[Dshield] Curious HTTP responses from evil web servers
Darren Spruell
phatbuckett at gmail.com
Sat Nov 3 01:57:12 GMT 2007
Can anyone clarify the meaning of the below content returned from this
HTTP server? Specifically I'm wondering about something I more
generally see returned in the content (not headers) of data sent back
to an HTTP request from a client that isn't what looks like
well-formed HTML or a binary stream.
----------------------------------------------------------------------
$ nc scanner.xmalwarealarm.com 80
GET /3/scan.php HTTP/1.1
Host: scanner.xmalwarealarm.com
HTTP/1.1 200 OK
Server: nginx/0.5.32
Date: Sat, 03 Nov 2007 09:36:41 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
6
preved
0
----------------------------------------------------------------------
(xmalwarealarm.com and virusprotectpro.com are RBN-connected malicious
domains according to rbnexploit.blogspot.com).
I see this kind of thing a lot with confirmed or suspected
malicious web sites in Russia and China, where usually a digit
precedes the opening <html> tag, or the web page ends with some
trailing digits or letters. Here's another:
----------------------------------------------------------------------
$ nc www.virusprotectpro.com 80
GET /db/db.php HTTP/1.1
Host: www.virusprotectpro.com
HTTP/1.1 302
Server: nginx/0.3.35
Date: Sat, 03 Nov 2007 01:50:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=10
Location: /db/dbver.dat
0
----------------------------------------------------------------------
What's up with the 0 here? When I first started seeing this I thought
it might have been agent command data (0 = nothing for now) or
similar, but now that I'm seeing it everywhere I'm curious if I'm just
reacting to something normal or if there's more at play.
--
Darren Spruell
phatbuckett at gmail.com
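The digits in both captures are HTTP/1.1 chunked transfer encoding (note the Transfer-Encoding: chunked header): each chunk is prefixed by its length in hex, and a lone 0 is the terminating chunk, so the first server sent a six-byte body "preved" and the 302 sent an empty body. The decoder below is an added example, not code from the post; the response it parses is a constructed reproduction of the first capture with the CRLF line endings restored.

```python
"""Decode HTTP/1.1 chunked transfer encoding (RFC 2616 section 3.6.1)."""
from typing import Dict, Tuple

# Constructed reproduction of the first capture in the post; the blank
# line and CRLF terminators that nc does not make visible are restored.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/0.5.32\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"6\r\n"        # chunk size in hex: 6 bytes follow
    b"preved\r\n"   # chunk data, terminated by CRLF
    b"0\r\n"        # last-chunk: size 0 ends the body
    b"\r\n"
)


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked body into the bytes the server actually sent.

    Each chunk is `<hex size>[;extensions]CRLF <data> CRLF`; a size of 0
    ends the body and may be followed by trailer headers and a final CRLF.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += body[pos:pos + size]
        pos += size + 2


def split_response(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Split a raw response into headers and body, decoding chunked bodies."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = decode_chunked(body)
    return headers, body
```

Running split_response over a captured response gives the decoded body, which is what to inspect for content; the size lines themselves carry no signal.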