
SANS ISC InfoSec Forums - What is this "/smoke/" about?


What is this "/smoke/" about?

I am currently seeing a lot of requests against my honeypot like the following:

----------
POST /smoke/ 1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2)
Host: [server ip address]
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache

#nhDMzQ1lB3v5i'K^MiUE]Fzt @
z3@

----------

The payload is "random", and note the missing "HTTP" part in the protocol version (but not all requests are missing that part).

Any idea what this could be about? I can't find any specific tool associated with the "smoke" URL.

Here are a couple more requests to show the variability in User-Agent and body:

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 102
Host: [ip address]

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [ip address]


~F@975t?{jB r8xfj9hP;)i2Y?[x;q!1V
l

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [server ip address]

g~D{./cANBa(<@AE8{3*WtDr;0'I_/ otqVC tE_


---
Johannes B. Ullrich, Ph.D.

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3553 Posts
ISC Handler
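A small triage function, added here as an example (it is not from the post or from ISC), that flags the two traits the post points out: a request line with no "HTTP/" token in the version field, and a form-encoded Content-Type carrying a body that is not key=value pairs. The sample requests are constructed from the printable fragments quoted above, with a documentation IP standing in for the honeypot address.

```python
import re
from typing import Dict, List

# Build a raw request with a correct Content-Length so the samples are self-consistent.
def build(request_line: bytes, headers: Dict[bytes, bytes], body: bytes) -> bytes:
    hdrs = {**headers, b"Content-Length": str(len(body)).encode()}
    head = b"\r\n".join([request_line] + [k + b": " + v for k, v in hdrs.items()])
    return head + b"\r\n\r\n" + body

FORM_CT = b"application/x-www-form-urlencoded"
COMMON = {b"Content-Type": FORM_CT, b"Host": b"192.0.2.10", b"Cache-Control": b"no-cache"}

# Constructed samples modelled on the requests quoted in the post (bodies are the
# printable fragments shown there); the third one is a benign control.
SAMPLES = [
    build(b"POST /smoke/ 1.1", COMMON, b"#nhDMzQ1lB3v5i'K^MiUE]Fzt @\nz3@"),   # no "HTTP/"
    build(b"POST /smoke/ HTTP/1.1", COMMON, b"~F@975t?{jB r8xfj9hP;)i2Y?[x;q!1V"),
    build(b"POST /login HTTP/1.1", COMMON, b"user=alice&password=secret1"),
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (\S+)$")
TOKEN = rb"[A-Za-z0-9_.~%+*-]"
FORM_BODY = re.compile(TOKEN + rb"+=" + TOKEN + rb"*(&" + TOKEN + rb"+=" + TOKEN + rb"*)*")

def analyse(raw: bytes) -> dict:
    """Return the request target and a list of findings for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(b":") for l in lines[1:])}
    findings: List[str] = []
    # The request line must read "METHOD target HTTP/x.y"; "POST /smoke/ 1.1" fails that.
    if m is None or not m.group(3).startswith(b"HTTP/"):
        findings.append("malformed-request-line")
    if m is not None and m.group(2) == b"/smoke/":
        findings.append("smoke-path")
    declared = headers.get(b"content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        findings.append("content-length-mismatch")
    # A body that claims to be form-encoded but is not key=value pairs is the give-away here.
    if headers.get(b"content-type", b"").startswith(FORM_CT) and not FORM_BODY.fullmatch(body):
        findings.append("body-not-form-encoded")
    target = m.group(2).decode() if m else lines[0].decode(errors="replace")
    return {"target": target, "findings": findings}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyse(sample))
```

The same function can be fed requests recorded by the honeypot; anything that trips "malformed-request-line" or "body-not-form-encoded" on a non-existent path is worth counting per source IP rather than investigating one by one.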
Mozilla devs sometimes run smoke tests on the application, simply for testing purposes. Not sure why they're sending this out to everyone, but do you happen to have Firefox or Thunderbird installed?
Anonymous
Possibly an application-layer DDoS attack. Malformed request plus pragma no-cache.
Roland Dobbins

7 Posts
It might have something to do with this. Smoke is a forms validator.

http://alfredobarron.github.io/smoke/#/getting-started
KG

1 Posts
Thanks for the comments! The DDoS idea, maybe using the Mozilla dev tool, is interesting. These requests are from a honeypot, so I don't think it is "legit" testing. They also come from a large number of different IPs.
Johannes

3553 Posts
ISC Handler
Not sure whether it is related or not, but I found this on a website that talks about "smoke".

http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html
Johannes
1 Posts
https://github.com/xebialabs-community/xld-smoke-test-plugin
Johannes
1 Posts
