Unusual HTTP POST traffic from 220.127.116.11
I had a server get some weird HTTP POST requests, and decided to post about it here for Google food. If you recognize the traffic pattern, please let me know.
- Source IP 18.104.22.168, not currently reported in common OSINT abuse/netflow logs
- Requests were made to the target server's IP, not to a hostname
- Plain HTTP on port 80
- 48 requests exactly 120 seconds apart (with apparent ~1 second latency)
- Post data lengths between 356 and 440 bytes, always an even number
- The data encoding resembles base64, with some payloads ending in = or ==, but doesn't decode to anything text-based
Here's a sample request. (I masked the target IP and added newlines to the payload.)
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 322.214.171.124
Content-Length: 432
Cache-Control: no-cache

FKZalIjJZ+8pAFxPMs/b7VpevVWWfScwVxm3XnjSLadXhdxfns/88NApvWta+neZk9Nhui3jTDqAjSvT
jfeGTkOK5BOdSmYUwc8O2Iv3EzHeWVLjW0mK1Ns+llqPz9LX1cc/2YNfqZ5G/2XVkqHAig8/915xyRuS
9UOVWIu1Wd8FZGEkNWwAk7Y4QNUkMM05RGKGe36wmqgE6auXZ6Bv9ikroJ0IqI4waiO3xU+sxkZg4hGD
b1V8CvIzH3zov0H43NjLsSugpgBEwu5HlBTU9woY1WeNJlqprJQIt6c5SX0MQQlObR/EykGSjNW47Tw7
2bORN658K60m1XJYA3oQKo4/+ML6Sav4e5hl4hthVaxc7wNhfV6nMcn5HPH4uvpzl9d7P1F/yep6nrYT
wDerBmQaceRjQTf01iwUyVLoqH2YlQ==
The target server is running Apache but there's nothing there, just an "It works!" page, and it's seen no other unusual traffic. There were a total of 48 requests, but I only noticed in time to get a tcpdump capture of the last 18.
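As an added triage example (my own code, not from the original post), the script below checks the two observations the post makes: whether the body is strictly valid base64 and whether what it decodes to looks like text (printable ratio and byte entropy), and whether a series of request timestamps fits a fixed-interval beacon. The body is the one quoted in the post with the added newlines removed; the timestamp list used for testing is constructed.

```python
import base64
import binascii
import math
import statistics
import string

# The POST body quoted in the post, newlines removed (432 chars, ends in "==").
SAMPLE_BODY = (
    "FKZalIjJZ+8pAFxPMs/b7VpevVWWfScwVxm3XnjSLadXhdxfns/88NApvWta+neZk9Nhui3jTDqAjSvT"
    "jfeGTkOK5BOdSmYUwc8O2Iv3EzHeWVLjW0mK1Ns+llqPz9LX1cc/2YNfqZ5G/2XVkqHAig8/915xyRuS"
    "9UOVWIu1Wd8FZGEkNWwAk7Y4QNUkMM05RGKGe36wmqgE6auXZ6Bv9ikroJ0IqI4waiO3xU+sxkZg4hGD"
    "b1V8CvIzH3zov0H43NjLsSugpgBEwu5HlBTU9woY1WeNJlqprJQIt6c5SX0MQQlObR/EykGSjNW47Tw7"
    "2bORN658K60m1XJYA3oQKo4/+ML6Sav4e5hl4hthVaxc7wNhfV6nMcn5HPH4uvpzl9d7P1F/yep6nrYT"
    "wDerBmQaceRjQTf01iwUyVLoqH2YlQ=="
)

PRINTABLE = set(string.printable.encode("ascii"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for encrypted/compressed data, typically 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_body(body: str) -> dict:
    """Strict base64 check, then measure whether the decoded bytes resemble text."""
    try:
        raw = base64.b64decode(body, validate=True)  # rejects stray chars and bad padding
    except (binascii.Error, ValueError):
        return {"valid_base64": False}
    printable_ratio = sum(b in PRINTABLE for b in raw) / len(raw)
    return {
        "valid_base64": True,
        "encoded_len": len(body),
        "decoded_len": len(raw),
        "printable_ratio": printable_ratio,
        "entropy": shannon_entropy(raw),
        "looks_like_text": printable_ratio > 0.95,  # threshold is a constructed heuristic
    }


def beacon_stats(timestamps: list, tolerance: float = 5.0) -> dict:
    """Flag a fixed-interval beacon: every gap within `tolerance` seconds of the median gap."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    median = statistics.median(gaps)
    jitter = max(abs(g - median) for g in gaps)
    return {"median_interval": median, "max_jitter": jitter, "periodic": jitter <= tolerance}
```

Feeding `beacon_stats` the request timestamps from the tcpdump capture (18 of them here) should report a median interval near 120 seconds and small jitter if the traffic is as regular as described.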