Things that go "Bump" in the Night: Non HTTP Requests Hitting Web Servers
Last Updated: 2021-10-11 12:44:42 UTC
by Johannes Ullrich (Version: 1)
If you are reviewing your web server logs periodically, you may notice some odd requests that are not HTTP requests in your logs. In particular if you have a web server listening on a non standard port. I want to quickly review some of the most common requests like that, that I am seeing:
You may see a few variations of requests like that. For example "t3 12.1.1" is common as well. These requests are attempting to connect to WebLogic. WebLogic is able to accept data via HTTP (see Guy's diary from this weekend for some example) or it may use the "t3" protocol. "t3" is one way to use "RMI" (Remote Method Invocation) via WebLogic. Due to a few criticial vulnerabilities in WebLogic in recent years, some of which may be exploited via "t3", scans for "t3" are quite common.
Android Debug Bridge (ADB) is a protocol that can be used to remotely debug Android devices. Remember that Android is not only used for phones, but also on other devices in particular TV sticks. ADB hasn't been enabled (or simply remotely usable) for many years, but the ability to exeucte arbitrary commands using this propocol is still attractive enough to lead to widespread scanning. I believe that the main target are TV sticks as they tend to be more difficult to update than phones.
SSH servers are always of interest. Some users appearantly "hide" them on ports more often used by web server. I got bad news for you: The bad guys figured you out. Hiding an ssh server on an off port worked years ago, and still keeps down the "Mirai" noise a bit. But please: use ssh keys, not passwords.
Yes, there are still some people using FTP. The boomer file transfer protocol? Really not sure what attackers are hoping to find other than data that has probably already been leaked many many time. They could look for ways to stash some files? But I doubt there are many FTP servers left that have anonymous FTP upload enabled and still disk space left.
This is actually HTTP (likely), but over TLS. If an https request hits a non-TLS server, you will see the beginning of the client hello being logged. The first four bytes are often 0x16 0x03 0x01 (0x16 - Handshake 0x03,0x01 TLS Version 1.2). The fourth byte is a 0x00, terminating the string as far as logging is concerned. You may see various variations of this.
And finally, a few I have no idea what they attempt to achive. Maybe one of our readers can help?
Let me know if you have any ideas... or other odd non-http logs from your web servers.
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Oct 11th 2021
1 year ago
Probe TCP LPDString q|\x01default\n|
Oct 12th 2021
1 year ago