SANS ISC: Internet Storm Center
Suspicious GET Request: Do You Know What This Is?

Published: 2019-01-21
Last Updated: 2019-01-21 20:10:01 UTC
by Didier Stevens (Version: 1)
4 comment(s)

Reader Vinnie noticed the following suspicious GET request directed at his web server:

My first idea was an attempt to abuse his web server as a proxy, or to plant log spam (a bogus URL that ends up in the access logs or referrer statistics).

Vinnie executed this request (hxxp://189[.]40[.]40[.]159:7771/u9licfgnx56ryp0jfdmis6s3hez4wij), and got text back:

171886eb9748eb13fc7548e018bf5b70jA0ECQMCkTJtXpMYj4b00ukBAU2wE+cAc+fGlL16GWLH6RAVc2yShs37UlBBj2cDX3s7FLGSshr...

I was able to make some sense of this: the first 32 characters are hexadecimal digits (128 bits' worth), and the rest is BASE64. That BASE64 string decodes to binary data that starts with the bytes "8C 0D 04 09 03 02", which file(1) identifies as "GPG symmetrically encrypted data (AES256 cipher)". In OpenPGP (RFC 4880) terms, 8C is an old-format packet tag 3 (Symmetric-Key Encrypted Session Key), 0D is the packet length (13), 04 is the packet version, 09 is the cipher ID for AES-256, 03 selects an iterated and salted string-to-key function, and 02 names SHA-1 as its hash. In other words, the data was produced by something like gpg --symmetric: it is encrypted under a passphrase, not a public key, and the 13-byte packet carries no encrypted session key, so the passphrase-derived key encrypts the payload directly.

The data has high entropy, as you would expect from ciphertext.

That's as far as I got.
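The byte-level decoding and the entropy check described above, carried through as a worked example. This is an added example, not code from the diary: it takes the visible prefix of the quoted response (the diary truncated it with "...", so only that prefix is used and the trailing partial BASE64 group is dropped), splits off the 32 hex digits, parses the OpenPGP packet headers per RFC 4880 (both the old-format and new-format length encodings, including the partial body lengths gpg emits for streamed ciphertext), and computes the Shannon entropy of the decoded bytes. The function names and the SAMPLE constant are mine.

```python
import base64
import math
import re

# Constructed sample: the visible prefix of the response quoted in the diary.
# The original was cut off with "..."; nothing beyond these characters is known.
SAMPLE = ("171886eb9748eb13fc7548e018bf5b70"
          "jA0ECQMCkTJtXpMYj4b00ukBAU2wE+cAc+fGlL16GWLH6RAVc2yShs37UlBBj2cDX3s7FLGSshr")

# Algorithm IDs from RFC 4880 sections 9.2 and 9.4 (subset).
SYM_ALGOS = {2: "3DES", 3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}


def split_response(text):
    """Split '<32 hex digits><base64>' into the hex string and the decoded bytes."""
    m = re.fullmatch(r"([0-9a-fA-F]{32})([A-Za-z0-9+/=]+)", text)
    if not m:
        raise ValueError("unexpected response layout")
    hex_part, b64_part = m.groups()
    # Drop a trailing partial quantum so a truncated sample still decodes cleanly.
    b64_part = b64_part[: len(b64_part) - len(b64_part) % 4]
    return hex_part, base64.b64decode(b64_part)


def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_packet_header(buf, off):
    """Return (tag, body_offset, body_length, is_partial) for the packet at buf[off:]."""
    ptag = buf[off]
    if not ptag & 0x80:
        raise ValueError("not an OpenPGP packet tag")
    if ptag & 0x40:                       # new-format packet (RFC 4880 4.2.2)
        tag = ptag & 0x3F
        first = buf[off + 1]
        if first < 192:
            return tag, off + 2, first, False
        if first < 224:
            return tag, off + 3, ((first - 192) << 8) + buf[off + 2] + 192, False
        if first == 255:
            return tag, off + 6, int.from_bytes(buf[off + 2:off + 6], "big"), False
        return tag, off + 2, 1 << (first & 0x1F), True   # partial body length
    tag = (ptag >> 2) & 0x0F              # old-format packet (RFC 4880 4.2.1)
    ltype = ptag & 0x03
    if ltype == 3:
        return tag, off + 1, None, False  # indeterminate length
    nbytes = 1 << ltype
    return tag, off + 1 + nbytes, int.from_bytes(buf[off + 1:off + 1 + nbytes], "big"), False


def parse_skesk(body):
    """Decode a version 4 Symmetric-Key Encrypted Session Key packet body (tag 3)."""
    version, algo, s2k_type, hash_id = body[0], body[1], body[2], body[3]
    info = {"version": version, "cipher": SYM_ALGOS.get(algo, algo),
            "s2k_type": s2k_type, "hash": HASH_ALGOS.get(hash_id, hash_id)}
    if s2k_type == 3:                     # iterated and salted S2K (RFC 4880 3.7.1.3)
        info["salt"] = body[4:12].hex()
        c = body[12]
        info["s2k_count"] = (16 + (c & 15)) << ((c >> 4) + 6)
        # Anything after the 13 S2K bytes would be an encrypted session key.
        info["has_encrypted_session_key"] = len(body) > 13
    return info


def analyze(text):
    """Summarise what the response blob is: prefix, packet structure, entropy."""
    hex_part, blob = split_response(text)
    tag, body_off, length, partial = parse_packet_header(blob, 0)
    result = {"prefix": hex_part, "first_tag": tag, "entropy": shannon_entropy(blob)}
    if tag == 3 and not partial:
        result["skesk"] = parse_skesk(blob[body_off:body_off + length])
        # The packet after the SKESK should be the ciphertext container itself:
        # tag 18 = Symmetrically Encrypted Integrity Protected Data.
        tag2, _, len2, partial2 = parse_packet_header(blob, body_off + length)
        result.update(second_tag=tag2, second_length=len2, second_partial=partial2)
    return result


if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(f"{k}: {v}")
```

On the quoted prefix this reports a tag 3 packet (AES-256, iterated and salted S2K with SHA-1, no encrypted session key) followed by a tag 18 packet whose first partial length is 512 bytes, which is the shape gpg produces when it streams symmetric encryption to stdout. The entropy figure on a 54-byte prefix is necessarily below 8 bits per byte; it only becomes a meaningful test on the full response.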

We don't know if the server replying with this data is under the control of the attacker, or not. It could be an "innocent bystander".

Do you have any idea what this might be about, or what the data is? Please post a comment!

We're not asking you to interact with this server; there's no need. We want to know if you have ideas about the request type or the returned data. Should you still decide to interact with this server, be careful. We don't recommend it: we don't know what this server is or does. Don't do anything that might be considered hostile and don't do anything illegal.

If you want a second example of data, take a look at Shodan's report: https://www.shodan.io/host/189.40.40.159

Please post a comment, thanks!

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: GET HTTP Suspicious