Odd POST Request To Web Honeypot
I just saw this odd POST request to our honeypot's index page. Has anybody seen something like this? No idea what they are trying to accomplish.
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; EIE10;ENUSMSN)
Host: [IP Address of Honeypot]
Content-Length: 364
Cache-Control: no-cache
I2pA3cU8VSiuw2nCOwlrKN+K8jeDYiuG9stiEykFE1QDf9qZ+7DWSqt4nzWXnsjB1yXtBq8Ln7nj2FExhjmxJcRTYLCuDyBnRP8cpqOAlJrM68lEatjAS4O2bpQVbtVHAyfttd9LcsaDvkYDD9UaOVcnCnDZJxq0t4M5i9WaJusrSBNJri9br9CFjEM7IrLxS1ZUS4lR6ukW1yRvMMe1seSujBbfBqrZbijFHaH4eK5TcH6AJGkikgaiVLi6uABwhnX+VL9Nzfss+RRzC4n1hX6zHKn4+XfoCIHs3hFbgUOjqQx2vPvOek3+y2fAbsndiqz8SCzMJSzW0QxBW6Jju8aNr+n9+elCQ60vRM/SRIbl
The payload looks Base64 encoded, but decoding doesn't help much either. It also looks like the "+" (which would be a space if URL encoded) marks a delimiter.
0000000: 236a 40dd c53c 5528 aec3 69c2 3b09 6b28  #j@..<U(..i.;.k(
0000010: df8a f237 8362 2b86 f6cb 6213 2905 1354  ...7.b+...b.)..T
0000020: 037f da99 fbb0 d64a ab78 9f35 979e c8c1  .......J.x.5....
0000030: d725 ed06 af0b 9fb9 e3d8 5131 8639 b125  .%........Q1.9.%
0000040: c453 60b0 ae0f 2067 44ff 1ca6 a380 949a  .S`... gD.......
0000050: cceb c944 6ad8 c04b 83b6 6e94 156e d547  ...Dj..K..n..n.G
0000060: 0327 edb5 df4b 72c6 83be 4603 0fd5 1a39  .'...Kr...F....9
0000070: 5727 0a70 d927 1ab4 b783 398b d59a 26eb  W'.p.'....9...&.
0000080: 2b48 1349 ae2f 5baf d085 8c43 3b22 b2f1  +H.I./[....C;"..
0000090: 4b56 544b 8951 eae9 16d7 246f 30c7 b5b1  KVTK.Q....$o0...
00000a0: e4ae 8c16 df06 aad9 6e28 c51d a1f8 78ae  ........n(....x.
00000b0: 5370 7e80 2469 2292 06a2 54b8 bab8 0070  Sp~.$i"...T....p
00000c0: 8675 fe54 bf4d cdfb 2cf9 1473 0b89 f585  .u.T.M..,..s....
00000d0: 7eb3 1ca9 f8f9 77e8 0881 ecde 115b 8143  ~.....w......[.C
00000e0: a3a9 0c76 bcfb ce7a 4dfe cb67 c06e c9dd  ...v...zM..g.n..
00000f0: 8aac fc48 2ccc 252c d6d1 0c41 5ba2 63bb  ...H,.%,...A[.c.
0000100: c68d afe9 fdf9 e942 43ad 2f44 cfd2 4486  .......BC./D..D.
0000110: e5                                       .
Any ideas?
Comments
Anonymous
Apr 14th 2015
9 years ago
http://coolfire.insomnia247.nl/sans.html
It seems to be some odd hexdumped binary format but as best I can tell, part of the first line is missing.
Anonymous
Apr 14th 2015
9 years ago
PS C:\Users\jon> [system.text.encoding]::unicode.GetString([convert]::FromBase64String($a)) | Format-Hex
0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 23 6A FD FF C5 3C 55 28 AE C3 69 C2 3B 09 6B 28 #jý.Å<U(®ÃiÂ;.k(
00000010 DF 8A F2 37 83 62 2B 86 F6 CB 62 13 29 05 13 54 ß?ò7?b+?öËb.)..T
00000020 03 7F DA 99 FB B0 D6 4A AB 78 9F 35 97 9E C8 C1 .Ú?û°ÖJ«x?5??ÈÁ
00000030 D7 25 ED 06 AF 0B 9F B9 FD FF 51 31 86 39 B1 25 ×%í.¯.?¹ý.Q1?9±%
00000040 C4 53 60 B0 AE 0F 20 67 44 FF 1C A6 A3 80 94 9A ÄS`°®. gD..¦£???
00000050 CC EB C9 44 FD FF C0 4B 83 B6 6E 94 15 6E D5 47 ÌëÉDý.ÀK?¶n?.nÕG
00000060 03 27 ED B5 DF 4B 72 C6 83 BE 46 03 0F D5 1A 39 .'íµßKrÆ?¾F..Õ.9
00000070 57 27 0A 70 D9 27 1A B4 B7 83 39 8B D5 9A 26 EB W'.pÙ'.´·?9?Õ?&ë
00000080 2B 48 13 49 AE 2F 5B AF D0 85 8C 43 3B 22 B2 F1 +H.I®/[¯Ð??C;"²ñ
00000090 4B 56 54 4B 89 51 EA E9 16 D7 24 6F 30 C7 B5 B1 KVTK?Qêé.×$o0ǵ±
000000A0 E4 AE 8C 16 DF 06 FD FF 6E 28 C5 1D A1 F8 78 AE ä®?.ß.ý.n(Å.¡øx®
000000B0 53 70 7E 80 24 69 22 92 06 A2 54 B8 BA B8 00 70 Sp~?$i"?.¢T¸º¸.p
000000C0 86 75 FE 54 BF 4D CD FB 2C F9 14 73 0B 89 F5 85 ?uþT¿MÍû,ù.s.?õ?
000000D0 7E B3 1C A9 F8 F9 77 E8 08 81 FD FF 11 5B 81 43 ~³.©øùwè.ý..[C
000000E0 A3 A9 0C 76 BC FB CE 7A 4D FE CB 67 C0 6E FD FF £©.v¼ûÎzMþËgÀný.
000000F0 8A AC FC 48 2C CC 25 2C D6 D1 0C 41 5B A2 63 BB ?¬üH,Ì%,ÖÑ.A[¢c»
00000100 C6 8D AF E9 FD F9 E9 42 43 AD 2F 44 CF D2 44 86 ƯéýùéBC/DÏÒD?
00000110 FD FF ý.
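Added example (not code from the diary entry or from any commenter): a Python script that reproduces the two analyses in this thread on the body quoted in the post. It checks the original poster's two observations (the body is Base64, and the "+" might be a delimiter) against the Content-Length, prints an xxd-style dump of the raw bytes, and then repeats the UTF-16 round trip that the PowerShell one-liner above performs, to show where its "FD FF" pairs come from. The POST body and Content-Length are copied from the request in the post; the function names and the 6.0 bits/byte entropy bound are the example's own choices.

```python
import base64
import binascii
import math
from collections import Counter

# The 364-character POST body quoted in the diary entry, copied verbatim.
POST_BODY = (
    "I2pA3cU8VSiuw2nCOwlrKN+K8jeDYiuG9stiEykF"
    "E1QDf9qZ+7DWSqt4nzWXnsjB1yXtBq8Ln7nj2FEx"
    "hjmxJcRTYLCuDyBnRP8cpqOAlJrM68lEatjAS4O2"
    "bpQVbtVHAyfttd9LcsaDvkYDD9UaOVcnCnDZJxq0"
    "t4M5i9WaJusrSBNJri9br9CFjEM7IrLxS1ZUS4lR"
    "6ukW1yRvMMe1seSujBbfBqrZbijFHaH4eK5TcH6A"
    "JGkikgaiVLi6uABwhnX+VL9Nzfss+RRzC4n1hX6z"
    "HKn4+XfoCIHs3hFbgUOjqQx2vPvOek3+y2fAbsnd"
    "iqz8SCzMJSzW0QxBW6Jju8aNr+n9+elCQ60vRM/S"
    "RIbl"
)
CONTENT_LENGTH = 364  # from the request headers quoted in the post


def decode_body(body: str) -> bytes:
    """Strict Base64 decode: '+' and '/' are alphabet characters, nothing is skipped."""
    return base64.b64decode(body, validate=True)


def decode_as_form_field(body: str):
    """Read the body as x-www-form-urlencoded first ('+' -> space), then as Base64.
    Returns None when that reading is not valid Base64."""
    try:
        return base64.b64decode(body.replace("+", " "), validate=True)
    except binascii.Error:
        return None


def delimiter_fields(body: str, delim: str = "+") -> list:
    """Split on the suspected delimiter. A field that were itself an unpadded
    Base64 chunk would have a length divisible by 4; the remainder is reported."""
    return [(field, len(field) % 4) for field in body.split(delim)]


def xxd(data: bytes, width: int = 16) -> str:
    """Hex dump in xxd's layout: offset, 2-byte groups, printable-ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<{width * 5 // 2 - 1}}  {text}")
    return "\n".join(lines)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def lone_surrogates(data: bytes) -> list:
    """Byte offsets of UTF-16LE code units that are unpaired surrogates.
    A UTF-16 decoder has to do something with these; .NET and Python both
    substitute U+FFFD, which is what shows up as 'FD FF' in a hex dump."""
    units = [int.from_bytes(data[i:i + 2], "little") for i in range(0, len(data) - 1, 2)]
    lone, i = [], 0
    while i < len(units):
        high = 0xD800 <= units[i] <= 0xDBFF
        if high and i + 1 < len(units) and 0xDC00 <= units[i + 1] <= 0xDFFF:
            i += 2  # a valid surrogate pair, keep going
            continue
        if 0xD800 <= units[i] <= 0xDFFF:
            lone.append(2 * i)
        i += 1
    return lone


def utf16_roundtrip(data: bytes) -> bytes:
    """What the PowerShell one-liner does: bytes -> UTF-16 string -> bytes."""
    return data.decode("utf-16-le", errors="replace").encode("utf-16-le")


def replaced_offsets(original: bytes, roundtripped: bytes) -> list:
    """Offsets where the round trip wrote U+FFFD (fd ff) over the real bytes."""
    return [
        off for off in range(0, len(roundtripped), 2)
        if roundtripped[off:off + 2] == b"\xfd\xff" and original[off:off + 2] != b"\xfd\xff"
    ]


if __name__ == "__main__":
    raw = decode_body(POST_BODY)
    print(f"decoded {len(raw)} bytes; 3/4 of Content-Length is {CONTENT_LENGTH * 3 // 4}")
    print("valid Base64 after URL-decoding '+'?", decode_as_form_field(POST_BODY) is not None)
    print("field lengths mod 4 when split on '+':", [m for _, m in delimiter_fields(POST_BODY)])
    print(f"entropy: {shannon_entropy(raw):.2f} bits/byte")
    print(xxd(raw))
    mangled = utf16_roundtrip(raw)
    print("lone surrogates at:", [hex(o) for o in lone_surrogates(raw)])
    print("fd ff written at:", [hex(o) for o in replaced_offsets(raw, mangled)],
          f"({len(mangled)} bytes after round trip)")
```

What the script shows: the body decodes strictly to 273 bytes, which is exactly three quarters of the 364-byte Content-Length, while the URL-decoded reading ("+" as space) is not valid Base64 at all and the first "+"-separated field is 22 characters, not a multiple of 4. So the "+" characters are ordinary Base64 alphabet and the body is one opaque blob with high entropy, not a delimited list of fields. The round trip also explains the PowerShell dump: decoding the bytes as UTF-16 substitutes U+FFFD at the seven places where the data holds an unpaired surrogate or the odd trailing byte, so that output is 274 bytes with "FD FF" where the xxd dump in the post has real data (for instance at 0x38 and 0x54). When comparing dumps, work from the raw decode, not from a string round trip.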