[Dshield] Strange http gets

Johannes B. Ullrich jullrich at sans.org
Mon Feb 13 12:36:45 GMT 2006


I would guess that you are dealing with some kind of anonymizing proxy.
In particular due to the fact that HTTP/1.0 is used (not 1.1). Also, the
'Accept' line is very limited. Could also be a badly behaved spider script.


Jeff Kell wrote:
> This ring a bell for anyone?:
> 
>> GET http://www.utc.edu/[removed]/[removed]/about.htm HTTP/1.0
>> Accept: text/html, text/plain
>> Accept-Encoding: text/html, text/plain
>> Accept-Language: en
>> User-Agent: mpbjvtaqSafowhyinwbufvmyt
>> Host: www.utc.edu
>>   
> Note the weird User-Agent.  I've seen random strings appearing here.  I
> can't guess what they're up to... if they had a Referrer: tag I'd
> suspect link spamming, but there is no referrer.  I don't have access to
> the server access logs at the moment to see what else came from the same
> source, but thought I'd ask in advance if someone has seen this
> behavior.  Are these some little crude crawlers trying to harvest email
> addresses?  Or some other nefarious purpose I haven't thought of?
> 
> Jeff


--
---------
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
http://isc.sans.org
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.
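
The traits discussed in this thread (HTTP/1.0, a very limited Accept line, a random-looking User-Agent, no referrer) can be checked mechanically. The following is an added example, not part of the original posts: the indicator names, the thresholds, the absolute-URI check (the request form a client sends to a proxy) and the browser-style request are assumptions made for illustration.

```python
import re

# Assumed heuristic (not from the thread): one long letters-only token, no product/version.
OPAQUE_UA = re.compile(r"[A-Za-z]{16,}")

def parse_request(raw):
    """Split a raw HTTP request head into (target, version, headers)."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    _method, target, version = lines[0].split()
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return target, version, headers

def indicators(raw):
    """Return the names of the traits discussed in the thread that a request shows."""
    target, version, h = parse_request(raw)
    found = []
    if version == "HTTP/1.0":
        found.append("http-1.0")
    if target.lower().startswith(("http://", "https://")):
        found.append("absolute-uri")  # request form a client sends to a proxy
    accept = [t.strip() for t in h.get("accept", "").split(",") if t.strip()]
    if accept and len(accept) <= 2 and not any("*" in t for t in accept):
        found.append("narrow-accept")  # assumed threshold: at most two types, no wildcard
    if OPAQUE_UA.fullmatch(h.get("user-agent", "")):
        found.append("opaque-user-agent")
    if "referer" not in h:
        found.append("no-referer")
    return found

# Request quoted in the thread.
THREAD_REQUEST = """GET http://www.utc.edu/[removed]/[removed]/about.htm HTTP/1.0
Accept: text/html, text/plain
Accept-Encoding: text/html, text/plain
Accept-Language: en
User-Agent: mpbjvtaqSafowhyinwbufvmyt
Host: www.utc.edu
"""

# Constructed browser-style request for contrast (not from the thread).
BROWSER_REQUEST = """GET /about.htm HTTP/1.1
Host: www.example.edu
User-Agent: Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0
Accept: text/html,application/xhtml+xml,*/*;q=0.8
Referer: http://www.example.edu/
"""

if __name__ == "__main__":
    for label, req in (("thread", THREAD_REQUEST), ("browser", BROWSER_REQUEST)):
        print(label, indicators(req))
```

No single trait is conclusive on its own; the list is meant for ranking sources in an access log before looking at what else each one requested.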
