OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: zeno (bugtraqcgisecurity.net)
Date: Tue Feb 12 2002 - 12:02:24 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    >
    > Hm. I had somebody report similar traffic to dshield.org last week.
    > Some new toy? But in his case, it was actually directed at a web
    > server. Otherwise, the request was 'http://%s.%b/,HEAD'... exactly
    > like that.

    well

    HEAD / HTTP/1.0 will grab the server version obviously. Perhaps a webbot that
    lost its way? Did anyone running a webserver get a different error code
    other then 200 or 404?

    - zenocgisecurity.com

    >
    >
    >
    > > Hi folks,
    > > Has anyone seen a request like this before ? It's either a l33t0 trick
    > > or some seriously broken code; since I've never seen this sequence before I
    > > was curious of anyone else has. This hit an sshd listening on port 80 btw,
    > > source IP obviously changed ;-)
    > >
    > > Cheers.
    > >
    > > Feb 8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
    > > Feb 8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification
    > > 'http://%a:%p/,HEAD /' from 1.2.3.4
    > > Feb 8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
    > > Feb 8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
    > > Feb 8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification ''
    > > from
    > > 1.2.3.4
    > > Feb 8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for
    > > 1.2.3.4
    > >
    > >
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    > >
    > >
    >
    > - --
    > - -------
    > jullrichsans.org Join http://www.DShield.org
    > Distributed Intrusion Detection System
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.0.6 (GNU/Linux)
    > Comment: For info see http://www.gnupg.org
    >
    > iD8DBQE8aVpBwWQP+4im9DYRAiPvAKC1E9ZIn44cfcKnbRnXGC1qkCj7YACfX5Bp
    > 4Igy4aP52APKvymjz/HsuP8=
    > =QP4L
    > -----END PGP SIGNATURE-----
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com