I'll be sure to keep you in the loop, Red-Tail Books. If I were to take a guess, I'd guess that hex value is the key to fully understanding this. Wish I knew more about exploits and stuff. I remember similar things like that when I was a kid and used to play around with stuff like Metasploit. A

Wow Ken, thanks for the thorough research. I just did a whois and figured it wasn't an attack. But being a complete rookie (no experience with Linux or servers prior to creating a droplet on DO 2 weeks ago), I was curious not to see any request prefix (GET|POST|CONNECT...etc...) and then I saw

Okay Red-Tail Books, I got more information for you! This is the latest response I got:

"The malware is installed via a range of vulnerabilities including social engineering. This scan is really testing for the malware's rendezvous protocol for command and control. As a rule, we have been info

I contacted one of the people involved with CESR and I have received a response. This is what they say:

"Yes, this is a scan from our group. It is not in fact looking for a vulnerability, but for a very specific infection. The scan is harmless, but there is a very rare and stealthy piece of ma

I think I can shed a little light on this. I believe it has something to do with exploits / vulnerabilities. I'm not sure what the hex values are, but I'm guessing that's part of the exploit. I've tried searching for it but couldn't find anything. Maybe the query is confusing the search eng

Saw this in my access.log this morning...

169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"

Can someone more knowledgeable explain what the "request" was and why it was successful? And what 11k of data did Apache serve?

Thanks
dave
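One way to triage entries like the one above automatically, as an added example that is not from anyone in this thread: it undoes Apache's \xHH log escaping, checks whether the request field is a real HTTP request line (METHOD, target, HTTP/x.y), and flags raw-byte probes that carry no method at all. The log regex and method list are my assumptions about the Apache common/combined format; the second sample line is constructed for contrast.

```python
import re

# Apache common-log-format fields: client, identd, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A well-formed HTTP request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r'^([A-Z]+) (\S+) HTTP/\d\.\d$')
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT", "TRACE", "PATCH"}
# Apache writes non-printable bytes as \xHH and escapes \" \\ \n \t \r in the log.
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[ntr"\\])')

def unescape_apache(field: str) -> bytes:
    """Turn an escaped access.log field back into the raw bytes the server saw."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))          # \xHH -> that single byte
        return {"n": "\n", "t": "\t", "r": "\r"}.get(esc, esc)
    return ESCAPE_RE.sub(repl, field).encode("latin-1")

def classify(line: str) -> dict:
    """Parse one access.log line and say whether its request field is real HTTP."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False}
    raw = unescape_apache(m["request"])
    nonprintable = sum(1 for b in raw if b < 0x20 or b > 0x7E)
    rl = REQUEST_LINE_RE.match(raw.decode("ascii", errors="replace"))
    if rl and rl.group(1) in HTTP_METHODS:
        verdict = "http"           # ordinary request line with a known method
    elif nonprintable:
        verdict = "binary-probe"   # no method, raw bytes: a non-HTTP scanner/probe
    else:
        verdict = "malformed"      # printable text (e.g. "-") but not a request line
    return {"parsed": True, "ip": m["ip"], "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"]),
            "nonprintable": nonprintable, "verdict": verdict}

# The line from the thread, plus one constructed ordinary request for contrast.
SAMPLE_LINES = [
    r'169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"',
    r'203.0.113.7 - - [08/Jul/2016:05:45:01 -0700] "GET /index.html HTTP/1.1" 200 11434 "-" "curl/7.47.0"',
]
```

Running `classify` over each line in `SAMPLE_LINES` reports the first as a binary probe with six non-printable bytes and the second as a normal HTTP request; the same loop over a whole access.log gives a quick list of non-HTTP connections to look into.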