[Dshield] Curious HTTP responses from evil web servers

Tyler Reguly ht at computerdefense.org
Sat Nov 3 03:11:50 GMT 2007


Hey,

What you are seeing is the chunked encoding... defined by:
Transfer-Encoding: chunked

You can find a brief explanation here:
http://www.httpwatch.com/httpgallery/chunked/

As you can see there's no Content-Length defined in the header... chunked
encoding is used instead... www.google.ca uses this for example, as do many
other web sites. One primary reason is dynamic content, if you don't yet
know how much data you'll be sending. It can be used anytime though.

In your example:
HTTP/1.1 200 OK
Server: nginx/0.5.32
Date: Sat, 03 Nov 2007 09:36:41 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

6
preved
0

The 6 tells you that 6 bytes of data will be following (in this case
preved). At that point you would receive the length of the next chunk. In
this case there is no more data to follow, so 0 is returned, telling you
that the request is completed. Remember that the length is in hex, so in the
example of www.google.ca, the length is displayed as 'c3d'.

If you wish to avoid chunked encoding, simply send an HTTP/1.0 request. In
that case you may get the response that you are looking for...

C:\Users\Tyler>nc scanner.xmalwarealarm.com 80
GET /3/scan.php HTTP/1.0
Host: scanner.xmalwarealarm.com

HTTP/1.1 200 OK
Server: nginx/0.5.32
Date: Sat, 03 Nov 2007 11:05:36 GMT
Content-Type: text/html; charset=utf-8
Connection: close

preved

Tyler.

On 11/2/07, Darren Spruell <phatbuckett at gmail.com> wrote:
>
> Can anyone clarify the meaning of the below content returned from this
> HTTP server? Specifically I'm wondering about something I more
> generally see returned in the content (not headers) of data sent back
> to an HTTP request from a client that isn't what looks like
> well-formed HTML or binary stream.
>
> ----------------------------------------------------------------------
> $ nc scanner.xmalwarealarm.com 80
> GET /3/scan.php HTTP/1.1
> Host: scanner.xmalwarealarm.com
>
> HTTP/1.1 200 OK
> Server: nginx/0.5.32
> Date: Sat, 03 Nov 2007 09:36:41 GMT
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> Connection: keep-alive
>
> 6
> preved
> 0
>
> ----------------------------------------------------------------------
>
> (xmalwarealarm.com and virusprotectpro.com are RBN-connected malicious
> domains according to rbnexploit.blogspot.com).
>
> I see this kind of thing a lot with confirmed or suspected
> malicious web sites in Russia and China, where usually a digit is
> preceding an opening <html> tag or trailing after the web page with
> some trailing digits or letters. Here's another:
>
> ----------------------------------------------------------------------
> $ nc www.virusprotectpro.com 80
> GET /db/db.php HTTP/1.1
> Host: www.virusprotectpro.com
>
> HTTP/1.1 302
> Server: nginx/0.3.35
> Date: Sat, 03 Nov 2007 01:50:04 GMT
> Content-Type: text/html
> Transfer-Encoding: chunked
> Connection: keep-alive
> Keep-Alive: timeout=10
> Location: /db/dbver.dat
>
> 0
>
> ----------------------------------------------------------------------
>
> What's up with the 0 here? When I first started seeing this I thought
> it might have been agent command data (0 = nothing for now) or
> similar, but now that I'm seeing it everywhere I'm curious if I'm just
> reacting to something normal or if there's more at play.
>
> --
> Darren Spruell
> phatbuckett at gmail.com
>

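The decoding Tyler walks through above (hex chunk size, chunk data, a final 0 chunk) as a small parser, added here as an example and not part of the original thread. The two sample responses are reconstructed from the quoted nc sessions with CRLF line endings restored; the example also handles multiple chunks and chunk extensions, which the thread's responses do not show.

```python
# Added example: decode an HTTP/1.1 chunked body so the size lines are never
# mistaken for page content (the "digit before <html>" seen in the thread).

def split_head_body(raw: bytes) -> tuple[dict, bytes]:
    """Split a raw response into a lowercased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def decode_chunked(body: bytes) -> bytes:
    """Reassemble: <hex size>[;ext]CRLF <data>CRLF ... 0CRLF [trailers]CRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)  # ValueError if a size line is cut off
        size_line = body[pos:eol].split(b";", 1)[0].strip()  # drop extensions
        size = int(size_line, 16)  # sizes are hex, e.g. 'c3d' for google.ca
        pos = eol + 2
        if size == 0:
            break  # last chunk; anything after it is optional trailer headers
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    return bytes(out)


def response_body(raw: bytes) -> bytes:
    """Return the real entity body regardless of framing method."""
    headers, body = split_head_body(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return decode_chunked(body)
    return body  # Content-Length or Connection: close delimited body


# Constructed from the thread's first response (CRLFs restored)
SCAN_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.32\r\n"
                 b"Content-Type: text/html; charset=utf-8\r\n"
                 b"Transfer-Encoding: chunked\r\nConnection: keep-alive\r\n"
                 b"\r\n6\r\npreved\r\n0\r\n\r\n")
# Constructed from the second response: a 302 whose chunked body is empty
REDIRECT_RESPONSE = (b"HTTP/1.1 302\r\nTransfer-Encoding: chunked\r\n"
                     b"Location: /db/dbver.dat\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(response_body(SCAN_RESPONSE))      # b'preved'
    print(response_body(REDIRECT_RESPONSE))  # b''
```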