Date: Thu Jun 15 00:23:17 2006
From: feofil at gmail.com (Christian Swartzbaugh)
Subject: Strange HTTP requests

My guess is that the person requesting these is building or using an
HTTP Request library / plugin which generates random user agents. From
CPAN this is true of PoCo::Client::HTTP which they may be using or
something related.
http://search.cpan.org/~rcaputo/POE-Component-Client-HTTP-0.75/lib/POE/Component/Client/HTTP.pm

"If a UserAgent header is not present in the HTTP::Request, a random
one will be used from those specified by the Agent parameter. If none
are supplied, POE::Component::Client::HTTP will advertise itself to
the server."

feofil

On 6/14/06, Brad Causey <bradcausey@...il.com> wrote:
> Are all of the user strings the same?
>
>
> On 6/14/06, Shannon Johnston <sjohnston@...ionplus.com> wrote:
> >
> It's all from one source IP, but the requests are for various files from
> various websites hosted on my servers. Different domains, different
> files, even different file types.
> It's making about 8-10 GET requests at the same time, then does it again
> almost exactly a minute later.
>
> I can't remember seeing anything like it before.
>
> SJ
>
>
> On Wed, 2006-06-14 at 22:31 +0200, php0t wrote:
> > -----Original Message-----
> > From: Shannon Johnston
> > Sent: Wednesday, June 14, 2006 10:17 PM
> > To: full-disclosure@...ts.grok.org.uk
> > Subject: [Full-disclosure] Strange HTTP requests
> >
> > > I'm seeing a ton of HTTP requests in the following fashion:
> > >
> > > GET index.html - 80 - <ip address> HTTP/1.1 fuujcbjbGbagkmkGuj7kmgnebl
> > > +qekaf - - website.com 302 0 0 532 206 218
> > > The random string would normally be the user-agent. I can't help but
> > > think this is a bot of some sort.
> > > Anybody know of anything that would produce this?
> >
> > Are they all index.html requests? How often do you get them? From how
> > many different IP's?
> > It could be just a proxy or a firewall set up to change the user-agent
> > to some random string, but whether they're surfers or bots you can tell
> > by looking at all such lines - to me, an index.html alone doesn't tell
> > me much, maybe others have seen this though and know what it is.
> >
> > php0t
> > www.zorro.hu
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> -Brad Causey
>
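
Added example (not part of the original thread or any poster's code): a log check for the pattern discussed above, bursts of GET requests from one source IP whose user-agents carry no product/version token and differ on every request. The log field order, the threshold of 8 (taken from the "8-10 GET requests" mentioned), the helper names and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Assumed log layout (constructed for this example, not the poster's exact format):
#   date time client-ip method uri host status user-agent
# As in IIS W3C logs, spaces inside the user-agent are written as '+'.
PRODUCT_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d")  # e.g. Mozilla/4.0, curl/7.15

def parse(line):
    date, time, ip, _method, _uri, host, _status, ua = line.split()
    return {"minute": f"{date} {time[:5]}", "ip": ip, "host": host, "ua": ua}

def suspicious_bursts(lines, min_requests=8):
    """Return {ip: [minutes]} where one IP sent a burst of requests whose
    user-agents are all different and none carries a product/version token."""
    buckets = defaultdict(list)
    for line in lines:
        if line.strip() and not line.startswith("#"):
            rec = parse(line)
            buckets[(rec["ip"], rec["minute"])].append(rec)
    hits = defaultdict(list)
    for (ip, minute), recs in sorted(buckets.items()):
        agents = [r["ua"] for r in recs]
        odd = [ua for ua in agents if not PRODUCT_TOKEN.search(ua)]
        if (len(recs) >= min_requests and len(odd) == len(agents)
                and len(set(agents)) == len(agents)):
            hits[ip].append(minute)
    return dict(hits)

def constructed_sample():
    """Constructed log lines: bursts from 192.0.2.10, a browser from 198.51.100.7."""
    lines = []
    for minute in ("20:15", "20:16"):
        for i in range(9):
            # Hash prefix stands in for a random user-agent string.
            ua = hashlib.sha256(f"{minute}-{i}".encode()).hexdigest()[:26]
            lines.append(f"2006-06-14 {minute}:0{i} 192.0.2.10 GET /f{i}.html "
                         f"site{i % 3}.example 302 {ua}")
    for i in range(9):
        lines.append(f"2006-06-14 20:15:1{i} 198.51.100.7 GET /p{i}.html "
                     "site0.example 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)")
    return lines

if __name__ == "__main__":
    print(suspicious_bursts(constructed_sample()))
```

An IP that shows up in consecutive minutes, as 192.0.2.10 does in the constructed sample, matches the "does it again almost exactly a minute later" behaviour described in the thread.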
