Security Incidents mailing list archives

RE: GET x HTTP/1.0


From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Tue, 24 Jul 2001 11:31:05 -0400

If my memory serves me right, I was seeing these entries on my apache
servers at the same time as I was seeing the sadmin worm trying to do the
unicode traversals on my IIS boxes.  I believe it's a way to judge the
server running on the machine.  

For example,
From apache:
207.239.238.36 - - [12/Jul/2001:21:29:54 -0400] "GET x HTTP/1.0" 400 333

From IIS (the time on IIS is UTC):
01:29:55 207.239.238.36 - WEBMAIL01 GET /winnt/system32/cmd.exe 404 -
01:29:55 207.239.238.36 - WEBMAIL01 GET /winnt/system32/cmd.exe 404 -
01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%pc../winnt/system32/cmd.exe 403 -
01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%9v../winnt/system32/cmd.exe 403 -
01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%qf../winnt/system32/cmd.exe 403 -
01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%8s../winnt/system32/cmd.exe 403 -

The interesting thing was that I wasn't seeing these "GET x" logged on the
IIS boxes...  

I just ran a test. 
-----------------------------------------
GET x HTTP/1.1\r\n

HTTP/1.1 400 Bad Request\r\n
Server: Microsoft-IIS/4.0\r\n
Date: Tue, 24 Jul 2001 15:27:46 GMT\r\n

But nothing is logged.  
------------------------------------------
GET /x HTTP/1.1\r\n

HTTP/1.1 404 Object Not Found\r\n
Server: Microsoft-IIS/4.0\r\n
Date: Tue, 24 Jul 2001 15:28:18 GMT\r\n

This one logs an error:
15:28:18 10.1.1.62 - WEBMAIL01 GET /x 404 -
------------------------------------------

I find that IIS logging leaves much to be desired...

HTH

-Gary-

-----Original Message-----
From: Greg Owen [mailto:gowen () swynwyr com]
Sent: Monday, July 23, 2001 9:20 PM
To: incidents () securityfocus com
Subject: GET x HTTP/1.0



    Two of these showed up in my web server logs today:

202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328
202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328

inetnum              202.100.68.0 - 202.100.68.255
netname              FEITIAN-INTERNET-COMPANY
descr                Feitian Internet Company
descr                Lanzhou,Gansu
descr                China
country              CN

inetnum              202.99.64.0 - 202.99.127.255
netname              CHINANET-TJ
descr                CHINANET Tianjin province network
descr                Data Communication Division
descr                China Telecom
country              CN

    A quick Google search showed one other person wondering what it was and
commenting they mostly seemed to be China, and a bunch of server logs that
showed the same hit.

    Anybody know what this is?  The source makes me wonder.

--
        gowen -- Greg Owen -- gowen () swynwyr com
        79A7 4063 96B6 9974 86CA  3BEF 521C 860F 5A93 D66D
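The correlation Gary did by hand above (a malformed "GET x" on Apache from the same client IP, within a second or two, as encoded traversal probes against IIS) can be scripted against the logs directly. The following is an added example for this thread, not code posted by either author. It parses Apache combined-format lines and IIS W3C-extended lines in the field order shown in the thread, normalises both to UTC (Apache stamps carry an offset; IIS stamps are UTC with the date coming from a `#Date:` directive), flags request lines whose target is neither an absolute path, `*`, nor an absolute URI, and reports which of those clients also hit the IIS box with `..`/`cmd.exe` requests inside a time window. The log lines are the ones quoted in the thread, plus one constructed benign Apache line and constructed `#Date:` headers, since the thread shows IIS times only.

```python
"""Flag malformed "GET x"-style request lines in Apache logs and correlate them
by client IP with encoded-traversal / cmd.exe probes in IIS W3C-extended logs.
Added example for this thread; not code from either poster."""
import re
from datetime import datetime, timedelta, timezone

# Apache combined/common log: ip ident user [time] "request" status bytes
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# IIS W3C extended, field order as quoted in the thread:
# time c-ip cs-username s-computername cs-method cs-uri-stem sc-status sc-bytes
IIS_RE = re.compile(
    r'^(?P<time>\d\d:\d\d:\d\d) (?P<ip>\S+) (?P<user>\S+) (?P<host>\S+) '
    r'(?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# ".." followed by a separator or an encoding escape, or a direct cmd.exe request
SUSPECT_URI_RE = re.compile(r'\.\.(?:/|\\|%|\?%)|cmd\.exe', re.IGNORECASE)


def is_malformed_request(req):
    """True unless the line is 'METHOD target HTTP/x.y' with an origin-form (/...),
    asterisk-form (*) or absolute-URI target. 'GET x HTTP/1.0' fails this test."""
    parts = req.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return True
    target = parts[1]
    return not (target.startswith("/") or target == "*" or "://" in target)


def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    # Apache writes local time with an offset; convert so it lines up with IIS.
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ip": m["ip"], "utc": ts, "req": m["req"], "status": int(m["status"])}


def malformed_requests(lines):
    return [r for r in map(parse_apache, lines) if r and is_malformed_request(r["req"])]


def parse_iis(lines):
    """IIS entries carry only hh:mm:ss; the date comes from the most recent
    #Date: directive, and IIS logs in UTC (as Gary notes above)."""
    date, out = None, []
    for line in lines:
        if line.startswith("#Date:"):
            date = datetime.strptime(line.split(":", 1)[1].strip(), "%Y-%m-%d %H:%M:%S").date()
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Fields) and blanks
        m = IIS_RE.match(line)
        if not m or date is None:
            continue
        t = datetime.strptime(m["time"], "%H:%M:%S").time()
        out.append({"ip": m["ip"], "utc": datetime.combine(date, t, tzinfo=timezone.utc),
                    "uri": m["uri"], "status": int(m["status"])})
    return out


def correlate(apache_lines, iis_lines, window=timedelta(minutes=2)):
    """For each malformed Apache request, collect IIS traversal/cmd.exe probes from
    the same client IP within +/- window of it."""
    iis = [r for r in parse_iis(iis_lines) if SUSPECT_URI_RE.search(r["uri"])]
    hits = []
    for a in malformed_requests(apache_lines):
        related = [r for r in iis if r["ip"] == a["ip"] and abs(r["utc"] - a["utc"]) <= window]
        if related:
            hits.append({"ip": a["ip"], "apache_utc": a["utc"],
                         "iis_uris": [r["uri"] for r in related]})
    return hits


# Sample input: Apache lines from the thread plus one constructed benign line;
# IIS lines from the thread with constructed #Date: directives.
APACHE_LOG = [
    '207.239.238.36 - - [12/Jul/2001:21:29:54 -0400] "GET x HTTP/1.0" 400 333',
    '202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328',
    '202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328',
    '10.1.1.62 - - [24/Jul/2001:11:30:00 -0400] "GET /index.html HTTP/1.1" 200 1043',  # constructed
]
IIS_LOG = [
    "#Fields: time c-ip cs-username s-computername cs-method cs-uri-stem sc-status sc-bytes",
    "#Date: 2001-07-13 01:29:55",  # constructed: Apache's 21:29 -0400 is 01:29 UTC next day
    "01:29:55 207.239.238.36 - WEBMAIL01 GET /winnt/system32/cmd.exe 404 -",
    "01:29:55 207.239.238.36 - WEBMAIL01 GET /winnt/system32/cmd.exe 404 -",
    "01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%pc../winnt/system32/cmd.exe 403 -",
    "01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%9v../winnt/system32/cmd.exe 403 -",
    "01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%qf../winnt/system32/cmd.exe 403 -",
    "01:29:55 207.239.238.36 - WEBMAIL01 GET /scripts/..?%8s../winnt/system32/cmd.exe 403 -",
    "#Date: 2001-07-24 15:28:18",  # constructed
    "15:28:18 10.1.1.62 - WEBMAIL01 GET /x 404 -",
]

if __name__ == "__main__":
    for a in malformed_requests(APACHE_LOG):
        print(f"malformed request from {a['ip']} at {a['utc']:%Y-%m-%d %H:%M:%S} UTC: {a['req']!r}")
    for h in correlate(APACHE_LOG, IIS_LOG):
        print(f"{h['ip']}: 'GET x' on Apache at {h['apache_utc']:%H:%M:%S} UTC, "
              f"{len(h['iis_uris'])} IIS traversal/cmd.exe probe(s) within the window")
```

Run as-is it reports three malformed Apache requests and one cross-server correlation (207.239.238.36, six IIS probes one second after the Apache hit); Greg's two Chinese sources show up as malformed requests with no IIS side, which is exactly the situation his logs are in. Note the point Gary's test makes: the bare "GET x" itself never reaches the IIS log, so the Apache side is the only place this fingerprinting step leaves a trace.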


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
