$this = (new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog

Unusual HTTP POST traffic from

Posted April 16, 2018 by shaun

I had a server get some weird HTTP POST requests, and decided to post about it here for Google food. If you recognize the traffic pattern, please let me know.

  • Source IP, not currently reported in common OSINT abuse/netflow logs

  • Requests were made to the target server's IP, not to a hostname

  • Plain HTTP on port 80

  • 48 requests exactly 120 seconds apart (with apparent ~1 second latency)

  • Post data lengths between 356 and 440 bytes, always an even number

  • The data encoding resembles base64, with some payloads ending in = or ==, but doesn't decode to anything text-based

Here's a sample request. (I masked the target IP and added newlines to the payload.)

Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 314.15.92.65
Content-Length: 432
Cache-Control: no-cache


The target server is running Apache but there's nothing there, just an "It works!" page, and it's seen no other unusual traffic. There were a total of 48 requests, but I only noticed in time to get a tcpdump capture of the last 18.
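A check for the traits listed above (fixed interval, bare-IP Host header, even-length base64-like bodies that decode to non-text), as an added example that is not part of the original post. The record tuple layout, the thresholds, the assumption that the whole POST body is the encoded blob, and the documentation-range addresses in the sample are all constructed for illustration.

```python
import base64, binascii, random, re, statistics
from collections import defaultdict

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
IP_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")  # Host header is a bare IP

def looks_like_opaque_base64(body):
    """Base64 alphabet, but the decoded bytes are mostly non-printable."""
    if not B64_RE.match(body):
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return bool(raw) and printable / len(raw) < 0.9

def find_beacons(records, min_requests=10, max_jitter=2.0):
    """records: (epoch_seconds, src_ip, host_header, post_body) tuples."""
    by_src = defaultdict(list)
    for ts, src, host, body in records:
        by_src[src].append((ts, host, body))
    findings = []
    for src, reqs in by_src.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        period = statistics.median(gaps)          # dominant interval
        jitter = max(abs(g - period) for g in gaps)
        if (jitter <= max_jitter
                and all(IP_HOST_RE.match(h) for _, h, _ in reqs)
                and all(len(b) % 2 == 0 and looks_like_opaque_base64(b)
                        for _, _, b in reqs)):
            findings.append({"src": src, "count": len(reqs),
                             "period": period, "jitter": jitter})
    return findings

def constructed_sample():
    """Constructed data: 18 beacon-like POSTs plus 12 ordinary form posts."""
    rng = random.Random(0)
    recs = []
    for i in range(18):  # 120 s apart, up to 1 s of latency
        raw = bytes(rng.getrandbits(8) for _ in range(rng.randrange(265, 331)))
        recs.append((1000 + 120 * i + (i // 2) % 2, "198.51.100.7",
                     "203.0.113.10", base64.b64encode(raw).decode()))
    for i in range(12):  # irregular timing, readable body, named host
        recs.append((1000 + 37 * i * i, "198.51.100.99",
                     "www.example.org", "name=alice&comment=hello"))
    return recs

if __name__ == "__main__":
    print(find_beacons(constructed_sample()))
```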
