
Hex Payload type attacks (?!) from specific IPs #544

Open
1 of 2 tasks
maxdd opened this issue Jan 1, 2024 · 2 comments
@maxdd commented Jan 1, 2024

Paste the full Domain name / Referrer String here


62.133.46.11 - - [01/Jan/2024:12:08:56 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABu\xA4\x95\xA8J\xE6\x8A\x80\xCE\xC3\xCF\xC6\x95\xCC\xC8\xC1\xABf\xE6\x93\xE8\xA0\x83-Dx\xE4\x9ES\x00\x00*\xC0,\xC0+\xC00\xC0/\x00\x9F\x00\x9E\xC0$\xC0#\xC0(\xC0'\xC0" 400 154 "-" "-"

172.233.57.47 - - [01/Jan/2024:08:50:47 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\xB7\x95\xEB\xEE\xF5Gk\xD2E\xB2\x84\x05\xF2\x07\xE18\xCA\xBB\xB1\x8A,\xF7\x04\xBA\x1DI\xFE\x08(7#\xAD \xB3\x81/hN\x95\x1A.q\x7FI\xDBZRUU\xB5\x05\xDF!\x91\x1B\xF2\xB3e\xBE\x8Cl\x08\xB04R\x00&\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x09\xC0\x13\xC0" 400 154 "-" "-"

Is this for Addition / Removal?

  • Addition
  • Removal

Post Log Excerpt to show User-Agent behavior (10-20 lines is enough)


62.133.46.11 - - [01/Jan/2024:12:08:54 +0000] "GET / HTTP/1.1" 404 552 "http://xxx:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4896.127 Safari/537.36"
62.133.46.11 - - [01/Jan/2024:12:08:54 +0000] "GET / HTTP/1.1" 404 552 "http://xxx:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4896.127 Safari/537.36"
62.133.46.11 - - [01/Jan/2024:12:08:56 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABu\xA4\x95\xA8J\xE6\x8A\x80\xCE\xC3\xCF\xC6\x95\xCC\xC8\xC1\xABf\xE6\x93\xE8\xA0\x83-Dx\xE4\x9ES\x00\x00*\xC0,\xC0+\xC00\xC0/\x00\x9F\x00\x9E\xC0$\xC0#\xC0(\xC0'\xC0" 400 154 "-" "-"
62.133.46.11 - - [01/Jan/2024:12:08:56 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABv\xD5\x8B\x0C\xC8\x1DL;X\xE9\xB0\xCE\xDEf\x91" 400 154 "-" "-"
62.133.46.11 - - [01/Jan/2024:12:08:57 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABw\xB7\xB7\xBA*_" 400 154 "-" "-"
62.133.46.11 - - [01/Jan/2024:12:08:57 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABw\x9A\xEE\xA8@%c]\xE4xm" 400 154 "-" "-"

172.233.57.47 - - [01/Jan/2024:08:50:47 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\xB7\x95\xEB\xEE\xF5Gk\xD2E\xB2\x84\x05\xF2\x07\xE18\xCA\xBB\xB1\x8A,\xF7\x04\xBA\x1DI\xFE\x08(7#\xAD \xB3\x81/hN\x95\x1A.q\x7FI\xDBZRUU\xB5\x05\xDF!\x91\x1B\xF2\xB3e\xBE\x8Cl\x08\xB04R\x00&\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x09\xC0\x13\xC0" 400 154 "-" "-"
172.233.57.47 - - [01/Jan/2024:08:50:51 +0000] "GET / HTTP/1.1" 404 122 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1)"

Additional information

Today I've received these two requests and I'm wondering what exactly that hex payload is. A rapid search of those two IPs shows some spamming/attacking activities.

@mitchellkrogza (Owner) commented

I had a rule somewhere to grab these, I'll have a look if I can find it and if it is still doing the job.

@maxdd (Author) commented Apr 18, 2024

ty for the feedback! Let me add more

159.223.225.251 - - [15/Apr/2024:01:51:54 +0000] "\x16\x03\x01\x00u\x01\x00\x00q\x03\x03\x13\x9F\xDE\xCB\x9E\x8D\x9B\x02\xCD=I$\x18\x07\x06G\x821\xFFkz\x8EO\xFE?!\xF9$\xF8\x9F\x22R\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 154 "-" "-"
45.33.80.243 - - [15/Apr/2024:02:23:24 +0000] "\x16\x03\x01\x00\x85\x01\x00\x00\x81\x03\x03\xF6\xFE\xBD\x1C\xD1\xA9\xB5\x86;|\x13,\x89\xFE\xCC\x14 \x99\x04Mi\xDE\xA31\xEF\x11PT\xD9G\x1F\x1B\x00\x00 \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:15 +0000] "\x16\x03\x01\x01\x17\x01\x00\x01\x13\x03\x031cj,\x85@e\xD4\x9E\xDCBA\x0B\x22e\xF0\xD6\xE7q\xFFI\x9E\xFF\xE5\xB2\xB5\xAEA\xFFTfg \x5C\xFFd\xCD\xD8\xA3\xB8\xF4\xB6x\xA1\xCF\xE2\xDD\xD7I\xB5s\x01.\xB5\xE4!'\xCF%j\xAF\xC3I<M\x004\xCC\xA8\xCC\xA9\xC0/\xC00\xC0+\xC0,\xC0\x09\x00\x9E\xCC\xA8\xCC\xAA\x003\x00=\x00\x16\xC0" 400 154 "-" "-"

152.32.181.108 - - [15/Apr/2024:02:34:36 +0000] "\x00\x00\x00\xC7\x00\x00\x00\xC3{\x22code\x22:105,\x22extFields\x22:{\x22Signature\x22:\x22/u5P/wZUbhjanu4LM/UzEdo2u2I=\x22,\x22topic\x22:\x22TBW102\x22,\x22AccessKey\x22:\x22rocketmq2\x22},\x22flag\x22:0,\x22language\x22:\x22JAVA\x22,\x22opaque\x22:1,\x22serializeTypeCurrentRPC\x22:\x22JSON\x22,\x22version\x22:401}" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:36 +0000] "\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:37 +0000] "\x03\x00\x003.\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administrator" 400 154 "-" "-"
45.79.168.172 - - [15/Apr/2024:15:16:12 +0000] "\x00\x00\x00'\xFFSMBr\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0E\x00\x02NT LM 0.12\x00" 400 154 "-" "-"


Hopefully it's not Pegasus :D
The first 3 are TLS handshakes (xz backdoor :D ?), the others are an RDP vulnerability scan and a Samba login attempt.
I'm still looking into this, so I might be wrong.
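As an added example (not code from this issue thread or from the project it was filed against), the script below does what a reader of these lines ends up doing by hand: it decodes the `\xNN` escapes nginx writes for non-printable request bytes, labels each request by the protocol header its first bytes match (HTTP, TLS ClientHello, RDP X.224 connection request, SMB1 negotiate, RocketMQ remoting), and counts the probe types per client IP. The sample log lines are constructed to mirror the ones above, with RFC 5737 placeholder addresses instead of the real IPs; the RocketMQ length-field check is my reading of that protocol's framing, not something the thread states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in nginx "combined" log format, modelled on the
# ones posted in the issue. Client IPs are RFC 5737 documentation addresses,
# not hosts that were actually observed.
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2024:12:08:54 +0000] "GET / HTTP/1.1" 404 552 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:12:08:56 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABu" 400 154 "-" "-"
192.0.2.10 - - [01/Jan/2024:12:08:57 +0000] "\x16\x03\x01\x00u\x01\x00\x00q\x03\x03\x13\x9F" 400 154 "-" "-"
192.0.2.11 - - [15/Apr/2024:02:34:36 +0000] "\x00\x00\x00\x22\x00\x00\x00\x1E{\x22code\x22:105,\x22language\x22:\x22JAVA\x22}" 400 154 "-" "-"
192.0.2.11 - - [15/Apr/2024:02:34:36 +0000] "\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00" 400 154 "-" "-"
192.0.2.11 - - [15/Apr/2024:02:34:37 +0000] "\x03\x00\x003.\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administrator" 400 154 "-" "-"
192.0.2.12 - - [15/Apr/2024:15:16:12 +0000] "\x00\x00\x00'\xFFSMBr\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0E\x00\x02NT LM 0.12\x00" 400 154 "-" "-"
'''

# One nginx "combined" line: client, ident, user, [time], "request", status,
# bytes, "referer", "user-agent". The request field is matched greedily
# because nginx has already escaped any embedded quote as \x22.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) '
    r'(?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def unescape_nginx(field: str) -> bytes:
    """Turn the \\xNN escapes nginx writes for non-printable bytes back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def classify(payload: bytes) -> tuple[str, str]:
    """Name the protocol a raw request payload looks like, plus a short detail."""
    n = len(payload)
    # A real HTTP request line: METHOD SP target SP HTTP/x.y
    if re.match(rb'^[A-Z]{3,10} \S+ HTTP/\d\.\d$', payload):
        return 'http-request', payload.split(b' ', 1)[0].decode()
    # TLS record: content type 0x16 (handshake), version 0x03 0x0N, 16-bit
    # length, then a handshake header whose first byte 0x01 is ClientHello.
    # On a plaintext port this is an HTTPS probe that picked the wrong port.
    if n >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return 'tls-client-hello', f'record version 3.{payload[2]}'
    # RDP: TPKT header (version 3, reserved 0, 16-bit length) then an X.224
    # Connection Request TPDU (code 0xE0), often carrying a "mstshash=" cookie.
    if n >= 6 and payload[0] == 0x03 and payload[1] == 0x00 and payload[5] == 0xE0:
        m = re.search(rb'mstshash=([^\r\n]*)', payload)
        return 'rdp-connection-request', m.group(1).decode('latin-1') if m else 'no cookie'
    # SMB1: 4-byte NetBIOS session header, then "\xFFSMB" and a command byte;
    # 0x72 is SMB_COM_NEGOTIATE (the dialect list such as "NT LM 0.12" follows).
    if n >= 9 and payload[4:8] == b'\xffSMB':
        kind = 'smb1-negotiate' if payload[8] == 0x72 else 'smb1-other'
        return kind, f'command 0x{payload[8]:02x}'
    # RocketMQ remoting: 4-byte total length, 4-byte serialize-type/header-length
    # word, then a JSON header. Check that the declared lengths agree with the bytes.
    if n >= 9 and payload[8:9] == b'{' and b'"code":' in payload:
        total = int.from_bytes(payload[0:4], 'big')
        header_len = int.from_bytes(payload[4:8], 'big') & 0xFFFFFF
        ok = total == header_len + 4 and n == total + 4
        return 'rocketmq-remoting', 'framing consistent' if ok else 'framing inconsistent'
    return 'unknown-binary', f'{n} bytes, starts {payload[:4].hex()}'


def parse_line(line: str):
    """Parse one log line into ip/status/category/detail, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    category, detail = classify(unescape_nginx(m.group('req')))
    return {'ip': m.group('ip'), 'status': int(m.group('status')),
            'category': category, 'detail': detail}


def summarize(log_text: str) -> dict:
    """Count, per client IP, how many requests of each protocol type were seen."""
    per_ip = defaultdict(Counter)
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw.strip())
        if rec:
            per_ip[rec['ip']][rec['category']] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


if __name__ == '__main__':
    for raw in SAMPLE_LOG.strip().splitlines():
        rec = parse_line(raw)
        print(f"{rec['ip']:<12} {rec['category']:<24} {rec['detail']}")
    print(summarize(SAMPLE_LOG))
```

Two things the output makes visible. First, the 400 status with a `-` referrer and `-` User-Agent is nginx refusing bytes that were never an HTTP request line, so any rule keyed on User-Agent or referrer strings has nothing to match; the first few bytes of the request field are the only usable signal. Second, one client sending a TLS hello, an RDP connection request, an SMB negotiate and a RocketMQ command to the same web port within seconds is the signature of a multi-protocol service scanner, which is the pattern to alert on rather than any individual line.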
