Full Disclosure mailing list archives
GET /M83A making rounds again?
From: "Michael Scheidell" <scheidell () secnap net>
Date: Sun, 21 Nov 2004 00:23:56 -0500
A google search for 'GET /M83A' finds lots of 'awstats' pages reporting this, as well as some discussions, but no on seems to have an answer. Is this a vulnerabilities scanning tool signature? The preamble of a p2p file sharing network? An attack against some undisclosed application? Scan your logs, see what you get. One of the latest comes from ip 193.84.40.199 (shown hitting 20 networks, 13000 times) http://www.mynetwatchman.com/ListIncidentsbyIP.asp?IP=193.84.40.199 packet payload is: IPv4: 193.84.40.199 -> xxx.xxx.xxx.xxx hlen=5 TOS=0 dlen=62 ID=37178 flags=2 offset=0 TTL=113 chksum=33442 TCP: port=30668 -> dport: 80 flags=***AP*** seq=1601629704 ack=907044503 off=5 res=0 win=65535 urp=0 chksum=65397 Payload: length = 22 000 : 47 45 54 20 2F 4D 38 33 41 20 48 54 54 50 2F 31 GET /M83A HTTP/1 010 : 2E 30 0D 0A 0D 0A .0.... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- GET /M83A making rounds again? Michael Scheidell (Nov 20)