You Too? "Unusual Activity with Double Base64 Encoding"

Published: 2019-11-03
Last Updated: 2019-11-03 22:09:21 UTC
by Didier Stevens (Version: 1)
1 comment(s)

Last week, Guy wrote a diary entry "Unusual Activity with Double Base64 Encoding" describing unusual scanning activity he sees on his honeypot.

I too see this activity on my honeypots (port 8080). Exactly the same. The very first hit was almost a year ago: December 30th, 2018.

FYI: I'm using a simple honeypot I developed in Python.

Please post a comment if you see this activity too.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: honeypot scanning

Comments

I have noticed that these all come from ONE source IP, and the BS_Real_IP is always the same (that source IP and the SAME destination IP - 112.124.42.80 - not the server's IP that is being sent the HTTP request). Furthermore the HTTP request is a HEAD and is an absolute URL - formatted for a PROXY - for 112.124.42.80:63435. The request also includes the Proxy-Keepalive header. The URL and the Host header match, and are for the same destination as the one in the BB_REAL_IP. Furthermore, that server IP address accepts requests on that TCP port in the same format. Even HEAD or GET requests for other destinations. It also replies including a custom header (although no content) - BSType:


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
BSType: 3
Content-Length: 0
Date: Tue, 05 Nov 2019 15:20:55 GMT


Not sure if this is some sort of probe for forward proxies, or some sort of C&C server. One vendor reports requests for this IP as cyclical, running for three days on approximately a ten day cycle. A continuous volume of requests spiked in April through May of this year (5 times the volume of requests vs the recent three day spikes).

Hope this helps - please post anything else that you find!

Mike
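
The following is an added example, not code from the diary or the comment: one way to flag requests in honeypot captures that combine the traits the comment lists (HEAD method, absolute proxy-style URL, Host matching the URL, a Proxy-Keepalive header, and a header value that is two layers of Base64). The sample requests are constructed, 198.51.100.7 is a documentation address standing in for the scanner, and the plaintext layout inside the encoded header is an assumption.

```python
import base64
from urllib.parse import urlsplit

def double_b64(value):
    """Return the plaintext if value is two layers of strict base64, else None."""
    try:
        data = value.strip().encode("ascii")
        for _ in range(2):
            if len(data) < 8:          # too short to be a meaningful encoded layer
                return None
            data = base64.b64decode(data, validate=True)
        text = data.decode("ascii")
    except ValueError:                 # binascii.Error and Unicode*Error are subclasses
        return None
    return text if text and text.isprintable() else None

def indicators(raw):
    """Extract the traits named in the comment from one raw request, or None if unparseable."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        request_line, *header_lines = head.split("\r\n")
        method, target, _version = request_line.split(" ", 2)
        url = urlsplit(target)
    except ValueError:                 # binary junk, truncated request line, bad netloc
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    absolute = url.scheme in ("http", "https") and bool(url.netloc)
    decoded = {n: double_b64(v) for n, v in headers.items()}
    return {
        "head_method": method == "HEAD",
        "absolute_uri": absolute,
        "host_matches_uri": absolute and headers.get("host", "").lower() == url.netloc.lower(),
        "proxy_keepalive": "proxy-keepalive" in headers,  # name as written in the comment
        "double_b64": {n: t for n, t in decoded.items() if t},
    }

def matches_probe(raw):
    """True only when every trait from the comment is present together."""
    ind = indicators(raw)
    return bool(ind and ind["head_method"] and ind["absolute_uri"]
                and ind["proxy_keepalive"] and ind["double_b64"])

# Constructed samples: the header value and its plaintext layout are assumptions.
_VALUE = base64.b64encode(base64.b64encode(b"198.51.100.7,112.124.42.80"))
PROBE = (b"HEAD http://112.124.42.80:63435/ HTTP/1.1\r\nHost: 112.124.42.80:63435\r\n"
         b"Proxy-Keepalive: 1\r\nBS_Real_IP: " + _VALUE + b"\r\n\r\n")
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
```

Keeping the individual indicators separate from the combined verdict lets a honeypot log partial matches as well, which is useful if the scanner changes one trait.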
