[SANS ISC] Things that go “Bump” in the Night: Non HTTP Requests Hitting Web Servers, (Mon, Oct 11th)

If you are reviewing your web server logs periodically, you may notice some odd requests that are not HTTP requests in your logs. In particular if you have a web server listening on a non standard port. I want to quickly review some of the most common requests like that, that I am seeing:

t3 12.2.1

You may see a few variations of requests like that. For example “t3 12.1.1” is common as well. These requests are attempting to connect to WebLogic. WebLogic is able to accept data via HTTP (see Guy’s diary from this weekend for some example) or it may use the “t3” protocol. “t3” is one way to use “RMI” (Remote Method Invocation) via WebLogic. Due to a few criticial vulnerabilities in WebLogic in recent years, some of which may be exploited via “t3”, scans for “t3” are quite common.


Android Debug Bridge (ADB) is a protocol that can be used to remotely debug Android devices. Remember that Android is not only used for phones, but also on other devices in particular TV sticks. ADB hasn’t been enabled (or simply remotely usable) for many years, but the ability to exeucte arbitrary commands using this propocol is still attractive enough to lead to widespread scanning. I believe that the main target are TV sticks as they tend to be more difficult to update than phones.


SSH servers are always of interest. Some users appearantly “hide” them on ports more often used by web server. I got bad news for you: The bad guys figured you out. Hiding an ssh server on an off port worked years ago, and still keeps down the “Mirai” noise a bit. But please: use ssh keys, not passwords.

USER anonymous

Yes, there are still some people using FTP. The boomer file transfer protocol? Really not sure what attackers are hoping to find other than data that has probably already been leaked many many time. They could look for ways to stash some files? But I doubt there are many FTP servers left that have anonymous FTP upload enabled and still disk space left.


This is actually HTTP (likely), but over TLS. If an https request hits a non-TLS server, you will see the beginning of the client hello being logged. The first four bytes are often 0x16 0x03 0x01 (0x16 – Handshake 0x03,0x01 TLS Version 1.2). The fourth byte is a 0x00, terminating the string as far as logging is concerned. You may see various variations of this.

And finally, a few I have no idea what they attempt to achive. Maybe one of our readers can help?




Let me know if you have any ideas… or other odd non-http logs from your web servers.


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[ZDNet] Only 50% of WA government entities get a pass mark for infosec

All posts, ZDNet

The state’s auditor-general is having her audits fall on deaf ears, with 42% of the WA government entities probed not addressing her previous findings and continuing to allow weaknesses on their IT systems. Source: Read More (Latest topics for ZDNet in Security)

Read More

[SANS ISC] BASE85 Decoding With base64dump.py, (Sat, Jul 17th)

All posts, Sans-ISC

Xavier’s diary entry “Multiple BaseXX Obfuscations” covers a malicious script that is encoded with different “base” encodings. Xavier starts with my tool base64dump.py, but he can not do the full decoding with base64dump, as it does not support BASE85. I’ve now added support for BASE85: base64dump.py version (you can watch this video: “Adding BASE85 […]

Read More

[ZDNet] Telstra’s biggest cyber worry is businesses with basic single vendor environments

All posts, ZDNet

One of Telstra’s business partners with limited IT infrastructure suffered a cyber attack that the telco explained potentially put its customers at risk. Source: Read More (Latest topics for ZDNet in Security)

Read More