Last week, Guy wrote a diary entry "Unusual Activity with Double Base64 Encoding" describing unusual scanning activity he sees on his honeypot. I too see this activity on my honeypots (port 8080). Exactly the same. The very first hit is almost a year ago: December 30th 2018. FYI: I'm using a simple honeypot I developed in Python. Please post a comment if you see this activity too. Didier Stevens |
DidierStevens 649 Posts ISC Handler Nov 3rd 2019 |
I have noticed that these all come from ONE source IP, and the BS_Real_IP is always the same (that source IP and the SAME destination IP - 112.124.42.80 - not the server's IP that is being sent the HTTP request). Furthermore, the HTTP request is a HEAD and is an absolute URL - formatted for a PROXY - for 112.124.42.80:63435. The request also includes the Proxy-Keepalive header. The URL and the Host header match, and are for the same destination as the one in the BB_REAL_IP. Furthermore, that server IP address accepts requests on that TCP port in the same format, even HEAD or GET requests for other destinations. It also replies including a custom header (although no content) - BSType:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
BSType: 3
Content-Length: 0
Date: Tue, 05 Nov 2019 15:20:55 GMT

Not sure if this is some sort of probe for forward proxies, or some sort of C&C server. One vendor reports requests for this IP as cyclical, running for three days on approximately a ten day cycle. A continuous volume of requests spiked in April through May of this year (5 times the volume of requests vs the recent three day spikes). Hope this helps - please post anything else that you find! Mike |
Anonymous Nov 5th 2019 |
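A small detector for the request shape Mike describes above (a HEAD with an absolute URL whose authority matches the Host header, plus Proxy-Keepalive and BS_Real_IP headers), added here as an example and not code from the diary, the honeypot or the comments. The sample requests and the Proxy-Keepalive value are constructed, and header names are matched case-insensitively because the comment spells the header two ways.

```python
# Added example: flag forward-proxy style probes in raw HTTP requests captured
# by a honeypot. Header names come from the comment above; samples are constructed.
from urllib.parse import urlsplit


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request head into method, target and a header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()   # case-insensitive names
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify_proxy_probe(raw: bytes) -> dict:
    """Return the traits that make a request look like the proxy probe in the thread."""
    req = parse_request(raw)
    h = req["headers"]
    # Absolute-form target (scheme://host:port/path) is only meaningful to a forward proxy
    absolute = req["target"].lower().startswith(("http://", "https://"))
    url_host = urlsplit(req["target"]).netloc if absolute else ""
    # In the observed traffic the Host header and the URL authority agree
    host_matches = absolute and url_host.lower() == h.get("host", "").lower()
    traits = {
        "method": req["method"],
        "absolute_form": absolute,
        "host_matches_url": host_matches,
        "proxy_keepalive": "proxy-keepalive" in h,
        "bs_real_ip": h.get("bs_real_ip"),   # value the scanner claims as the real client
    }
    # Absolute form alone says "meant for a proxy"; the other traits raise confidence
    # that it is this particular scanner rather than any misdirected proxy request.
    traits["proxy_probe"] = absolute
    traits["score"] = sum([absolute, host_matches, traits["proxy_keepalive"],
                           traits["bs_real_ip"] is not None])
    return traits


# Constructed samples: one modelled on the comment, one ordinary origin-form GET.
PROBE = (b"HEAD http://112.124.42.80:63435/ HTTP/1.1\r\n"
         b"Host: 112.124.42.80:63435\r\n"
         b"Proxy-Keepalive: 300\r\n"            # value is an assumption
         b"BS_Real_IP: 112.124.42.80\r\n\r\n")
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (PROBE, NORMAL):
        print(classify_proxy_probe(sample))
```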