(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



Unusual HTTP POST traffic from 75.108.75.42

Posted April 16, 2018 by shaun

I had a server get some weird HTTP POST requests, and decided to post about it here for Google food. If you recognize the traffic pattern, please let me know.

  • Source IP 75.108.75.42, not currently reported in common OSINT abuse/netflow logs

  • Requests were made to the target server's IP, not to a hostname

  • Plain HTTP on port 80

  • 48 requests exactly 120 seconds apart (with apparent ~1 second latency)

  • POST body lengths between 356 and 440 bytes, always an even number

  • The data encoding resembles base64, with some payloads ending in = or ==, but doesn't decode to anything text-based

Here's a sample request. (I masked the target IP and added newlines to the payload.)

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 314.15.92.65
Content-Length: 432
Cache-Control: no-cache

FKZalIjJZ+8pAFxPMs/b7VpevVWWfScwVxm3XnjSLadXhdxfns/88NApvWta+neZk9Nhui3jTDqAjSvT
jfeGTkOK5BOdSmYUwc8O2Iv3EzHeWVLjW0mK1Ns+llqPz9LX1cc/2YNfqZ5G/2XVkqHAig8/915xyRuS
9UOVWIu1Wd8FZGEkNWwAk7Y4QNUkMM05RGKGe36wmqgE6auXZ6Bv9ikroJ0IqI4waiO3xU+sxkZg4hGD
b1V8CvIzH3zov0H43NjLsSugpgBEwu5HlBTU9woY1WeNJlqprJQIt6c5SX0MQQlObR/EykGSjNW47Tw7
2bORN658K60m1XJYA3oQKo4/+ML6Sav4e5hl4hthVaxc7wNhfV6nMcn5HPH4uvpzl9d7P1F/yep6nrYT
wDerBmQaceRjQTf01iwUyVLoqH2YlQ==

The target server is running Apache but there's nothing there, just an "It works!" page, and it's seen no other unusual traffic. There were a total of 48 requests, but I only noticed in time to get a tcpdump capture of the last 18.
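The observations above (base64-looking body, even lengths, no readable text after decoding) can be checked mechanically. The following Python script is an added example, not code from the original post: it decodes the captured 432-byte body exactly as quoted, then reports decoded length, printable-ASCII ratio and byte entropy. The control sample `TEXT_SAMPLE_B64` is constructed here so the same check can be seen passing on ordinary form text; the thresholds are assumptions, not figures from the post.

```python
import base64
import binascii
import math
import string

# The 432-byte body from the request captured above, with the display
# newlines removed.
PAYLOAD = (
    "FKZalIjJZ+8pAFxPMs/b7VpevVWWfScwVxm3XnjSLadXhdxfns/88NApvWta+neZk9Nhui3jTDqAjSvT"
    "jfeGTkOK5BOdSmYUwc8O2Iv3EzHeWVLjW0mK1Ns+llqPz9LX1cc/2YNfqZ5G/2XVkqHAig8/915xyRuS"
    "9UOVWIu1Wd8FZGEkNWwAk7Y4QNUkMM05RGKGe36wmqgE6auXZ6Bv9ikroJ0IqI4waiO3xU+sxkZg4hGD"
    "b1V8CvIzH3zov0H43NjLsSugpgBEwu5HlBTU9woY1WeNJlqprJQIt6c5SX0MQQlObR/EykGSjNW47Tw7"
    "2bORN658K60m1XJYA3oQKo4/+ML6Sav4e5hl4hthVaxc7wNhfV6nMcn5HPH4uvpzl9d7P1F/yep6nrYT"
    "wDerBmQaceRjQTf01iwUyVLoqH2YlQ=="
)

# Constructed control sample (not from the post): base64 of ordinary form text,
# which the same check should classify as text.
TEXT_SAMPLE_B64 = base64.b64encode(
    b"user=admin&action=login&note=this is ordinary form text"
).decode("ascii")

PRINTABLE = frozenset(string.printable.encode("ascii"))


def decode_base64(body):
    """Return the decoded bytes, or None if the body is not well-formed standard
    base64 (wrong alphabet, length not a multiple of 4, or bad padding)."""
    if len(body) % 4 != 0:
        return None
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error:
        return None


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII (whitespace included)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def shannon_entropy(data):
    """Bits of entropy per byte; values near 8 suggest encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage(body, text_threshold=0.95):
    """Summarise one POST body: is it valid base64, how long is the decoded
    form, and does the decoded form look like text (assumed threshold)."""
    decoded = decode_base64(body)
    if decoded is None:
        return {"valid_base64": False}
    ratio = printable_ratio(decoded)
    return {
        "valid_base64": True,
        "decoded_len": len(decoded),
        "printable_ratio": round(ratio, 3),
        "entropy": round(shannon_entropy(decoded), 2),
        "looks_like_text": ratio >= text_threshold,
    }


if __name__ == "__main__":
    print(triage(PAYLOAD))
    print(triage(TEXT_SAMPLE_B64))
```

Two practical notes. Every well-formed base64 string has a length that is a multiple of 4, so the "always an even number" observation is exactly what base64 predicts, and the script rejects any body whose length is not a multiple of 4 rather than guessing at padding. Also, take the body from a packet capture as the author did: the request is declared as `application/x-www-form-urlencoded`, so a web framework's form parser would turn `+` into a space and split on `=`, silently corrupting the base64 before you ever see it.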


Update, April 26 2018. The same server received another round of similar POST requests from 108.75.16.72. This time, the traffic (tcpdump capture) was immediately preceded by a single request with the verb set to "\xaf":

108.75.16.72 - - [26/Apr/2018:09:44:10 -0500] "\xaf" 400 226 - "-" "-"

POST traffic began immediately afterward, and followed the same pattern as before, one request every two minutes with a small encoded payload in each.
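The two signals described in this update, a malformed request method followed by POSTs on a fixed two-minute period, can be pulled out of an Apache access log directly. The Python below is an added example (not the author's code or tooling): it parses log lines in the shape of the one quoted above, groups requests by source address, method and path, and flags any group whose inter-arrival times are almost constant. The `SAMPLE_LOG` lines are constructed for the example; the response sizes, the second client (192.0.2.10, a documentation address) and the thresholds are assumptions.

```python
import re
import statistics
from datetime import datetime

# Constructed sample log in the shape of the line quoted above: a malformed
# request from 108.75.16.72, POSTs about two minutes apart from the same
# address, and an unrelated client hitting the same page at irregular times.
SAMPLE_LOG = r"""
108.75.16.72 - - [26/Apr/2018:09:44:10 -0500] "\xaf" 400 226 - "-" "-"
108.75.16.72 - - [26/Apr/2018:09:44:11 -0500] "POST / HTTP/1.1" 200 45 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.0.2.10 - - [26/Apr/2018:09:44:30 -0500] "GET / HTTP/1.1" 200 45 - "-" "curl/7.58.0"
192.0.2.10 - - [26/Apr/2018:09:45:02 -0500] "GET / HTTP/1.1" 200 45 - "-" "curl/7.58.0"
108.75.16.72 - - [26/Apr/2018:09:46:11 -0500] "POST / HTTP/1.1" 200 45 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.0.2.10 - - [26/Apr/2018:09:47:59 -0500] "GET / HTTP/1.1" 200 45 - "-" "curl/7.58.0"
108.75.16.72 - - [26/Apr/2018:09:48:12 -0500] "POST / HTTP/1.1" 200 45 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.0.2.10 - - [26/Apr/2018:09:50:00 -0500] "GET / HTTP/1.1" 200 45 - "-" "curl/7.58.0"
192.0.2.10 - - [26/Apr/2018:09:50:01 -0500] "GET / HTTP/1.1" 200 45 - "-" "curl/7.58.0"
108.75.16.72 - - [26/Apr/2018:09:50:12 -0500] "POST / HTTP/1.1" 200 45 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
108.75.16.72 - - [26/Apr/2018:09:52:13 -0500] "POST / HTTP/1.1" 200 45 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
108.75.16.72 - - [26/Apr/2018:09:54:13 -0500] "POST / HTTP/1.1" 200 45 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
"""

# Client address, timestamp, request line, status and size; anything after
# the size (the extra "-", referer, user agent) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# An HTTP method token as Apache would log it; "\xaf" does not match.
METHOD_RE = re.compile(r"^[A-Z]+$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0],
        "path": parts[1] if len(parts) > 1 else "",
        "status": int(m.group("status")),
        "request": m.group("req"),
    }


def find_beacons(lines, min_requests=5, tolerance=2.0):
    """Group requests by (ip, method, path) and report groups whose inter-arrival
    times all sit within `tolerance` seconds of the median period."""
    groups = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        groups.setdefault((rec["ip"], rec["method"], rec["path"]), []).append(rec["ts"])
    hits = {}
    for key, times in groups.items():
        if len(times) < min_requests:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(deltas)
        jitter = max(abs(d - period) for d in deltas)
        if jitter <= tolerance:
            hits[key] = {"count": len(times), "period": period, "jitter": jitter}
    return hits


def find_malformed_methods(lines):
    """Return (ip, request line, status) for requests whose method is not a
    plain HTTP token, such as the "\\xaf" request that preceded the POSTs."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and not METHOD_RE.match(rec["method"]):
            out.append((rec["ip"], rec["request"], rec["status"]))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, info in find_beacons(lines).items():
        print("beacon", key, info)
    for hit in find_malformed_methods(lines):
        print("malformed method", hit)
```

Grouping on the full (address, method, path) tuple rather than the address alone is deliberate: the "\xaf" probe would otherwise land in the same bucket as the POSTs and its one-second gap would spoil the regularity test. With a real log, read lines from the file in place of `SAMPLE_LOG`; the median-plus-tolerance test tolerates the roughly one-second latency noted in the first round while still rejecting ordinary interactive traffic.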

According to nmap and Shodan, the originating host 108.75.16.72 is running a web server on port 443 that answers with the banner "mini_httpd 1.19/bhoc 23sep2004". This signature has been spotted on Arris 5268AC U-Verse modems, which are known to have several vulnerabilities. I wonder if this traffic is part of a router/gateway CPE botnet?


