Security Incidents mailing list archives
Re: \x HTTP requests
From: "Richard Sammet" <richard.sammet () googlemail com>
Date: Fri, 10 Nov 2006 16:01:47 +0100
oh, i missed sending the reply to the list... so here it is ;)

++++++++++++++++++++++++++++++++++++++++++

hi maxime,

yes, it seems like someone tries to connect via ssl to a non-ssl port.
if you try to connect to your apache's http port with openssl s_client
(openssl s_client -host $IP_ADDR -port $PORT)
you will see something like:

127.0.0.1 - - [09/Nov/2006:19:35:31 +0100] "\x80z\x01\x03\x01" 501 279
127.0.0.1 - - [09/Nov/2006:19:38:50 +0100] "\x80\x1c\x01" 501 277
127.0.0.1 - - [09/Nov/2006:19:38:52 +0100] "\x16\x03" 501 276
127.0.0.1 - - [09/Nov/2006:19:39:02 +0100] "\x16\x03\x01" 501 277

in your logfile. this depends on the ssl version and the cipher used.

but it could also be a ssl cipher check to find weak modes/ciphers in your configuration.

~richie

On 11/9/06, Maxime Ducharme <mducharme () cybergeneration com> wrote:
Hello list

I see these HTTP requests and I'm looking for more information:

...
x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03\x01" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03" 200 8 "-" "-"
x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"

Would it be someone attempting to send https requests on my port 80?

Any clue would be appreciated

Have a nice day

Maxime Ducharme

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------
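The byte prefixes discussed in this thread can be recognised mechanically in an access log. The following is an added example, not part of the original posts: it decodes Apache's `\xHH` escapes and labels request lines that begin like an SSLv2-format CLIENT-HELLO or an SSLv3/TLS handshake record. The function names and the final GET log line are constructed for the example.

```python
import re

# Constructed sample in Apache access-log format. The request strings are the
# ones quoted in this thread; the final GET line is added as a normal request.
SAMPLE_LOG = r'''127.0.0.1 - - [09/Nov/2006:19:35:31 +0100] "\x80z\x01\x03\x01" 501 279
127.0.0.1 - - [09/Nov/2006:19:38:50 +0100] "\x80\x1c\x01" 501 277
127.0.0.1 - - [09/Nov/2006:19:38:52 +0100] "\x16\x03" 501 276
x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"
127.0.0.1 - - [09/Nov/2006:19:40:00 +0100] "GET / HTTP/1.1" 200 512
'''

# client address, quoted request field (may contain backslash escapes), status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3})')

def unescape(field):
    """Turn the \\xHH escapes Apache writes for non-printable bytes back into bytes."""
    text = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), field)
    return text.encode('latin-1', errors='replace')

def classify(raw):
    """Return a label if the logged bytes look like the start of an SSL/TLS hello."""
    # SSLv3/TLS record header: content type 0x16 (handshake), major version 3.
    # The logged prefix can end before the minor version; report that as 'cut off'.
    if raw[:2] == b'\x16\x03':
        version = f'3.{raw[2]}' if len(raw) > 2 else 'cut off'
        return f'tls-handshake-record version={version}'
    # SSLv2-format hello: high bit set on a 2-byte length, then type 1 (CLIENT-HELLO),
    # then the offered version (3.1 means TLS 1.0).
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        version = f'{raw[3]}.{raw[4]}' if len(raw) >= 5 else 'cut off'
        return f'sslv2-client-hello length={length} version={version}'
    return None

def scan(log_text):
    """Return (client, status, label) for every line that carries a hello prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(unescape(m.group(2)))
        if label:
            hits.append((m.group(1), m.group(3), label))
    return hits

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Grouping the hits by client address and time separates a single stray HTTPS client from a source that sends many hellos in quick succession, which is what the cipher check mentioned in the reply would look like.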
Current thread:
- \x HTTP requests Maxime Ducharme (Nov 09)
- Re: \x HTTP requests Thierry Zoller (Nov 09)
- RE: \x HTTP requests ROPERT François (Nov 09)
- RE: \x HTTP requests Maxime Ducharme (Nov 09)
- Re: \x HTTP requests Richard Sammet (Nov 13)
- <Possible follow-ups>
- Re: \x HTTP requests Neil Dickey (Nov 09)