[Oisf-users] shellshock conundrum

Cooper F. Nelson cnelson at ucsd.edu
Mon Sep 29 15:04:49 UTC 2014



This is probably it.  RFC2616 specifies CR LF as the line terminator,
while making a provision for a single LF only:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.3

So, this could be a deliberate attempt at protocol-aware IDP evasion or
simply sloppy engineering on the attacker's part.

-Coop

On 9/28/2014 8:14 PM, Russell Fulton wrote:

> 
> 2014-09-26 18:13:10 61.160.224.130:56845 <- 130.216.190.19:80 3s 149 bytes RST 400 ASCII text, with no line terminators
> oid=1643-2685654208-149-0
> 
> 400 Bad Request
> Connection: close
> Date: Fri, 26 Sep 2014 06:13:12 GMT
> Content-Length: 20
> Content-Type: text/html
> X-HTTP-Version: 1.1
> 
> <h1>Bad Request</h1>
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
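
An added example, not part of the original message: a Python check that classifies the line terminators in the header block of a captured HTTP request, so requests using the bare-LF form that RFC 2616 section 19.3 tolerates, or a mix of forms, can be flagged for review. The sample requests, host name and function names are constructed for illustration.

```python
import re
from collections import Counter

# Line endings, CRLF tried first so a CRLF pair is never counted as CR + LF.
_EOL = re.compile(rb"\r\n|\n|\r")
# End of headers: an empty line, accepting CRLF or bare LF on either line.
_END_OF_HEADERS = re.compile(rb"\r?\n\r?\n")


def header_block(raw: bytes) -> bytes:
    """Return request line + headers (through the blank line, if any)."""
    m = _END_OF_HEADERS.search(raw)
    return raw[: m.end()] if m else raw


def classify(raw: bytes) -> dict:
    """Count terminator kinds in the header block and name the style."""
    counts = Counter(_EOL.findall(header_block(raw)))
    crlf, lf, cr = counts[b"\r\n"], counts[b"\n"], counts[b"\r"]
    if crlf and not (lf or cr):
        style = "crlf"        # what RFC 2616 specifies
    elif lf and not (crlf or cr):
        style = "bare-lf"     # tolerated by section 19.3, unusual in practice
    elif not (crlf or lf or cr):
        style = "none"        # truncated or not line-oriented at all
    else:
        style = "mixed"
    return {"style": style, "crlf": crlf, "lf": lf, "cr": cr,
            "alert": style != "crlf"}


# Constructed sample requests (not taken from the thread's capture).
SAMPLES = {
    "conformant": b"GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: probe\r\n\r\n",
    "lf_only": b"GET / HTTP/1.1\nHost: www.example.test\nUser-Agent: probe\n\n",
    "mixed": b"GET / HTTP/1.1\r\nHost: www.example.test\nUser-Agent: probe\r\n\r\n",
    "unterminated": b"GET / HTTP/1.1",
    # Bare LF inside the body must not affect the header verdict.
    "post_body": b"POST /x HTTP/1.1\r\nHost: www.example.test\r\n"
                 b"Content-Length: 3\r\n\r\na\nb",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} {classify(raw)}")
```
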
