What is this "/smoke/" about?
I am currently seeing a lot of requests against my honeypot like the following:
---------- POST /smoke/ 1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2) Host: [server ip address] Content-Length: 72 Connection: Keep-Alive Cache-Control: no-cache #nhDMzQ1lB3v5i'K^MiUE]Fzt @ z3@
----------------------
The payload is "random", and note the missing "HTTP" part in the protocol version. (but not all requests are missing that part).
Any idea what this could be about? I can't find any specific tool associated with the "smoke" URL.
Here are a couple more requests to show the variability in User-Agent and body:
POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 102
Host: [ip adresss]
POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [ip address]
~F@975t?{jB r8xfj9hP;)i2Y?[x;q!1V
l
POST /smoke/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Content-Length: 102 Host: [server ip address] g~D{./cANBa(<@AE8{3*WtDr;0'I_/ otqVC tE_
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
Mar 16th 2016
8 years ago
Anonymous
Mar 16th 2016
8 years ago
http://alfredobarron.github.io/smoke/#/getting-started
Anonymous
Mar 16th 2016
8 years ago
Anonymous
Mar 16th 2016
8 years ago
http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html
Anonymous
Mar 16th 2016
8 years ago
Anonymous
Mar 16th 2016
8 years ago