You Too? "Unusual Activity with Double Base64 Encoding"

Last week, Guy wrote a diary entry "Unusual Activity with Double Base64 Encoding" describing unusual scanning activity he sees on his honeypot.

I too see this activity on my honeypots (port 8080). Exactly the same. The very first hit is almost a year ago: December 30th 2018.

FYI: I'm using a simple honeypot I developed in Python.

Please post a comment if you see this activity too.

Didier Stevens
Senior handler
Microsoft MVP


677 Posts
ISC Handler
Nov 3rd 2019
I have noticed that these all come from ONE source IP, and the BS_Real_IP is always the same (that source IP and the SAME destination IP - not the server's IP that is being sent the HTTP request). Furthermore the HTTP request is a HEAD and is an absolute URL - formatted for a PROXY - for [omitted]. The request also includes the Proxy-Keepalive header. The URL and the Host header match, and are for the same destination as in the BS_Real_IP. Furthermore, that server IP address accepts requests on that TCP port in the same format, even HEAD or GET requests for other destinations. It also replies including a custom header (although no content) - BSType:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
BSType: 3
Content-Length: 0
Date: Tue, 05 Nov 2019 15:20:55 GMT

Not sure if this is some sort of probe for forward proxies, or some sort of C&C server. One vendor reports requests for this IP as cyclical, running for three days on approximately a ten day cycle. A continuous volume of requests spiked in April through May of this year (5 times the volume of requests vs the recent three day spikes).

Hope this helps - please post anything else that you find!
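As an added example (not part of the diary, the comment, or Didier's honeypot code), the following Python snippet shows how a honeypot log handler could flag the two traits discussed on this page: a request target that, once base64 is peeled off, turns out to be base64 again (the "double base64" of Guy's diary), and a proxy-style HEAD request with an absolute URL whose Host header and BS_Real_IP header point at the same destination (the pattern in the comment above). The sample requests are constructed, the 203.0.113.x address is a documentation-range placeholder, the Proxy-Keepalive header value and the idea that the encoded blob sits in the URL path are assumptions, and "hello" stands in for whatever the real payload decoded to.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Valid base64 alphabet with at most two trailing '=' pad characters.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def peel_base64(data: bytes, max_layers: int = 5):
    """Strip nested base64 layers until the content is no longer valid base64.

    Returns (number_of_layers_removed, innermost_bytes). A layer count of 2
    or more is the "double base64" pattern from the diary.
    """
    layers, current = 0, data
    while layers < max_layers:
        stripped = current.strip()
        if not stripped or len(stripped) % 4 != 0 or not B64_RE.match(stripped):
            break
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
        current = decoded
    return layers, current


def parse_request(raw: str):
    """Minimal HTTP/1.1 request parser: (method, target, {lower-name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def analyze_request(raw: str) -> dict:
    """Return the indicators a honeypot would log for one captured request."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    absolute = bool(parts.scheme and parts.netloc)   # absolute URL = proxy-style target
    real_ip = headers.get("bs_real_ip")              # header name from the diary/comment
    findings = {
        "method": method,
        "absolute_url": absolute,
        # HEAD + absolute URL + Proxy-Keepalive, as described in the comment.
        "proxy_style": absolute and method == "HEAD" and "proxy-keepalive" in headers,
        "host_matches_url": absolute and headers.get("host", "") == parts.netloc,
        "real_ip_matches_url": real_ip is not None and real_ip == parts.hostname,
        "base64_layers": {},
    }
    # Check the path and every header value for nested base64 (assumed location).
    candidates = {"path": parts.path.lstrip("/")}
    candidates.update(headers)
    for name, value in candidates.items():
        layers, inner = peel_base64(value.encode("ascii", "replace"))
        if layers >= 2:
            findings["base64_layers"][name] = (layers, inner)
    return findings


# Constructed sample: proxy-style HEAD with a double-base64 path ("hello" encoded twice).
SAMPLE_PROXY_REQUEST = (
    "HEAD http://203.0.113.5:8080/YUdWc2JHOD0= HTTP/1.1\r\n"
    "Host: 203.0.113.5:8080\r\n"
    "Proxy-Keepalive: 1\r\n"
    "BS_Real_IP: 203.0.113.5\r\n"
    "\r\n"
)

# Constructed sample: an ordinary origin-form request for comparison.
SAMPLE_NORMAL_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: honeypot.example\r\n"
    "User-Agent: curl/7.64.1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PROXY_REQUEST, SAMPLE_NORMAL_REQUEST):
        print(analyze_request(sample))
```

The decoder stops as soon as a layer fails strict validation, so ordinary text such as a hostname or a version string never counts as a layer; only a blob that survives two full decodes is reported, which keeps the honeypot log free of false "double base64" hits.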

