Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Things that go "Bump" in the Night: Non HTTP Requests Hitting Web Servers SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Things that go "Bump" in the Night: Non HTTP Requests Hitting Web Servers

If you are reviewing your web server logs periodically, you may notice some odd requests that are not HTTP requests in your logs. In particular if you have a web server listening on a non standard port. I want to quickly review some of the most common requests like that, that I am seeing:

t3 12.2.1

You may see a few variations of requests like that. For example "t3 12.1.1" is common as well. These requests are attempting to connect to WebLogic. WebLogic is able to accept data via HTTP (see Guy's diary from this weekend for some example) or it may use the "t3" protocol. "t3" is one way to use "RMI" (Remote Method Invocation) via WebLogic. Due to a few criticial vulnerabilities in WebLogic in recent years, some of which may be exploited via "t3", scans for "t3" are quite common.

CNXN

Android Debug Bridge (ADB) is a protocol that can be used to remotely debug Android devices. Remember that Android is not only used for phones, but also on other devices in particular TV sticks. ADB hasn't been enabled (or simply remotely usable) for many years, but the ability to exeucte arbitrary commands using this propocol is still attractive enough to lead to widespread scanning. I believe that the main target are TV sticks as they tend to be more difficult to update than phones.

SSH-2.0-Go

SSH servers are always of interest. Some users appearantly "hide" them on ports more often used by web server. I got bad news for you: The bad guys figured you out. Hiding an ssh server on an off port worked years ago, and still keeps down the "Mirai" noise a bit. But please: use ssh keys, not passwords.

USER anonymous

Yes, there are still some people using FTP. The boomer file transfer protocol? Really not sure what attackers are hoping to find other than data that has probably already been leaked many many time. They could look for ways to stash some files? But I doubt there are many FTP servers left that have anonymous FTP upload enabled and still disk space left.

\x16\x03\x01

This is actually HTTP (likely), but over TLS. If an https request hits a non-TLS server, you will see the beginning of the client hello being logged. The first four bytes are often 0x16 0x03 0x01 (0x16 - Handshake 0x03,0x01 TLS Version 1.2). The fourth byte is a 0x00, terminating the string as far as logging is concerned. You may see various variations of this.

And finally, a few I have no idea what they attempt to achive. Maybe one of our readers can help?

\x05\x04

\x80.\x01

\x01default\n

Let me know if you have any ideas... or other odd non-http logs from your web servers.

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Johannes

4271 Posts
ISC Handler
Oct 11th 2021
anonymous FTP upload enabled with no ability for anonymous to see the content does limit things nicely and makes an easy way to upload large diagnostic images and packet captures to the vendor as part of a support ticket. Files with the support case number in it get routed to the case file, and others get purged automatically after a short while.
Andy Konecny

7 Posts
\x01\default is a nmap service probe

ftp://ftp.rfc-editor.org/in-notes/rfc1179.txt
Probe TCP LPDString q|\x01default\n|
jono

11 Posts

Sign Up for Free or Log In to start participating in the conversation!