[SANS ISC] Things that go “Bump” in the Night: Non HTTP Requests Hitting Web Servers, (Mon, Oct 11th)

If you are reviewing your web server logs periodically, you may notice some odd requests that are not HTTP requests in your logs. In particular if you have a web server listening on a non standard port. I want to quickly review some of the most common requests like that, that I am seeing:

t3 12.2.1

You may see a few variations of requests like that. For example “t3 12.1.1” is common as well. These requests are attempting to connect to WebLogic. WebLogic is able to accept data via HTTP (see Guy’s diary from this weekend for some example) or it may use the “t3” protocol. “t3” is one way to use “RMI” (Remote Method Invocation) via WebLogic. Due to a few criticial vulnerabilities in WebLogic in recent years, some of which may be exploited via “t3”, scans for “t3” are quite common.


Android Debug Bridge (ADB) is a protocol that can be used to remotely debug Android devices. Remember that Android is not only used for phones, but also on other devices in particular TV sticks. ADB hasn’t been enabled (or simply remotely usable) for many years, but the ability to exeucte arbitrary commands using this propocol is still attractive enough to lead to widespread scanning. I believe that the main target are TV sticks as they tend to be more difficult to update than phones.


SSH servers are always of interest. Some users appearantly “hide” them on ports more often used by web server. I got bad news for you: The bad guys figured you out. Hiding an ssh server on an off port worked years ago, and still keeps down the “Mirai” noise a bit. But please: use ssh keys, not passwords.

USER anonymous

Yes, there are still some people using FTP. The boomer file transfer protocol? Really not sure what attackers are hoping to find other than data that has probably already been leaked many many time. They could look for ways to stash some files? But I doubt there are many FTP servers left that have anonymous FTP upload enabled and still disk space left.


This is actually HTTP (likely), but over TLS. If an https request hits a non-TLS server, you will see the beginning of the client hello being logged. The first four bytes are often 0x16 0x03 0x01 (0x16 – Handshake 0x03,0x01 TLS Version 1.2). The fourth byte is a 0x00, terminating the string as far as logging is concerned. You may see various variations of this.

And finally, a few I have no idea what they attempt to achive. Maybe one of our readers can help?




Let me know if you have any ideas… or other odd non-http logs from your web servers.


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[BleepingComputer] You can post LinkedIn jobs as ANY employer — so can attackers

Anyone can create a job listing on the leading recruitment platform LinkedIn on behalf of any employer—no verification needed. Now, that might be nothing new, the feature and lax verification on career websites pave the ways for attackers to post bogus listings for malicious purposes. […] Source: Read More (BleepingComputer)

Read More

Daily NCSC-FI news followup 2019-06-12

Kyberhyökkääjä iski Lahden kaupungin verkkoon haittaohjelma ehti saastuttaa tietokoneita yle.fi/uutiset/3-10827423 Lahden kaupungin verkkoon ja työasemiin kohdistui kyberhyökkäys tiistaina iltapäivällä. Hyökkäyksen seurauksena verkko kuormittui ja ohjelma ehti saastuttaa koneita. Haittaohjelma on tunnistettu, ja virustorjuntaohjelmisto eristää sen tartunnan saaneissa koneissa, , kertoo kaupunki tiedotteessaan. Operaattorin palomuureissa on havaittu haittaohjelmaan liittyviä yhteysavauksia ja verkkoliikennettä, joka on estetty.. Myös: […]

Read More

[ZDNet] Australian telco sector looking down the barrel of a prescribed security standard

All posts, ZDNet

Home Affairs will be looking to co-design a cyber standard with Australian telcos should the Critical Infrastructure Bill be passed. Source: Read More (Latest topics for ZDNet in Security)

Read More