I am currently seeing a lot of requests against my honeypot like the following:

----------
POST /smoke/ 1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2)
Host: [server ip address]
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache

#nhDMzQ1lB3v5i'K^MiUE]Fzt @ z3@
----------------------

The payload is "random", and note the missing "HTTP" part in the protocol version. (but not all requests are missing that part). Any idea what this could be about? I can't find any specific tool associated with the "smoke" URL.

Here are a couple more requests to show the variability in User-Agent and body:

POST /smoke/ HTTP/1.1

POST /smoke/ HTTP/1.1

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 102
Host: [server ip address]

g~D{./cANBa(<@AE8{3*WtDr;0'I_/ otqVC tE_
--- |
Johannes 4473 Posts ISC Handler Mar 16th 2016 |
Mar 16th 2016 6 years ago |
Mozilla Devs sometimes run smoke tests on the application, simply for testing purposes. Not sure why they're sending this out to everyone, but do you happen to have Firefox or Thunderbird installed?
|
Anonymous |
Mar 16th 2016 6 years ago |
Possibly an application-layer DDoS attack. Malformed request plus pragma no-cache.
|
Roland Dobbins 7 Posts |
Mar 16th 2016 6 years ago |
It might have something to do with this. Smoke is a forms validator.
http://alfredobarron.github.io/smoke/#/getting-started |
KG 1 Posts |
Mar 16th 2016 6 years ago |
Thanks for the comments! The DDoS idea, maybe using the Mozilla Dev tool, is interesting. These requests are from a honeypot. So I don't think it is "legit" testing. They also come from a large number of different IPs.
|
Johannes 4473 Posts ISC Handler |
Mar 16th 2016 6 years ago |
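As an added example (not part of any post in this thread): a small Python triage script a honeypot operator could run over captured requests like the ones in the first post, flagging POST /smoke/ hits whose request line lacks the "HTTP/" version token and counting distinct sources and User-Agents. The capture format (source IP plus raw request bytes), the function names and the sample data are assumptions constructed for illustration; the IE8 User-Agent is shortened from the post.

```python
import re
from collections import Counter

# request-line = method SP request-target SP HTTP-version (RFC 7230)
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>\S+)$")
HTTP_VERSION = re.compile(r"^HTTP/\d\.\d$")

def parse_request(raw: bytes) -> dict:
    """Split one raw captured request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (l.partition(":") for l in lines[1:]) if sep}
    version = m.group("version") if m else None
    return {
        "method": m.group("method") if m else None,
        "target": m.group("target") if m else None,
        "version": version,
        "valid_version": bool(version and HTTP_VERSION.match(version)),
        "user_agent": headers.get("user-agent", ""),
        "body_len": len(body),
    }

def summarize(captures):
    """captures: iterable of (source_ip, raw_request_bytes) pairs."""
    summary = {"hits": 0, "malformed_version": 0, "sources": set(), "user_agents": Counter()}
    for src, raw in captures:
        req = parse_request(raw)
        if req["method"] != "POST" or req["target"] != "/smoke/":
            continue  # only the pattern discussed in this thread
        summary["hits"] += 1
        summary["malformed_version"] += not req["valid_version"]
        summary["sources"].add(src)
        summary["user_agents"][req["user_agent"]] += 1
    return summary

# Constructed sample captures: documentation-range IPs, made-up binary bodies.
UA_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
UA_IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
def build(request_line: str, ua: str, body: bytes) -> bytes:
    head = f"{request_line}\r\nUser-Agent: {ua}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode("latin-1") + body
SAMPLE = [
    ("192.0.2.10", build("POST /smoke/ 1.1", UA_IE8, b"\x23\x6e\x68\x00\xff" * 4)),
    ("198.51.100.7", build("POST /smoke/ HTTP/1.1", UA_IE11, bytes(range(30)))),
    ("203.0.113.5", build("GET /index.html HTTP/1.1", UA_IE11, b"")),
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```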
Not sure if it is related or not, but found this on a website that talks about "smoke".
http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html |
Johannes 1 Posts |
Mar 16th 2016 6 years ago |
https://github.com/xebialabs-community/xld-smoke-test-plugin
|
Johannes 1 Posts |
Mar 16th 2016 6 years ago |