[Dshield] Strange http gets

Johannes B. Ullrich jullrich at sans.org
Mon Feb 13 12:36:45 GMT 2006

I would guess that you are dealing with some kind of anonymizing proxy,
in particular due to the fact that HTTP/1.0 is used (not 1.1). Also, the
'Accept' line is very limited. Could also be a badly behaved spider script.

Jeff Kell wrote:
> This ring a bell for anyone?:
>> GET http://www.utc.edu/[removed]/[removed]/about.htm HTTP/1.0
>> Accept: text/html, text/plain
>> Accept-Encoding: text/html, text/plain
>> Accept-Language: en
>> User-Agent: mpbjvtaqSafowhyinwbufvmyt
>> Host: www.utc.edu
> Note the weird User-Agent.  I've seen random strings appearing here.  I
> can't guess what they're up to... if they had a Referrer: tag I'd
> suspect link spamming, but there is no referrer.  I don't have access to
> the server access logs at the moment to see what else came from the same
> source, but thought I'd ask in advance if someone has seen this
> behavior.  Are these some little crude crawlers trying to harvest email
> addresses?  Or some other nefarious purpose I haven't thought of?
> Jeff

--
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.
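
Added example, not part of the original message or the list archive: a small Python check that tests a raw request head for the traits discussed in this thread (absolute URI on the request line as sent to a proxy, HTTP/1.0, media types in Accept-Encoding, a User-Agent that is one bare token, no Referer). The function name, trait labels and the browser-style comparison request are constructed for illustration.

```python
import re

# Content codings a client normally lists in Accept-Encoding.
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "compress", "br", "identity", "*"}
# Conventional User-Agents carry a "product/version" token.
PRODUCT_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d")

# The request quoted in the thread (path elided as on the page).
THREAD_REQUEST = """\
GET http://www.utc.edu/[removed]/[removed]/about.htm HTTP/1.0
Accept: text/html, text/plain
Accept-Encoding: text/html, text/plain
Accept-Language: en
User-Agent: mpbjvtaqSafowhyinwbufvmyt
Host: www.utc.edu
"""
# Constructed browser-style request, for comparison only.
BROWSER_REQUEST = """\
GET /about.htm HTTP/1.1
Host: www.example.com
Accept: text/html,application/xhtml+xml,*/*;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/1.5
Referer: http://www.example.com/
"""

def odd_traits(raw):
    """Return which of the thread's oddities a raw request head shows."""
    lines = raw.strip().splitlines()
    _method, target, version = lines[0].split()
    h = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        h[name.strip().lower()] = value.strip()
    traits = []
    if target.lower().startswith(("http://", "https://")):
        traits.append("absolute-uri")  # request line in proxy form
    if version == "HTTP/1.0":
        traits.append("http-1.0")
    codings = {c.split(";")[0].strip().lower()
               for c in h.get("accept-encoding", "").split(",") if c.strip()}
    if codings - KNOWN_CODINGS:
        traits.append("bad-accept-encoding")  # MIME types where codings belong
    ua = h.get("user-agent", "")
    if ua and " " not in ua and not PRODUCT_TOKEN.search(ua):
        traits.append("opaque-user-agent")  # one bare token, no product/version
    if "referer" not in h:
        traits.append("no-referer")
    return traits
```

Any single trait is weak on its own; the combination is what makes a request like the quoted one worth correlating against the access logs for the same source.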
