mailing list archives
GET /M83A making rounds again?
From: "Michael Scheidell" <scheidell () secnap net>
Date: Sun, 21 Nov 2004 00:23:56 -0500
A google search for 'GET /M83A' finds lots of 'awstats' pages reporting
this, as well as some discussions, but no on seems to have an answer.
Is this a vulnerabilities scanning tool signature?
The preamble of a p2p file sharing network?
An attack against some undisclosed application?
Scan your logs, see what you get.
One of the latest comes from ip 126.96.36.199
(shown hitting 20 networks, 13000 times)
packet payload is:
IPv4: 188.8.131.52 -> xxx.xxx.xxx.xxx
hlen=5 TOS=0 dlen=62 ID=37178 flags=2 offset=0 TTL=113
TCP: port=30668 -> dport: 80 flags=***AP*** seq=1601629704
ack=907044503 off=5 res=0 win=65535 urp=0 chksum=65397
Payload: length = 22
000 : 47 45 54 20 2F 4D 38 33 41 20 48 54 54 50 2F 31 GET /M83A HTTP/1
010 : 2E 30 0D 0A 0D 0A .0....
Full-Disclosure - We believe in it.
- GET /M83A making rounds again? Michael Scheidell (Nov 21)