Incidents
\x HTTP requests Nov 09 2006 03:51PM
Maxime Ducharme (mducharme cybergeneration com) (4 replies)
Re: \x HTTP requests Nov 10 2006 03:01PM
Richard Sammet (richard sammet googlemail com)
RE: \x HTTP requests Nov 09 2006 09:56PM
Maxime Ducharme (mducharme cybergeneration com)


Found the culprit

SSL client trying to handshake SSL on port 80

Jeff Lake, Richard Sammet and Thierry Zoller
gave me nice explanations

I have been able to reproduce these with
openssl s_client -connect y.y.y.y:80

(where y.y.y.y is our site IP)

log result :
y.y.y.z - - [09/Nov/2006:16:41:15 -0500] "\x80\x8c\x01\x03\x01" 200 14261 "-" "-"

this line shows no UA, no HTTP verb, ... only hex chars in request

running tcpdump, apache returns this string :
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>..... to /index.html not supported.<br />
</p>
</body></html>

without any HTTP header

neil : we still see a 200 response in logs but tcpdump shows
apache did not return anything good

I'll take a deep look into Apache's config to see if we forgot any
Listen 443 (thanks Robert for pointing it out)

nick : we do not run Squirrel

thanks all for explanations

Have a nice day

Maxime Ducharme

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On behalf of Maxime Ducharme
Sent: November 9, 2006 10:51
To: incidents (at) securityfocus (dot) com [email concealed]
Subject: \x HTTP requests

Hello list

I see these HTTP requests and I'm looking for more information :

...
x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03\x01" 200 8 "-" "-"
x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03" 200 8 "-" "-"
x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"

Would it be someone attempting to send https request on my port 80 ?

Any clue would be appreciated

Have a nice day

Maxime Ducharme

------------------------------------------------------------------------
----
--
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las
Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of
your
security environment. Featuring 36 hands-on training courses and 10
conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------
----
--
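
Added example, not part of the original post or the posters' own code: a Python scan that finds access-log entries like the ones above, where the logged "request" is really the first bytes of an SSL/TLS handshake sent to a plain-HTTP port. It assumes Apache common/combined log format and Apache's backslash escaping of non-printable bytes; the function names are hypothetical and the x.x.x.9 line is constructed for contrast.

```python
import re

# Apache common/combined log line; group 3 is the quoted request field.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(.)')
SIMPLE = {"n": 10, "r": 13, "t": 9}

def unescape(field):
    """Turn Apache's log escaping (backslash-x hex pairs etc.) back into bytes."""
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode("latin-1", "replace")
        hexval, other = m.groups()
        out.append(int(hexval, 16) if hexval else SIMPLE.get(other, ord(other) & 0xFF))
        pos = m.end()
    return bytes(out + field[pos:].encode("latin-1", "replace"))

def classify(raw):
    """Name the TLS/SSL framing at the start of a logged 'request', if any."""
    # TLS record header: content type 0x16 (handshake), then major version 0x03.
    if raw[:2] == b"\x16\x03":
        return "tls-handshake-record"
    # SSLv2-format header: high bit set on byte 0, remaining bits plus byte 1
    # are the length, byte 2 is the message type (0x01 = CLIENT-HELLO).
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        return "sslv2-format-client-hello"
    return None

def scan(lines):
    """Return (client, logged status, label) for each TLS-on-HTTP entry."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        label = classify(unescape(m.group(3))) if m else None
        if label:
            hits.append((m.group(1), m.group(4), label))
    return hits

# Log lines quoted in the post, plus one constructed ordinary request (x.x.x.9).
SAMPLE = [
    r'x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"',
    r'x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03\x01" 200 8 "-" "-"',
    r'x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"',
    r'y.y.y.z - - [09/Nov/2006:16:41:15 -0500] "\x80\x8c\x01\x03\x01" 200 14261 "-" "-"',
    r'x.x.x.9 - - [09/Nov/2006:16:42:00 -0500] "GET /index.html HTTP/1.1" 200 14261 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The status column is reported exactly as logged; as the post notes, the 200 in the log did not match what tcpdump showed on the wire.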


RE: \x HTTP requests Nov 09 2006 09:03PM
ROPERT François (Francois ROPERT supinfo com)
Re: \x HTTP requests Nov 09 2006 08:53PM
Thierry Zoller (Thierry Zoller lu)


 

Copyright 2010, SecurityFocus