Date: Wed Jun 14 21:54:54 2006
From: bradcausey at gmail.com (Brad Causey)
Subject: Strange HTTP requests

Are all of the user strings the same?

On 6/14/06, Shannon Johnston <sjohnston@...ionplus.com> wrote:
>
> It's all from one source IP, but the requests are for various files from
> various websites hosted on my servers. Different domains, different
> files, even different file types.
> It's making about 8-10 GET requests at the same time, then does it again
> almost exactly a minute later.
>
> I can't remember seeing anything like it before.
>
> SJ
>
>
> On Wed, 2006-06-14 at 22:31 +0200, php0t wrote:
> > -----Original Message-----
> > From: Shannon Johnston
> > Sent: Wednesday, June 14, 2006 10:17 PM
> > To: full-disclosure@...ts.grok.org.uk
> > Subject: [Full-disclosure] Strange HTTP requests
> >
> > > I'm seeing a ton of HTTP requests in the following fashion:
> > >
> > > GET index.html - 80 - <ip address> HTTP/1.1 fuujcbjbGbagkmkGuj7kmgnebl
> > > +qekaf - - website.com 302 0 0 532 206 218
> > > The random string would normally be the user-agent. I can't help but
> > > think this is a bot of some sort.
> > > Anybody know of anything that would produce this?
> >
> > Are they all index.html requests? How often do you get them? From how
> > many different IPs?
> > It could be just a proxy or a firewall set up to change the user-agent
> > to some random string, but whether they're surfers or bots you can tell
> > by looking at all such lines - to me, an index.html alone doesn't tell
> > me much, maybe others have seen this though and know what it is.
> >
> > php0t
> > www.zorro.hu
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
>


-- 
-Brad Causey
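
The questions raised in this thread (how many source IPs, how often, whether the agent strings repeat) can be answered from the log itself. The following is an added example, not part of any poster's message: it summarizes per client IP the per-minute bursts, the number of sites hit, and the variety of user-agent strings. The 9-field log layout, the sample lines, the burst threshold and the "product/version token" heuristic are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Heuristic (assumption): ordinary agents carry a product/version token, e.g. "Mozilla/4.0".
PRODUCT_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d")

def constructed_sample():
    """Constructed log lines: one bursting client plus one ordinary browser.
    Assumed fields: date time method uri port client-ip agent host status."""
    lines = []
    for minute in (1, 2, 3):
        for i in range(8):
            agent = f"xq{minute}k{i}bGzagkmkGu"  # constructed random-looking agent
            lines.append(f"2006-06-14 20:0{minute}:0{i} GET /f{i}.html 80 "
                         f"192.0.2.10 {agent} site{i % 3}.example 302")
    lines.append("2006-06-14 20:01:30 GET /index.html 80 198.51.100.7 "
                 "Mozilla/4.0+(compatible;+MSIE+6.0) site0.example 200")
    return lines

def summarize(lines, burst_size=8):
    """Per client IP: minute-long bursts, sites hit, and user-agent variety."""
    per_ip = defaultdict(list)
    for line in lines:
        date, time, _method, _uri, _port, ip, agent, host, _status = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        per_ip[ip].append((ts, agent, host))
    report = {}
    for ip, recs in per_ip.items():
        minutes = defaultdict(int)
        for ts, _agent, _host in recs:
            minutes[ts.replace(second=0)] += 1  # bucket requests by minute
        bursts = sorted(m for m, n in minutes.items() if n >= burst_size)
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        agents = {agent for _ts, agent, _host in recs}
        report[ip] = {
            "hosts": len({host for _ts, _agent, host in recs}),
            "bursts": len(bursts),
            "periodic": bool(gaps) and all(g == 60 for g in gaps),
            "distinct_agents": len(agents),
            "unstructured_agents": sum(1 for a in agents if not PRODUCT_TOKEN.search(a)),
        }
    return report

def suspects(report, min_bursts=2):
    """IPs with repeated bursts whose agent strings lack any product token."""
    return sorted(ip for ip, r in report.items()
                  if r["bursts"] >= min_bursts and r["unstructured_agents"] > 0)
```
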