What is this "/smoke/" about?

Published: 2016-03-16. Last Updated: 2016-03-16 04:26:30 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

I am currently seeing a lot of requests against my honeypot like the following:

----------
POST /smoke/ 1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2)
Host: [server ip address]
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache

#nhDMzQ1lB3v5i'K^MiUE]Fzt @
z3@

----------------------

The payload appears to be random, and note the missing "HTTP" part in the protocol version of the request line (not all of the requests are missing it, though).

Any idea what this could be about? I can't find any specific tool associated with the "smoke" URL.

Here are a couple more requests to show the variability in User-Agent and body:

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 102
Host: [ip address]

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [ip address]


~F@975t?{jB r8xfj9hP;)i2Y?[x;q!1V
l

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [server ip address]

g~D{./cANBa(<@AE8{3*WtDr;0'I_/ otqVC tE_
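As a defender-side illustration of how these captures could be triaged automatically, here is a small Python routine (added here, not code from the diary) that applies the checks the observations above suggest: a request line whose third token is not an HTTP version, a POST to the /smoke/ path, a body that does not fit the declared application/x-www-form-urlencoded type, a Content-Length that disagrees with the body actually received, and a body whose byte entropy looks random rather than form-like. The two embedded requests are constructed for the example: the first mirrors the shape of the first capture shown above (with a placeholder Host), the second is an ordinary form post for contrast. The 4.0 bits/byte entropy threshold is an assumption chosen to separate these two samples, not a calibrated value.

```python
import collections
import math
import re
from urllib.parse import urlsplit

# Byte set a valid application/x-www-form-urlencoded body is built from.
FORM_SAFE = re.compile(rb"^[A-Za-z0-9*\-._%+=&]*$")
# Third token of a well-formed request line (RFC 7230: method SP target SP version).
HTTP_VERSION = re.compile(r"^HTTP/\d\.\d$")
# Assumed heuristic threshold (bits per byte); short form bodies land well below it.
ENTROPY_THRESHOLD = 4.0


def parse_request(raw: bytes):
    """Split a raw request into (request_line, headers, body).

    Header names are lowercased; bare LF line endings are tolerated, which is
    common in honeypot captures that have been through a few tools.
    """
    raw = raw.replace(b"\r\n", b"\n")
    head, _, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty body."""
    if not data:
        return 0.0
    n = len(data)
    counts = collections.Counter(data).values()
    return -sum((c / n) * math.log2(c / n) for c in counts)


def classify(raw: bytes) -> list:
    """Return the list of anomaly tags that fire for one raw request."""
    findings = []
    request_line, headers, body = parse_request(raw)
    parts = request_line.split(" ")
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""

    # "POST /smoke/ 1.1" has three tokens but no HTTP/ version.
    if len(parts) != 3 or not HTTP_VERSION.match(parts[2]):
        findings.append("malformed-request-line")

    # The path the diary keeps seeing; matched on the path only.
    if method == "POST" and urlsplit(target).path == "/smoke/":
        findings.append("smoke-probe-path")

    # Declared form encoding, but bytes a form encoder would never emit.
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and body \
            and not FORM_SAFE.match(body):
        findings.append("body-not-form-encoded")

    # Truncated or padded bodies show up as a Content-Length disagreement.
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) != len(body):
        findings.append("content-length-mismatch")

    # Random-looking filler scores high; real form data is highly redundant.
    if len(body) >= 16 and shannon_entropy(body) > ENTROPY_THRESHOLD:
        findings.append("high-entropy-body")
    return findings


# Constructed samples (not the diary's captures). 192.0.2.10 is a
# documentation address standing in for the honeypot's IP.
PROBE = (
    b"POST /smoke/ 1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Length: 27\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"#nhDMzQ1lB3v5i'K^MiUE]Fzt @"
)
LEGIT = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"user=alice&pass=secret123"
)


def scan(samples: dict) -> dict:
    """Classify every named sample; handy for feeding a batch of captures."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, tags in scan({"probe": PROBE, "legit": LEGIT}).items():
        print(f"{name}: {', '.join(tags) if tags else 'no findings'}")
```

Running the block prints the tags per sample; wired into a honeypot pipeline, the same `classify` call per captured request gives a cheap first-pass signal that is independent of the User-Agent, which the captures above show varies freely.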

---
Johannes B. Ullrich, Ph.D.

Comments

Mozilla Devs sometimes run smoke tests on the application, simply for testing purposes. Not sure why they're sending this out to everyone, but do you happen to have Firefox or Thunderbird installed?
Possibly an application-layer DDoS attack. Malformed request plus pragma no-cache.
It might have something to do with this. Smoke is a forms validator.

http://alfredobarron.github.io/smoke/#/getting-started
Thanks for the comments! The DDoS idea, maybe using the Mozilla Dev tool is interesting. These requests are from a honeypot. So I don't think it is "legit" testing. They also come from a large number of different IPs.
Not sure if it is related or not, but found this on a website that talks about "smoke".

http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html
https://github.com/xebialabs-community/xld-smoke-test-plugin