---------- Forwarded message ----------
Date: Tue, 2 Jan 2001 02:50:42 +0100 (CET)
From: Michal Zalewski
To: Lance Spitzner
Subject: Fun!

Hey big boy! Something about your scan of the month - that's a cool one :):

### QUESTION 1: What is the scan attempting to determine?

The version of the HTTP server you are running, I presume ;)

### QUESTION 2: What is unique about the scan methodology?
### QUESTION 3: Can you name the scanning tool?

First of all, the attacker system seems to be Windows 9x; take a look at the packet parameters (wss 8192, DF, sackOK, nop, init ttl 128, mss 1460). Then, what is really interesting, the "HEAD /" command is sent char-by-char (more or less - sometimes more characters are arriving with a packet). I believe it is the MS Windows TELNET.EXE utility, which works in char-by-char mode by default (it is pretty uncommon for other tools to be so stupid). The third important thing - instead of HTTP/1.0, we have:

12/20-14:47:49.693020
/.../
12/20-14:47:51.430835
/.../
20 48 54 54 08    " HTT."
/...and then a bunch of Windows-alike crlfs.../

First of all, we can see a pretty huge time interval between packets (2 secs). This seems not to be related to any kind of uplink problems (France <-> US) - other packets are travelling at least ten times faster (the tcp handshake has an rtt below 200 ms, no packets were lost during the session). Then, that funny thing at the end - a backspace character (0x08)!

What we are seeing - this 'scanning tool' - is, in my belief, some script kiddie or other curious person, who is using the built-in Windows 9x telnet.exe to *manually* type "HEAD / HTTP/1.0". Unfortunately, this innocent dude has echo disabled in his/her telnet.exe, being not able to see if he/she did a typo in this command (and having quite a strong feeling of it, which isn't uncommon if you can't see the output). So, after hitting backspace, not once finishing the whole command, he/she strikes the ENTER key at least twice, getting a "Bad request" response from your IIS server (ugh). That's it.
It could be a really evil, clever AI-alike scanner trying to act as an innocent MS Windows user, but... well, you know ;)

BONUS QUESTION: What known vulnerabilities exist on the honeypot?

If you are talking about IIS - more than we can imagine ;)

--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =--=>
Did you know that clones never use mirrors? <=--=
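The two observations the e-mail rests on (a request arriving one keystroke per segment with seconds between them plus a backspace, and a SYN whose window, options and TTL fit a Windows 9x stack) can be turned into a small detection check. The script below is an added example for this write-up, not code from the e-mail or from the Honeynet challenge. The packet samples are constructed to mimic the behaviour described (timestamps, payload bytes and the `Packet` shape are assumptions); the SYN signature values are the ones quoted in the message; the `tool-like`/`interactive-typing` thresholds are assumed starting points, not measured figures.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Packet:
    ts: float        # capture time in seconds, relative to the first data segment
    payload: bytes   # TCP payload carried by this segment


# Constructed sample: one keystroke per segment, slow gaps, then a backspace and two
# CRLFs. It mimics the behaviour described in the e-mail; it is not the real capture.
TYPED_SAMPLE = [
    Packet(0.00, b"H"), Packet(0.41, b"E"), Packet(0.80, b"A"), Packet(1.10, b"D"),
    Packet(1.62, b" "), Packet(2.05, b"/"), Packet(2.40, b" "), Packet(2.93, b"HTT"),
    Packet(4.67, b"\x08"),                      # backspace: the typist suspects a typo
    Packet(6.40, b"\r\n"), Packet(7.10, b"\r\n"),
]

# Constructed sample of what a scanner or browser does: the whole request in one segment.
TOOL_SAMPLE = [Packet(0.00, b"HEAD / HTTP/1.0\r\n\r\n")]


def reconstruct_typed(packets):
    """Rebuild the request the server actually parsed: concatenate the payloads and
    apply each backspace (0x08) the way a line editor would, deleting the previous byte."""
    buf = bytearray()
    for pkt in packets:
        for b in pkt.payload:
            if b == 0x08:
                if buf:
                    buf.pop()
            else:
                buf.append(b)
    return bytes(buf)


def classify_request(packets, small_payload=4, slow_gap=0.25):
    """Heuristic: a request is 'interactive' when most data segments carry only a few
    bytes and the median inter-segment gap is far above a network RTT; a tool sends the
    request in one or a few large segments. Thresholds are assumptions; tune per site."""
    data = [p for p in packets if p.payload]
    if len(data) < 3:
        return "tool-like"
    gaps = [b.ts - a.ts for a, b in zip(data, data[1:])]
    small_fraction = sum(len(p.payload) <= small_payload for p in data) / len(data)
    if small_fraction >= 0.8 and median(gaps) >= slow_gap:
        return "interactive-typing"
    return "tool-like"


# SYN characteristics quoted in the e-mail for the Windows 9x client.
WINDOWS9X_SYN = {"wss": 8192, "df": True, "sackOK": True, "nop": True,
                 "mss": 1460, "init_ttl": 128}


def guess_initial_ttl(observed_ttl):
    """The TTL on the wire is the initial TTL minus the hop count, so map the observed
    value back to the nearest common starting value (32, 64, 128, 255) at or above it."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return None


def matches_syn_signature(syn, signature=WINDOWS9X_SYN):
    """True when a SYN's window size, DF flag, options and inferred initial TTL all
    agree with the signature. `syn` is a plain dict of parsed header fields (assumed shape)."""
    return (
        syn.get("wss") == signature["wss"]
        and bool(syn.get("df")) == signature["df"]
        and bool(syn.get("sackOK")) == signature["sackOK"]
        and bool(syn.get("nop")) == signature["nop"]
        and syn.get("mss") == signature["mss"]
        and guess_initial_ttl(syn.get("ttl", 0)) == signature["init_ttl"]
    )


if __name__ == "__main__":
    print(reconstruct_typed(TYPED_SAMPLE))      # b'HEAD / HT\r\n\r\n'
    print(classify_request(TYPED_SAMPLE))       # interactive-typing
    print(classify_request(TOOL_SAMPLE))        # tool-like
    observed_syn = {"wss": 8192, "df": True, "sackOK": True, "nop": True,
                    "mss": 1460, "ttl": 113}    # constructed: 128 minus ~15 hops
    print(matches_syn_signature(observed_syn))  # True
```

`reconstruct_typed` shows why the server answered "Bad request": after the backspace the request line that reaches IIS is `HEAD / HT`, not `HEAD / HTTP/1.0`. `classify_request` is the part worth keeping in a honeypot analysis pipeline: a request whose segments are mostly single bytes separated by hundreds of milliseconds is a human at a keyboard, whatever tool claims to be on the other end, and the TTL mapping in `guess_initial_ttl` is the step people forget when they compare an observed TTL of, say, 113 against a signature's initial value of 128.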