Strange incoming HTTP requests

Andre

Was playing with Ethereal and I'm noticing incoming HTTP requests from a couple of ADSL IPs.

I'm seeing this:
SEARCH /±±±±±±±±±±±±±± (repeats for a while). This is on Port 80.

The web server is sending back a HTTP 400 bad request for each one.

Is this some kind of buffer overflow type exploit?

Anyone else getting this?
 

antowan

I get more than that on Ethereal. Apart from all the usernames and passwords on the network (local LAN [:D]) going to Telkom's services, I also find some strange requests from all over the world... You are referring to ADSL 165.165.xxx.xxx range IPs, I presume.

It is bound to happen that, through the cycling of the IPs through Telkom's userbase, some machines will try to reconnect to services on previously allocated users' machines. That is why we get this "noise" on the network...

Anybody else got more details?

Cheers
Ant

He who does not understand the value of war at the right time, cannot comprehend the value of life at any time - Anonymous
 

TheRoDent

I see those constantly. So constantly, I don't even log them anymore, since they're quite large sometimes.

Malformed URLs. Probably a few poor slogs whose machines got infected, and now the zombies are scanning the IP ranges.

The more small companies get connected to ADSL, the more likely this is to happen. Many of them don't bother with antivirus software, and still blindly download and surf the net.


 

Karnaugh

Those are generally either IIS exploit attempts or someone looking for open proxies.

There is also a new virus going around with attempts to exploit IIS servers as well as the RPC bug, so watch out for that one.

- Colin Alston
colin at alston dot za dot org

"Warning: Use with extreme caution."
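
Added example, not part of any post in this thread: a small log check for the requests described above (a SEARCH request whose path is one character repeated for a long time, answered with HTTP 400). It assumes the web server writes Common Log Format; the sample lines, addresses and thresholds are constructed for illustration.

```python
import re

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*)" (\d{3}) \S+$')
# A unit of 1-4 characters repeated 32+ times in a row. This covers a raw
# filler character as well as its escaped log form such as \xb1.
FILLER = re.compile(r'(.{1,4}?)\1{31,}')
MAX_URI = 1024  # assumed limit; tune to the longest legitimate URL on the site

def inspect(line):
    """Return (host, method, uri_len, status) if the URI looks padded, else None."""
    m = CLF.match(line)
    if not m:
        return None
    host, request, status = m.group(1), m.group(2), int(m.group(3))
    method, _, rest = request.partition(" ")
    uri = re.sub(r" HTTP/\d\.\d$", "", rest)  # version may be absent on bad requests
    if len(uri) > MAX_URI or FILLER.search(uri):
        return host, method, len(uri), status
    return None

def summarise(lines):
    """Per source host: padded requests seen, and how many were NOT answered 400."""
    report = {}
    for line in lines:
        hit = inspect(line)
        if hit:
            host, _method, _length, status = hit
            entry = report.setdefault(host, {"padded": 0, "not_rejected": 0})
            entry["padded"] += 1
            entry["not_rejected"] += int(status != 400)
    return report

# Constructed sample log (documentation-range addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2003:10:00:00 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Nov/2003:10:00:05 +0200] "SEARCH /' + "\\xb1" * 3000 + '" 400 226',
    '198.51.100.7 - - [01/Nov/2003:10:00:09 +0200] "SEARCH /' + "±" * 3000 + ' HTTP/1.1" 400 226',
    '203.0.113.4 - - [01/Nov/2003:10:01:00 +0200] "GET /search?q=aaaa HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for host, counts in summarise(SAMPLE_LOG).items():
        print(host, counts)
```

A non-zero "not_rejected" count means the server answered a padded request with something other than 400, which is the case worth a closer look.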
 