From: Gene Barlow (btraquer@yahoo.com)
Date: Tue Feb 12 2002 - 20:34:11 CST
That brings up a good point...I wasn't thinking about that when it
occurred... but the scanner was the port scanner provided by LANGuard aka
GFI (http://www.gfi.com)...
----- Original Message -----
From: "zeno" <bugtraq@cgisecurity.net>
To: <btraquer@yahoo.com>
Cc: <incidents@securityfocus.com>
Sent: Tuesday, February 12, 2002 15:54
Subject: Re: Strange web request
> >
> > I've seen this kind of request before and was able to reproduce it by doing
> > a port scan on the web server...
>
> Which port scanner sends a HEAD request? Odd.
>
> - zeno
>
>
> >
> > Gene...
> >
> >
> > ----- Original Message -----
> > From: "zeno" <bugtraq@cgisecurity.net>
> > To: "Johannes B. Ullrich" <jullrich@sans.org>
> > Cc: "Nexus" <nexus@patrol.i-way.co.uk>; <incidents@securityfocus.com>
> > Sent: Tuesday, February 12, 2002 11:02
> > Subject: Re: Strange web request
> >
> >
> > > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > >
> > > > Hm. I had somebody report similar traffic to dshield.org last week.
> > > > Some new toy? But in his case, it was actually directed at a web
> > > > server. Otherwise, the request was 'http://%s.%b/,HEAD'... exactly
> > > > like that.
> > >
> > > well
> > >
> > > HEAD / HTTP/1.0 will grab the server version obviously. Perhaps a webbot that
> > > lost its way? Did anyone running a webserver get a different error code
> > > other than 200 or 404?
> > >
> > >
> > > - zeno@cgisecurity.com
> > >
> > >
> > > >
> > > >
> > > >
> > > > > Hi folks,
> > > > > Has anyone seen a request like this before? It's either a l33t0 trick
> > > > > or some seriously broken code; since I've never seen this sequence before I
> > > > > was curious if anyone else has. This hit an sshd listening on port 80 btw,
> > > > > source IP obviously changed ;-)
> > > > >
> > > > > Cheers.
> > > > >
> > > > > Feb 8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787
> > > > > Feb 8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification 'http://%a:%p/,HEAD /' from 1.2.3.4
> > > > > Feb 8 06:45:36 wulfgar sshd[7583]: Connection from 1.2.3.4 port 2281
> > > > > Feb 8 06:45:36 wulfgar sshd[7584]: Connection from 1.2.3.4 port 2282
> > > > > Feb 8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4
> > > > > Feb 8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for 1.2.3.4
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ----------------------------------------------------------------------------
> > > > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > > > For more information on this free incident handling, management
> > > > > and tracking system please see: http://aris.securityfocus.com
> > > > >
> > > > >
> > > >
> > > > - --
> > > > - -------
> > > > jullrich@sans.org Join http://www.DShield.org
> > > > Distributed Intrusion Detection System
> > > >
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1.0.6 (GNU/Linux)
> > > > Comment: For info see http://www.gnupg.org
> > > >
> > > > iD8DBQE8aVpBwWQP+4im9DYRAiPvAKC1E9ZIn44cfcKnbRnXGC1qkCj7YACfX5Bp
> > > > 4Igy4aP52APKvymjz/HsuP8=
> > > > =QP4L
> > > > -----END PGP SIGNATURE-----
> > > >
> > > >
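The sshd log excerpt quoted in this thread records client banners that are not SSH at all. As an added example (not part of the original thread), one way to triage such "Bad protocol version identification" lines is sketched below. The label names and helper functions are this example's own, and the sample lines are constructed from the excerpt above.

```python
import re
from collections import Counter

# Message sshd logs when a client's first line is not an SSH banner.
BAD_IDENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<ident>.*)' from (?P<src>\S+)"
)
HTTP_METHOD = re.compile(r"\b(GET|HEAD|POST|OPTIONS|PUT|DELETE|TRACE|CONNECT)\b")
# printf-style placeholders the sending tool never filled in (%a, %p, %s, %b).
# Heuristic: a URL-encoded byte such as %af would also match.
PLACEHOLDER = re.compile(r"%[A-Za-z]")

def classify(ident):
    """Return a set of labels (names are this example's own) for one banner."""
    labels = set()
    if ident == "":
        labels.add("empty")  # client connected and sent nothing usable
    if HTTP_METHOD.search(ident) or ident.lower().startswith("http://"):
        labels.add("http-on-ssh")  # HTTP client talking to an SSH daemon
    if PLACEHOLDER.search(ident):
        labels.add("unexpanded-template")  # request template sent verbatim
    return labels or {"other"}

def triage(lines):
    """Yield (source, ident, labels) for each bad-identification log line."""
    for line in lines:
        m = BAD_IDENT.search(line)
        if m:
            yield m["src"], m["ident"], classify(m["ident"])

def summary(lines):
    """Count how often each label occurs across the given log lines."""
    counts = Counter()
    for _src, _ident, labels in triage(lines):
        counts.update(labels)
    return dict(counts)

# Constructed sample: lines from the thread's excerpt, unwrapped.
SAMPLE = [
    "Feb 8 06:41:55 wulfgar sshd[7582]: Connection from 1.2.3.4 port 1787",
    "Feb 8 06:41:55 wulfgar sshd[7582]: Bad protocol version identification "
    "'http://%a:%p/,HEAD /' from 1.2.3.4",
    "Feb 8 06:45:51 wulfgar sshd[7584]: Bad protocol version identification '' from 1.2.3.4",
    "Feb 8 06:55:41 wulfgar sshd[7583]: fatal: Timeout before authentication for 1.2.3.4",
]

if __name__ == "__main__":
    for src, ident, labels in triage(SAMPLE):
        print(src, repr(ident), sorted(labels))
    print(summary(SAMPLE))
```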