
SANS ISC InfoSec Forums

You Too? "Unusual Activity with Double Base64 Encoding"

Last week, Guy wrote a diary entry "Unusual Activity with Double Base64 Encoding" describing unusual scanning activity he sees on his honeypot.

I too see this activity on my honeypots (port 8080). Exactly the same. The very first hit is almost a year ago: December 30th 2018.

FYI: I'm using a simple honeypot I developed in Python.

Please post a comment if you see this activity too.

Didier Stevens
Senior handler
Microsoft MVP


553 Posts
ISC Handler
Nov 3rd 2019
I have noticed that these all come from ONE source IP, and the BS_Real_IP is always the same (that source IP and the SAME destination IP, not the server's IP that is being sent the HTTP request). Furthermore, the HTTP request is a HEAD and is an absolute URL, formatted for a PROXY, for The request also includes the Proxy-Keepalive header. The URL and the Host header match, and are for the same destination as the in the BB_REAL_IP. Furthermore, that server IP address accepts requests on that TCP port in the same format, even HEAD or GET requests for other destinations. It also replies including a custom header (although no content), BSType:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
BSType: 3
Content-Length: 0
Date: Tue, 05 Nov 2019 15:20:55 GMT

Not sure if this is some sort of probe for forward proxies, or some sort of C&C server. One vendor reports requests for this IP as cyclical, running for three days on approximately a ten day cycle. A continuous volume of requests spiked in April through May of this year (5 times the volume of requests vs the recent three day spikes).

Hope this helps - please post anything else that you find!
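The request shape described in the comment above (HEAD, absolute-form request target as a forward proxy would receive it, Host matching the target authority, a Proxy-Keepalive header and a BS_Real_IP header naming the same destination) can be flagged in a honeypot's request log. The following is an added detection example, not code from the thread or from Didier's honeypot. The sample request, its IP addresses and header values are constructed placeholders; only the header names Proxy-Keepalive and BS_Real_IP come from the comment.

```python
from urllib.parse import urlsplit

# Constructed sample of a proxy-style HEAD request of the kind the thread describes.
# The addresses and values are placeholders (RFC 5737 documentation range), not
# observed traffic.
SAMPLE_REQUEST = (
    "HEAD http://203.0.113.10:8080/ HTTP/1.1\r\n"
    "Host: 203.0.113.10:8080\r\n"
    "Proxy-Keepalive: true\r\n"
    "BS_Real_IP: 203.0.113.10\r\n"
    "\r\n"
)

# A plain origin-form request, constructed as a control case.
PLAIN_REQUEST = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, version and a
    lower-cased header dict. Body (if any) is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def proxy_probe_indicators(req):
    """Return the list of indicators from the comment that this request matches."""
    indicators = []
    if req["method"] == "HEAD":
        indicators.append("head_method")

    parsed = urlsplit(req["target"])
    # absolute-form target ("http://host:port/...") is what a forward proxy expects;
    # a normal origin server should see origin-form ("/path") instead.
    if parsed.scheme and parsed.netloc:
        indicators.append("absolute_form_target")
        if req["headers"].get("host") == parsed.netloc:
            indicators.append("host_matches_target_authority")
        bs_real_ip = req["headers"].get("bs_real_ip")
        if bs_real_ip and bs_real_ip == parsed.hostname:
            indicators.append("bs_real_ip_matches_target")

    if "proxy-keepalive" in req["headers"]:
        indicators.append("proxy_keepalive_header")
    return indicators


def is_proxy_probe(raw, threshold=3):
    """Flag a raw request when at least `threshold` indicators are present.
    The threshold is an assumption for this example, not from the thread."""
    return len(proxy_probe_indicators(parse_request(raw))) >= threshold


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, PLAIN_REQUEST):
        req = parse_request(raw)
        print(req["method"], req["target"], proxy_probe_indicators(req), is_proxy_probe(raw))
```

Requiring several indicators together, rather than the absolute-form target alone, keeps ordinary clients that happen to send an absolute URL (some misconfigured or proxy-aware tools do) from being counted as this particular probe.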

