Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Strange HTTP requests
From: "Christian Swartzbaugh" <feofil () gmail com>
Date: Wed, 14 Jun 2006 16:23:07 -0700

My guess is that the person requesting these is building or using a
HTTP Request library / plugin which generates random user agents. From
CPAN this is true of PoCo::Client::HTTP which they may be using or
something related.
http://search.cpan.org/~rcaputo/POE-Component-Client-HTTP-0.75/lib/POE/Component/Client/HTTP.pm

"If a UserAgent header is not present in the HTTP::Request, a random
one will be used from those specified by the Agent parameter. If none
are supplied, POE::Component::Client::HTTP will advertise itself to
the server."

feofil

On 6/14/06, Brad Causey <bradcausey () gmail com> wrote:
Are all of the user strings the same?


On 6/14/06, Shannon Johnston <sjohnston () cavionplus com> wrote:
>
It's all from one source IP, but the requests are for various files from
various websites hosted on my servers. Different domains, different
files, even different file types.
It's making about 8-10 GET requests at the same time, then does it again
almost exactly a minute later.

I can't remember seeing anything like it before.

SJ


On Wed, 2006-06-14 at 22:31 +0200, php0t wrote:
> -----Original Message-----
> From: Shannon Johnston
> Sent: Wednesday, June 14, 2006 10:17 PM
> To: full-disclosure () lists grok org uk
> Subject: [Full-disclosure] Strange HTTP requests
>
> > I'm seeing a ton of HTTP requests in the following fashion:
> >
> > GET index.html - 80 - <ip address> HTTP/1.1 fuujcbjbGbagkmkGuj7kmgnebl
> > +qekaf - - website.com 302 0 0 532 206 218
> > The random string would normally be the user-agent. I can't help but
> think this is a bot of some sort.
> > Anybody know of anything that would produce this?
>
> Are they all index.html requests? How often do you get them? From how
> many different IP's?
> It could be just a proxy or a firewall set up to change the user-agent
> to some random string, but whether they're surfers or bots you can tell
> by looking at all such lines - to me, an index.html alone doesn't tell
> me much, maybe others have seen this though and know what it is.
>
> php0t
> www.zorro.hu
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQBEkHKfjeRCqLPCFtoRAvK9AJ90xH45lNtgkt/W+CHmpg4kEBA8dACgw9hS
+tMv1fCDEZ61l7AVy6EZ1Ik=
=YGuc
-----END PGP SIGNATURE-----



_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
-Brad Causey

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault