You Too? "Unusual Activity with Double Base64 Encoding"
Last week, Guy wrote a diary entry "Unusual Activity with Double Base64 Encoding" describing unusual scanning activity he sees on his honeypot.
I too see this activity on my honeypots (port 8080). Exactly the same. The very first hit was almost a year ago: December 30th 2018.
FYI: I'm using a simple honeypot I developed in Python.
Please post a comment if you see this activity too.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
Comments
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
BSType: 3
Content-Length: 0
Date: Tue, 05 Nov 2019 15:20:55 GMT
Not sure if this is some sort of probe for forward proxies, or some sort of C&C server. One vendor reports requests for this IP as cyclical, running for three days on approximately a ten day cycle. A continuous volume of requests spiked in April through May of this year (5 times the volume of requests vs the recent three day spikes).
Hope this helps - please post anything else that you find!
Mike
Anonymous
Nov 5th 2019
4 years ago