


Security Incidents: Re: \x HTTP requests

Re: \x HTTP requests

From: Richard Sammet <richard.sammet_at_googlemail.com>
Date: Fri, 10 Nov 2006 16:01:47 +0100

oh, i missed to send the reply to the list... so here it is ;)

++++++++++++++++++++++++++++++++++++++++++

hi maxime,

yes, it seems like someone tries to connect via ssl to a non-ssl port.

if you try to connect to your apache's http port with openssl s_client
(openssl s_client -host $IP_ADDR -port $PORT) you will see something
like:

127.0.0.1 - - [09/Nov/2006:19:35:31 +0100] "\x80z\x01\x03\x01" 501 279
127.0.0.1 - - [09/Nov/2006:19:38:50 +0100] "\x80\x1c\x01" 501 277
127.0.0.1 - - [09/Nov/2006:19:38:52 +0100] "\x16\x03" 501 276
127.0.0.1 - - [09/Nov/2006:19:39:02 +0100] "\x16\x03\x01" 501 277

in your logfile. this depends on the ssl version and the cipher used.

but it could also be an ssl cipher check to find weak modes/ciphers in
your configuration.

~richie

On 11/9/06, Maxime Ducharme <mducharme_at_cybergeneration.com> wrote:
>
> Hello list
>
> I see these HTTP requests and I'm looking for more information:
>
> ...
> x.x.x.1 - - [06/Nov/2006:17:33:23 -0500] "\x16\x03" 200 8 "-" "-"
> x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03\x01" 200 8 "-" "-"
> x.x.x.2 - - [07/Nov/2006:16:26:21 -0500] "\x80m\x01\x03" 200 8 "-" "-"
> x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"
>
> Would it be someone attempting to send https requests on my port 80?
>
> Any clue would be appreciated
>
> Have a nice day
>
> Maxime Ducharme
>
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Black Hat
>
> Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
> World renowned security experts reveal tomorrow's threats today. Free of
> vendor pitches, the Briefings are designed to be pragmatic regardless of your
> security environment. Featuring 36 hands-on training courses and 10 conference
> tracks, networking opportunities with over 2,500 delegates from 40+ nations.
>
> http://www.blackhat.com
> ------------------------------------------------------------------------------
>
>

Received on Nov 13 2006
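
An added example (not part of the original posts): a small Python scan that finds access-log request lines like the ones quoted in this thread and labels them as SSL/TLS handshake bytes arriving on a plain HTTP port. The sample log lines are constructed from the entries above; the function names and the combined-log layout matched by the regex are assumptions of this example.

```python
import re

# Constructed sample lines, modelled on the log entries quoted in this thread.
SAMPLE_LOG = r'''
127.0.0.1 - - [09/Nov/2006:19:35:31 +0100] "\x80z\x01\x03\x01" 501 279
127.0.0.1 - - [09/Nov/2006:19:38:50 +0100] "\x80\x1c\x01" 501 277
127.0.0.1 - - [09/Nov/2006:19:38:52 +0100] "\x16\x03" 501 276
127.0.0.1 - - [09/Nov/2006:19:39:02 +0100] "\x16\x03\x01" 501 277
127.0.0.1 - - [09/Nov/2006:19:40:10 +0100] "GET /index.html HTTP/1.1" 200 512
'''

REQUEST_RE = re.compile(r'\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
HEX_ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
MINOR = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

def unescape(field):
    """Turn the logged request string (with \\xHH escapes) back into bytes."""
    text = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), field)
    return text.encode("latin-1", errors="replace")

def version_name(raw, major_at):
    """Name the 3.x version at raw[major_at:major_at+2], if the log kept it."""
    if len(raw) < major_at + 2 or raw[major_at] != 0x03:
        return "no 3.x version logged"
    return MINOR.get(raw[major_at + 1], "unknown 3.x version")

def classify(raw):
    """Label the first bytes of a request; None means it is not a handshake."""
    if len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03:
        # TLS record header: content type 22 (handshake), major version 3.
        return "SSLv3/TLS handshake record, " + version_name(raw, 1)
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        # SSLv2-format header: 15-bit length, then message type 1 (ClientHello).
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        return f"SSLv2-format ClientHello ({length} bytes), " + version_name(raw, 3)
    return None

def scan(log_text):
    """Return (client, status, label) for every handshake-like request line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        label = classify(unescape(m.group(1))) if m else None
        if label:
            hits.append((line.split()[0], m.group(2), label))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Grouping the hits by client address and time shows whether a source sent one stray handshake or many in a short burst.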
