Security Incidents mailing list archives
Re: Strange web request
From: "Gene Barlow" <btraquer () yahoo com>
Date: Tue, 12 Feb 2002 19:34:11 -0700
That brings up a good point...I wasn't thinking about that when it occurred... but the scanner was the port scanner provided by LANGuard aka GFI (http://www.gfi.com)...

----- Original Message -----
From: "zeno" <bugtraq () cgisecurity net>
To: <btraquer () yahoo com>
Cc: <incidents () securityfocus com>
Sent: Tuesday, February 12, 2002 15:54
Subject: Re: Strange web request

> > I've seen this kind of request before and was able to reproduce it by doing
> > a port scan on the web server...
>
> Which port scanner sends a HEAD request? Odd.
>
> - zeno
>
> > Gene...
> >
> > ----- Original Message -----
> > From: "zeno" <bugtraq () cgisecurity net>
> > To: "Johannes B. Ullrich" <jullrich () sans org>
> > Cc: "Nexus" <nexus () patrol i-way co uk>; <incidents () securityfocus com>
> > Sent: Tuesday, February 12, 2002 11:02
> > Subject: Re: Strange web request
> >
> > > > Hm. I had somebody report similar traffic to dshield.org last week.
> > > > Some new toy? But in his case, it was actually directed at a web server.
> > > > Otherwise, the request was 'http://%s.%b/,HEAD'... exactly like that.
> > >
> > > well HEAD / HTTP/1.0 will grab the server version obviously. Perhaps a webbot
> > > that lost its way? Did anyone running a webserver get a different error code
> > > other than 200 or 404?
> > >
> > > - zeno () cgisecurity com
> > >
> > > > > Hi folks,
> > > > >
> > > > > Has anyone seen a request like this before? It's either a l33t0 trick
> > > > > or some seriously broken code; since I've never seen this sequence
> > > > > before I was curious if anyone else has. This hit an sshd listening on
> > > > > port 80 btw, source IP obviously changed ;-)
> > > > >
> > > > > Cheers.
> > > > >
> > > > > Feb 8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
> > > > > Feb 8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4
> > > > > Feb 8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
> > > > > Feb 8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
> > > > > Feb 8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4
> > > > > Feb 8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for 1.2.3.4
> > > > >
> > > > > ----------------------------------------------------------------------------
> > > > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > > > For more information on this free incident handling, management
> > > > > and tracking system please see: http://aris.securityfocus.com
> > > >
> > > > --
> > > > jullrich () sans org
> > > > Join http://www.DShield.org Distributed Intrusion Detection System
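
An added example, not written by any poster in this thread: one way to pull the rejected-banner lines out of an sshd log and tag those that look like HTTP or carry unexpanded placeholders such as %a and %p. The sample log is constructed from the lines quoted above plus one invented entry (5.6.7.8); the optional trailing "port N" in the pattern is an assumption about other sshd log formats.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd lines quoted in the thread.
SAMPLE_LOG = """\
Feb 8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
Feb 8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4
Feb 8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
Feb 8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4
Feb 8 07:02:10 wulfgar sshd[7590]: Bad protocol version identification 'GET / HTTP/1.0' from 5.6.7.8
"""

# The banner is matched greedily so a quote inside it does not cut it short.
BAD_ID = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<banner>.*)' "
    r"from (?P<src>\S+)(?: port \d+)?\s*$"
)
HTTP_HINT = re.compile(r"\b(?:HEAD|GET|POST|OPTIONS)\b|https?://", re.I)
# %a, %p, %s, %b style placeholders; skip URL percent-encoding such as %AF.
PLACEHOLDER = re.compile(r"%[a-zA-Z](?![0-9a-fA-F])")


def classify(banner):
    """Return the set of tags describing a rejected client banner."""
    if not banner:
        return {"empty"}
    tags = set()
    if HTTP_HINT.search(banner):
        tags.add("http")
    if PLACEHOLDER.search(banner):
        tags.add("unexpanded-template")
    return tags or {"other"}


def summarize(log_text):
    """Map each source address to the tags seen across its rejected banners."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = BAD_ID.search(line)
        if m:
            seen[m.group("src")] |= classify(m.group("banner"))
    return dict(seen)


if __name__ == "__main__":
    for src, tags in sorted(summarize(SAMPLE_LOG).items()):
        print(src, ",".join(sorted(tags)))
```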
Current thread:
- Strange web request Nexus (Feb 12)
- Re: Strange web request Johannes B. Ullrich (Feb 12)
- <Possible follow-ups>
- Re: Strange web request zeno (Feb 12)
- Re: Strange web request Gene Barlow (Feb 13)