shodan - user-agent, proxy, referer

chr characters included in X_FORWARDED_FOR


dstiles

2:59 pm on Jun 11, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Saw this yesterday and discovered I hadn't deliberately trapped it, though Windows trapped the proxy part on its own.

X_Forwaded_For:
148.33.76.24[CHR(0)]shodanscanprint(chr(49).chr(55).chr(73).chr(53).chr(51).chr(48).chr(86).chr(65).chr(117).chr(52));, 10.3.124.25

This is illegal syntax (should be only IPs, commas and spaces). Caught by Windows 12 server (returned 400 code) but not by some earlier Windows. No idea about Apache/linux.

User-Agent:
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.6) Gecko/20070817 IceWeasel/2.0.0.6-g3shodanscanprint(chr(49).chr(55).chr(73).chr(53).chr(51).chr(48).chr(86).chr(65).chr(117).chr(52));

Referer:
[google.com...]

The chr values as shown are: 1.7.I.5.3.0.V.A.u.4
No idea what they would do but no doubt some kind of exploit. :(

Source was a single IP in Russian hosting: 178.210.64.0 - 178.210.95.255

keyplyr

10:38 pm on Jun 11, 2016 (gmt 0)

> Source was a single IP in Russian hosting: 178.210.64.0 - 178.210.95.255

Haven't seen this one, thanks
nic.ru hosting
178.210.64.0 - 178.210.95.255
178.210.64.0/20

lucy24

11:18 pm on Jun 11, 2016 (gmt 0)

> This is illegal syntax (should be only IPs, commas and spaces).

Ah, good tip. My existing rule only specifies

X-Forwarded-For ^(unknown|\W)

although frankly I don't even understand how you can x-forward-for more than one IP at the same time, which manifestly does occur.

dstiles

4:43 pm on Jun 13, 2016 (gmt 0)

I had a similar trap failure: checking for IPs split on a comma without making sure all items WERE IPs.

> x-forward-for more than one IP

It's common for one of the IPs to be a local one - 192.168, 10 etc. Probably a firewall with a DMZ and proxy running through it. Other IPs could be introduced by THAT mechanism working via (e.g.) a google proxy, so that could make 3 IPs; 4 if the secondary proxy has a local IP involved.

That's my take on it, anyway. :)
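The two checks discussed above (lucy24's start-anchored `^(unknown|\W)` rule and dstiles' point that every comma-separated item must itself be an IP) can be compared directly in code. The following Python snippet is an added example, not code from the thread or from any poster; it builds its own sample header values (the injected one is modelled on the value dstiles quoted, with a real NUL byte standing in for the `CHR(0)`), and also includes a small helper that decodes `chr(N)` calls found in a logged header so the embedded string can be read during triage, as done by hand earlier in the thread.

```python
import ipaddress
import re

# Constructed sample header values for the demonstration (assumption: modelled
# on the thread's report, not captured from any live server). "\x00" is the
# NUL byte that the quoted value shows as CHR(0).
SAMPLES = {
    "injected": (
        "148.33.76.24\x00shodanscanprint(chr(49).chr(55).chr(73).chr(53)"
        ".chr(51).chr(48).chr(86).chr(65).chr(117).chr(52));, 10.3.124.25"
    ),
    "chain_with_private": "148.33.76.24, 10.3.124.25",
    "single": "148.33.76.24",
    "unknown_prefix": "unknown, 148.33.76.24",
    "leading_symbol": "-, 148.33.76.24",
}

# The start-anchored rule from the thread: it only inspects the first bytes.
PREFIX_RULE = re.compile(r"^(unknown|\W)")

# Matches the chr(N) calls the scanner used to spell out its string.
CHR_CALL = re.compile(r"chr\((\d{1,3})\)", re.IGNORECASE)


def prefix_rule_blocks(value: str) -> bool:
    """True when the start-anchored rule would reject this header value."""
    return PREFIX_RULE.match(value) is not None


def parse_forwarded_for(value: str):
    """Split on commas and require every element to be an IP literal.

    Returns a list of ipaddress objects, or None if any element is not a
    valid IPv4/IPv6 address. A NUL byte or injected code in any element
    makes that element fail, so the whole header is rejected.
    """
    ips = []
    for item in value.split(","):
        item = item.strip(" \t")
        try:
            ips.append(ipaddress.ip_address(item))
        except ValueError:
            return None
    return ips


def decode_chr_calls(value: str) -> str:
    """Recover the characters spelled as chr(N) calls inside a logged value."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(value))


def classify(value: str) -> dict:
    """Compare both rules and count hops, including private (RFC 1918) ones."""
    ips = parse_forwarded_for(value)
    return {
        "prefix_rule_blocks": prefix_rule_blocks(value),
        "strict_rule_blocks": ips is None,
        "hop_count": 0 if ips is None else len(ips),
        "private_hops": 0 if ips is None else sum(1 for ip in ips if ip.is_private),
    }


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:20} {classify(header)}")
    print("decoded payload string:", decode_chr_calls(SAMPLES["injected"]))
```

Running it shows the gap dstiles described: the injected value starts with a well-formed IP, so the prefix rule lets it through, while the per-element check rejects it because the first element is no longer an IP once the NUL and the trailing text are attached. The private-hop count illustrates the multi-IP chains being discussed, where an internal proxy address such as 10.3.124.25 follows the client's address.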

lucy24

10:06 pm on Jun 13, 2016 (gmt 0)

:: rewind ::

> X_Forwaded_For

Was that a posting typo, or the actual header name? I haven't met that form, but I have a global ban on
X-Fowarded-For [sic]
and a couple of other attested misspellings. (Also one correctly spelled header that I've never seen from anyone but a robot. Maybe it's something human browsers used in 1995.)

blend27

1:21 pm on Jun 14, 2016 (gmt 0)

I was watching our sunset when I got an email from my firewall - almost choked on a cold one at that point.

WTF is X-Varnish header?

and X-PIPER-ID? Are we in Silicon Valley now?

dstiles

2:59 pm on Jun 15, 2016 (gmt 0)

Lucy - typo. Sorry. That's my internal version, since the software gets confused by hyphens.

Blend27 - isn't X-Varnish Polish and X_PIPER from the gates of dawn? :)