$this = (new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


Unusual HTTP POST traffic from 75.108.75.42

Posted April 16, 2018 by shaun

I had a server get some weird HTTP POST requests, and decided to post about it here for Google food. If you recognize the traffic pattern, please let me know.

  • Source IP 75.108.75.42, not currently reported in common OSINT abuse/netflow logs

  • Requests were made to the target server's IP, not to a hostname

  • Plain HTTP on port 80

  • 48 requests exactly 120 seconds apart (with apparent ~1 second latency)

  • Post data lengths between 356 and 440 bytes, always an even number

  • The data encoding resembles base64, with some payloads ending in = or ==, but doesn't decode to anything text-based

Here's a sample request. (I masked the target IP and added newlines to the payload.)

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 314.15.92.65
Content-Length: 432
Cache-Control: no-cache

FKZalIjJZ+8pAFxPMs/b7VpevVWWfScwVxm3XnjSLadXhdxfns/88NApvWta+neZk9Nhui3jTDqAjSvT
jfeGTkOK5BOdSmYUwc8O2Iv3EzHeWVLjW0mK1Ns+llqPz9LX1cc/2YNfqZ5G/2XVkqHAig8/915xyRuS
9UOVWIu1Wd8FZGEkNWwAk7Y4QNUkMM05RGKGe36wmqgE6auXZ6Bv9ikroJ0IqI4waiO3xU+sxkZg4hGD
b1V8CvIzH3zov0H43NjLsSugpgBEwu5HlBTU9woY1WeNJlqprJQIt6c5SX0MQQlObR/EykGSjNW47Tw7
2bORN658K60m1XJYA3oQKo4/+ML6Sav4e5hl4hthVaxc7wNhfV6nMcn5HPH4uvpzl9d7P1F/yep6nrYT
wDerBmQaceRjQTf01iwUyVLoqH2YlQ==

The target server is running Apache but there's nothing there, just an "It works!" page, and it's seen no other unusual traffic. There were a total of 48 requests, but I only noticed in time to get a tcpdump capture of the last 18.
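To turn the observations above into a repeatable check, here is an added triage script (my example, not code from the original post): it strictly validates a body as standard-alphabet base64, measures the decoded blob's Shannon entropy and printable-byte ratio to separate plaintext from an encrypted or compressed payload, and tests a list of arrival timestamps for a near-constant beacon interval like the 120-second cadence seen here. The sample body is the one from the capture above; the arrival times in the usage block and the text-likeness thresholds are constructed assumptions.

```python
import base64
import binascii
import math
import re
import statistics
import string
from typing import List, Optional, Tuple

# Sample POST body from the capture in the post (the display newlines are
# stripped before decoding). 432 base64 chars ending in "==" -> 322 bytes.
SAMPLE_BODY = """
FKZalIjJZ+8pAFxPMs/b7VpevVWWfScwVxm3XnjSLadXhdxfns/88NApvWta+neZk9Nhui3jTDqAjSvT
jfeGTkOK5BOdSmYUwc8O2Iv3EzHeWVLjW0mK1Ns+llqPz9LX1cc/2YNfqZ5G/2XVkqHAig8/915xyRuS
9UOVWIu1Wd8FZGEkNWwAk7Y4QNUkMM05RGKGe36wmqgE6auXZ6Bv9ikroJ0IqI4waiO3xU+sxkZg4hGD
b1V8CvIzH3zov0H43NjLsSugpgBEwu5HlBTU9woY1WeNJlqprJQIt6c5SX0MQQlObR/EykGSjNW47Tw7
2bORN658K60m1XJYA3oQKo4/+ML6Sav4e5hl4hthVaxc7wNhfV6nMcn5HPH4uvpzl9d7P1F/yep6nrYT
wDerBmQaceRjQTf01iwUyVLoqH2YlQ==
"""

_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
_PRINTABLE = set(string.printable.encode())


def decode_base64(body: str) -> Optional[bytes]:
    """Strictly decode a standard-alphabet base64 body; None if it is not base64.

    Real base64 output is always a multiple of 4 chars (hence always even), uses
    only [A-Za-z0-9+/] and at most two '=' of padding at the end.
    """
    compact = "".join(body.split())
    if len(compact) % 4 or not _B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, well below for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (string.printable)."""
    if not data:
        return 0.0
    return sum(b in _PRINTABLE for b in data) / len(data)


def triage_body(body: str) -> dict:
    """Summarise a POST body: is it base64, how long, and does it look like text?"""
    decoded = decode_base64(body)
    if decoded is None:
        return {"base64": False}
    ent = shannon_entropy(decoded)
    pr = printable_ratio(decoded)
    return {
        "base64": True,
        "encoded_len": len("".join(body.split())),
        "decoded_len": len(decoded),
        "entropy": round(ent, 2),
        "printable_ratio": round(pr, 2),
        # Heuristic thresholds (assumption): plaintext decodes to almost all
        # printable bytes at well under 6 bits/byte; ciphertext does neither.
        "looks_like_text": pr > 0.95 and ent < 6.0,
    }


def beacon_interval(timestamps: List[float], tolerance: float = 5.0) -> Tuple[Optional[float], bool]:
    """Return (median gap, True) when requests recur at a near-constant interval.

    timestamps are epoch seconds in arrival order; tolerance is the jitter
    allowed around the median gap (the capture above showed about 1 s).
    """
    if len(timestamps) < 3:
        return None, False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    med = statistics.median(gaps)
    periodic = all(abs(g - med) <= tolerance for g in gaps)
    return med, periodic


if __name__ == "__main__":
    print(triage_body(SAMPLE_BODY))
    # Constructed arrival times: 48 requests 120 s apart with ~1 s of drift.
    times = [i * 120 + (i % 2) for i in range(48)]
    print(beacon_interval(times))
```

Feed `beacon_interval` the request timestamps from the Apache access log or the tcpdump capture; a fixed gap with sub-second jitter across dozens of requests is the signature of a scheduled client, not a human. The request itself points the same way: it claims an IE11 User-Agent (Trident/7.0) yet carries none of the Accept or Connection headers a browser sends, and it addresses the server by bare IP, so whoever sent it was scanning or checking in by address rather than visiting a site.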


