Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
What is this "/smoke/" about?

I am currently seeing a lot of requests against my honeypot like the following:

----------
POST /smoke/ 1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2)
Host: [server ip address]
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache

#nhDMzQ1lB3v5i'K^MiUE]Fzt @
z3@

----------------------

The payload is "random", and note the missing "HTTP" part in the protocol version. (but not all requests are missing that part).

Any idea what this could be about? I can't find any specific tool associated with the "smoke" URL.

Here are a couple more requests to show the variability in User-Agent and body:

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 102
Host: [ip adresss]

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [ip address]


~F@975t?{jB r8xfj9hP;)i2Y?[x;q!1V
l

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [server ip address]

g~D{./cANBa(<@AE8{3*WtDr;0'I_/ otqVC tE_

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022

 Johannes

4352 Posts
ISC Handler
Mar 16th 2016
Thread locked Subscribe Mar 16th 2016
5 years ago
Mozilla Devs sometimes run smoke test on the application, simply for testing purposes. Not sure why they're sending this out to everyone, but do you happen to have Firefox or thunderbird installed?
 Anonymous
Quote Mar 16th 2016
5 years ago
Possibly an application-layer DDoS attack. Malformed request plus pragma no-cache.
 Roland Dobbins

7 Posts
Quote Mar 16th 2016
5 years ago
It might have something to do with this. Smoke is a forms validator.

http://alfredobarron.github.io/smoke/#/getting-started
 KG

1 Posts
Quote Mar 16th 2016
5 years ago
Thanks for the comments! The DDoS idea, maybe using the Mozilla Dev tool is interesting. These requests are from a honeypot. So I don't think it is "legit" testing. They also come from a large number of different IPs.
 Johannes

4352 Posts
ISC Handler
Quote Mar 16th 2016
5 years ago
Not sure it is related or not, but found this on a website that talks about "smoke".

http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html
 Johannes
1 Posts
Quote Mar 16th 2016
5 years ago
https://github.com/xebialabs-community/xld-smoke-test-plugin
 Johannes
1 Posts
Quote Mar 16th 2016
5 years ago

Sign Up for Free or Log In to start participating in the conversation!