Full Disclosure mailing list archives

GET /M83A making rounds again?


From: "Michael Scheidell" <scheidell () secnap net>
Date: Sun, 21 Nov 2004 00:23:56 -0500

A google search for 'GET /M83A' finds lots of 'awstats' pages reporting
this, as well as some discussions, but no one seems to have an answer.

Is this a vulnerabilities scanning tool signature?
The preamble of a p2p file sharing network?

An attack against some undisclosed application?
Scan your logs, see what you get.

One of the latest comes from ip 193.84.40.199
(shown hitting 20 networks, 13000 times)

http://www.mynetwatchman.com/ListIncidentsbyIP.asp?IP=193.84.40.199

packet payload is:

IPv4: 193.84.40.199 -> xxx.xxx.xxx.xxx
      hlen=5 TOS=0 dlen=62 ID=37178 flags=2 offset=0 TTL=113 chksum=33442
TCP:  port=30668 -> dport: 80  flags=***AP*** seq=1601629704
      ack=907044503 off=5 res=0 win=65535 urp=0 chksum=65397
Payload:  length = 22

000 : 47 45 54 20 2F 4D 38 33 41 20 48 54 54 50 2F 31   GET /M83A HTTP/1
010 : 2E 30 0D 0A 0D 0A                                 .0....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
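
Added example (not part of the original post): one way to run the log check the post asks for, assuming Apache/NCSA "combined" format access logs. The sample log lines and their documentation-range addresses are constructed, and scan() and PROBE_PATH are names chosen here.

```python
import re
from collections import Counter

# Apache/NCSA "combined" log format (assumed; adjust for your server).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

PROBE_PATH = "/M83A"  # request target from the captured payload


def scan(lines):
    """Return (hits per source IP, hits that carried no Referer/User-Agent)."""
    per_ip, bare = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        parts = m.group("request").split()
        if len(parts) != 3 or parts[0] != "GET" or parts[1] != PROBE_PATH:
            continue
        ip = m.group("ip")
        per_ip[ip] += 1
        # The captured packet is 22 bytes: request line plus a blank line and
        # no headers, so a matching entry should log "-" for both fields.
        if m.group("referer") in (None, "-") and m.group("agent") in (None, "-"):
            bare[ip] += 1
    return per_ip, bare


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [21/Nov/2004:00:10:01 -0500] "GET /M83A HTTP/1.0" 404 289 "-" "-"',
    '192.0.2.10 - - [21/Nov/2004:00:10:05 -0500] "GET /M83A HTTP/1.0" 404 289 "-" "-"',
    '198.51.100.7 - - [21/Nov/2004:00:11:42 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Nov/2004:00:12:00 -0500] "GET /M83A HTTP/1.1" 404 289 "http://example.com/" "Mozilla/4.0"',
    '203.0.113.5 - - [21/Nov/2004:00:13:09 -0500] "GET /M83Axyz HTTP/1.0" 404 289 "-" "-"',
]

if __name__ == "__main__":
    per_ip, bare = scan(SAMPLE)
    for ip, n in per_ip.most_common():
        print(f"{ip}\t{n} request(s) for {PROBE_PATH}\t{bare[ip]} header-less")
```

The header-less count separates requests that match the captured packet exactly from ordinary clients that happened to request the same path.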

