Security Incidents mailing list archives
Re: Which webserver exploit is this?
From: Richard Bartlett <richard () DEOR CO UK>
Date: Mon, 24 Jul 2000 19:02:27 +0100
Hi, Could this be a scan by Robin Keir's Superscan? It's available at http://members.home.com/rkeir/software.html and is a nice enough port scanner (if noisy). If you look at the Port list setup, each port has a setting called 'Probe Text', which is designed to grab banners etc. by entering port specific date like HEAD commands. The setting for port 80 is; http://%a:%p/,HEAD /\r\n\r\n which seems to match up - you're correct that %a should be the IP address and %p the port, but I can't see how they managed to enter this without the parameters being filled - perhaps it is a misused script, or some really dumb cut'n'paste error. Richard -----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Michael Cook Sent: Sunday, July 23, 2000 9:42 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: Which webserver exploit is this? On Sat, 22 Jul 2000, Matthew Breitenstine wrote:
his.ip.net - - [16/Jul/2000:20:21:10 -0500] "http://%a:%p/,HEAD /" 501 -
I have a similar entry appearing several days ago. It accompanied a very noisy port scan (did a full connect scan to a wide range of ports on every IP). I figured it was a misconfigured script being executed by some k1ddi3z, with the %a and %p being substitute variables, like address and port. I'm curious if anyone else knows what it is. -- Michael Cook (michael () ink org) http://www2.ink.org/~michael/ Ignorance is bliss; log to /dev/null.
Current thread:
- Which webserver exploit is this? Jaap (Jul 22)
- <Possible follow-ups>
- Re: Which webserver exploit is this? The Incubus (Jul 24)
- Re: Which webserver exploit is this? Michael Cook (Jul 24)
- Re: Which webserver exploit is this? Richard Bartlett (Jul 24)
- Re: Which webserver exploit is this? bruj0 Gandalf (Jul 25)
- Which webserver exploit is this? CLEARY Tom <Con> (Jul 25)
- Re: Which webserver exploit is this? Fredrik Ostergren (Jul 26)