[Dshield] Curious HTTP responses from evil web servers
Dr. Neal Krawetz
hf at hackerfactor.com
Sat Nov 3 15:07:08 GMT 2007
Hi Darren,
I was surprised the first time I saw this type of thing too...
They're using "chunked" transfer-encoding.
Chunked comes from HTTP/1.1 (RFC 2616).
Basically, CGI scripts could take a while to process data. Chunked
results allow feedback from the server in parts, so the browser won't
time out. (I'm sure there are other reasons for chunked data...)
Chunks contain 2 parts:
size of chunk [CR]
data
So:
6
preved
0
There are 6 bytes in this chunk, and the data is "preved".
The final "0" means "no more chunks".
Your 302 redirect example says "0" because there is no data.
-Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)
On Fri Nov 2 19:57:12 2007, Darren Spruell wrote:
>
> Can anyone clarify the meaning of the below content returned from this
> HTTP server? Specifically I'm wondering about something I more
> generally see returned in the content (not headers) of data sent back
> to an HTTP request from a client that isn't what looks like
> well-formed HTML or binary stream.
>
> ----------------------------------------------------------------------
> $ nc scanner.xmalwarealarm.com 80
> GET /3/scan.php HTTP/1.1
> Host: scanner.xmalwarealarm.com
>
> HTTP/1.1 200 OK
> Server: nginx/0.5.32
> Date: Sat, 03 Nov 2007 09:36:41 GMT
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> Connection: keep-alive
>
> 6
> preved
> 0
...
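
Added example (not part of the original post or thread): a small decoder for the chunked framing discussed above, useful when reading a raw capture such as the nc output. It follows RFC 2616 section 3.6.1, where the chunk size is a hexadecimal number and both the size line and the data end in CRLF; the function names and the SAMPLE bytes are constructed for illustration.

```python
HEX = b"0123456789abcdefABCDEF"

def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked message body; raise ValueError if malformed."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk-size line is not terminated by CRLF")
        # Anything after ';' on the size line is a chunk extension.
        field = body[pos:eol].split(b";", 1)[0].strip()
        if not field or any(c not in HEX for c in field):
            raise ValueError(f"bad chunk size: {field!r}")
        size = int(field, 16)          # sizes are hexadecimal, not decimal
        pos = eol + 2
        if size == 0:                  # last-chunk; optional trailers follow
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing CRLF after data")
        out += chunk
        pos += size + 2

def response_payload(raw: bytes) -> bytes:
    """Split a raw HTTP response and return its de-chunked body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        return decode_chunked(body)
    return body

# Constructed sample: the response quoted in this thread, with CRLF restored.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: nginx/0.5.32\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n"
          b"Transfer-Encoding: chunked\r\n"
          b"Connection: keep-alive\r\n\r\n"
          b"6\r\npreved\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(response_payload(SAMPLE))
```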