s_client
(openssl s_client -host $IP_ADDR -port $PORT) you will see something
like:

127.0.0.1 - - [09/Nov/2006:19:35:31 +0100] "\x80z\x01\x03\x01" 501 279
127.0.0.1 - - [09/Nov/2006:19:38:50 +0100] "\x80\x1c\x01" 501 277
127.0.0.1 - - [09/Nov/2006:19:38:52 +0100] "\x16\x03" 501 276
127.0.0.1 - - [09/Nov/2006:19:39:02 +0100] "\x16\x03\x01" 501 277

in your logfile. this depends on the ssl version and the cipher used.

but it could also be a ssl cipher check to find weak modes/ciphers in
your configuration.


~richie

On 11/9/06, Maxime Ducharme <mducharme () cybergeneration com> wrote:


Hello list

I see these HTTP request and I'm looking for more information :

...
x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03\x01" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03" 200 8 "-" "-"
x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"

Would it be someone attempting to send https request on my port 80 ?

Any clue would be appreciated

Have a nice day

Maxime Ducharme


------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------


------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.World renowned security experts reveal tomorrow's threats today. Free ofvendor pitches, the Briefings are designed to be pragmatic regardless of yoursecurity environment. Featuring 36 hands-on training courses and 10 conferencetracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------

Current thread:

\x HTTP requests Maxime Ducharme (Nov 09)
- Re: \x HTTP requests Thierry Zoller (Nov 09)
- RE: \x HTTP requests ROPERT François (Nov 09)
- RE: \x HTTP requests Maxime Ducharme (Nov 09)
- Re: \x HTTP requests Richard Sammet (Nov 13)
- <Possible follow-ups>
- Re: \x HTTP requests Neil Dickey (Nov 09)