Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: You Too? "Unusual Activity with Double Base64 Encoding" SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
You Too? "Unusual Activity with Double Base64 Encoding"

Last week, Guy wrote a diary entry "Unusual Activity with Double Base64 Encoding" describing unusual scanning activity he sees on his honeypot.

I too see this activity on my honeypots (port 8080). Exactly the same. The very first hit is almost a year ago: December 30th 2018.

FYI: I'm using a simple honeypot I developed in Python.

Please post a comment if you see this activity too.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

398 Posts
ISC Handler
I have noticed that these all come from ONE source IP, and the BS_Real_IP is always the same (that source IP and the SAME destination IP - 112.124.42.80 - not the server's IP that is being sent the HTTP request). Furthermore the HTTP request is a HEAD and is an absolute URL - formatted for a PROXY - for 112.124.42.80:63435. The request also includes the Proxy-Keepalive header. The URL and the Host header match, and are for the same destination as the in the BB_REAL_IP. Furthermore, that server IP address accepts requests on that TCP port in the same format. Even HEAD or GET requests for other destinations. It also replies including a custom header (although no content) - BSType:


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
BSType: 3
Content-Length: 0
Date: Tue, 05 Nov 2019 15:20:55 GMT


Not sure if this is some sort of probe for forward proxies, or some sort of C&C server. One vendor reports requests for this IP as cyclical, running for three days on approximately a ten day cycle. A continuous volume of requests spiked in April through May of this year (5 times the volume of requests vs the recent three day spikes).

Hope this helps - please post anything else that you find!

Mike
Anonymous

Sign Up for Free or Log In to start participating in the conversation!