-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hm. I had somebody report similar traffic to dshield.org last week.
Some new toy? But in his case, it was actually directed at a web
server. Otherwise, the request was 'http://%s.%b/,HEAD'... exactly
like that.

> Hi folks,
> Has anyone seen a request like this before ? It's either a l33t0 trick
> or some seriously broken code; since I've never seen this sequence before I
> was curious of anyone else has. This hit an sshd listening on port 80 btw,
> source IP obviously changed ;-)
>
> Cheers.
>
> Feb 8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
> Feb 8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification
> 'http://%a:%p/,HEAD /' from 1.2.3.4
> Feb 8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
> Feb 8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
> Feb 8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification ''
> from
> 1.2.3.4
> Feb 8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for
> 1.2.3.4
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

- --
- -------
jullrichsans.org Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8aVpBwWQP+4im9DYRAiPvAKC1E9ZIn44cfcKnbRnXGC1qkCj7YACfX5Bp
4Igy4aP52APKvymjz/HsuP8=
=QP4L
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]