Incidents
\x HTTP requests Nov 09 2006 03:51PM
Maxime Ducharme (mducharme cybergeneration com) (4 replies)
Re: \x HTTP requests Nov 10 2006 03:01PM
Richard Sammet (richard sammet googlemail com)
oh, i missed to send the reply to the list... so here it is ;)

++++++++++++++++++++++++++++++++++++++++++

hi maxime,

yes, it seems like someone trys to connect via ssl to a none ssl port.

if you try to connect to your apaches http port with openssl s_client
(openssl s_client -host $IP_ADDR -port $PORT) you will see something
like:

127.0.0.1 - - [09/Nov/2006:19:35:31 +0100] "\x80z\x01\x03\x01" 501 279
127.0.0.1 - - [09/Nov/2006:19:38:50 +0100] "\x80\x1c\x01" 501 277
127.0.0.1 - - [09/Nov/2006:19:38:52 +0100] "\x16\x03" 501 276
127.0.0.1 - - [09/Nov/2006:19:39:02 +0100] "\x16\x03\x01" 501 277

in your logfile. this depends on the ssl version and the cipher used.

but it could also be a ssl cipher check to find weak modes/ciphers in
your configuration.

~richie

On 11/9/06, Maxime Ducharme <mducharme (at) cybergeneration (dot) com [email concealed]> wrote:
>
> Hello list
>
> I see these HTTP request and I'm looking for more information :
>
> ...
> x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"
> x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03\x01" 200 8 "-" "-"
> x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03" 200 8 "-" "-"
> x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"
>
> Would it be someone attempting to send https request on my port 80 ?
>
> Any clue would be appreciated
>
> Have a nice day
>
> Maxime Ducharme
>
>
> ------------------------------------------------------------------------
------
> This List Sponsored by: Black Hat
>
> Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
> World renowned security experts reveal tomorrow's threats today. Free of
> vendor pitches, the Briefings are designed to be pragmatic regardless of your
> security environment. Featuring 36 hands-on training courses and 10 conference
> tracks, networking opportunities with over 2,500 delegates from 40+ nations.
>
> http://www.blackhat.com
> ------------------------------------------------------------------------
------
>
>

------------------------------------------------------------------------
------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------
------

[ reply ]
RE: \x HTTP requests Nov 09 2006 09:56PM
Maxime Ducharme (mducharme cybergeneration com)
RE: \x HTTP requests Nov 09 2006 09:03PM
ROPERT François (Francois ROPERT supinfo com)
Re: \x HTTP requests Nov 09 2006 08:53PM
Thierry Zoller (Thierry Zoller lu)


 

Privacy Statement
Copyright 2010, SecurityFocus