Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-03-16 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

What is this "/smoke/" about?

Published: 2016-03-16
Last Updated: 2016-03-16 04:26:30 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

I am currently seeing a lot of requests against my honeypot like the following:

----------
POST /smoke/ 1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2)
Host: [server ip address]
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache

#nhDMzQ1lB3v5i'K^MiUE]Fzt @
z3@

----------------------

The payload is "random", and note the missing "HTTP" part in the protocol version. (but not all requests are missing that part).

Any idea what this could be about? I can't find any specific tool associated with the "smoke" URL.

Here are a couple more requests to show the variability in User-Agent and body:

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 102
Host: [ip adresss]

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [ip address]


~F@975t?{jB r8xfj9hP;)i2Y?[x;q!1V
l

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [server ip address]

g~D{./cANBa(<@AE8{3*WtDr;0'I_/ otqVC tE_

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
6 comment(s)
Diary Archives