71

I currently run an Apache HTTP server, and have set up monitoring to receive emails whenever an error appears in the error logs. I get the usual: attempts to find out if I'm using HTTP 1.0 and to see if I'm using off-the-shelf software like WordPress that can be exploited.

Over the weekend I saw a new entry in my error logs and was wondering what the potential exploiter was trying to do (Abcdef is, I'm guessing, the exploiter's handle (I have changed it)):

:[DATE] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request HEAD towards the green fields outside. Watch the goats chewing the grass. What is the meaning of life? Life isn't about getting to the end. Goats know this. You should know too. Goats are wise. Goats are cute. Listen to them! This is the message. Love goats, love the Internet! \xf0\x9f\x90\x90 Abcdef. HTTP/1.0

Now apart from obviously telling me about their love for goats, can anyone determine what the aim of this request was? I tried to google part of the string... and just ended up with results about goats!

I guess that the idea was to provide a URI which would cause an overflow resulting in something to do with the Unicode at the end, but am unsure.

NOTE: I have made the giant assumption that the request did have nefarious means due to the chars at the end of the request, hence posting in Security rather than Server Fault.

Stephen Ostermiller
Crazy Dino
  • Show us "REDACTED." Looks like a potential buffer overflow attack, but since you redacted the rest, I can't tell. – Mark Buffalo Feb 08 '16 at 13:25
  • 30
    See [30 Million Web Server Logs Invaded with Poetry](http://news.softpedia.com/news/30-million-web-server-logs-invaded-with-poetry-498500.shtml) for a more detailed description of what's going on here. – Steffen Ullrich Feb 08 '16 at 15:49
  • 1
    I found this on google: https://css-tricks.com/forums/topic/lol-server-log/ – Random832 Feb 08 '16 at 18:48
  • 3
    I suspect that the aim of this request is to make someone anonymously famous by posting their confusing HTTP request to Stack Exchange. – Todd Wilcox Feb 08 '16 at 22:27
  • 31
    I've goat to say, this is the most amusing attempt to bleat a security system I've ever seen. Kids these days, I tell ya... – corsiKa Feb 08 '16 at 22:29
  • 1
    Is the client IP address associated with an IT security conference? – kasperd Feb 09 '16 at 09:37
  • Nope. All I can find is it's an IP address based in Hungary, assigned to a telecoms company, so maybe someone's home broadband? – Crazy Dino Feb 09 '16 at 14:08
  • Just curious, are there questions on Server Fault about weird invalid HTTP requests? – Michael Feb 09 '16 at 18:48

3 Answers

55

I don't know what the REDACTED part consisted of, but I can tell you that the bytes \xf0\x9f\x90\x90 correspond to a picture of a goat in UTF-8:

Here it is: 🐐
Note: On a whim, I also looked up the Intel opcodes corresponding to these byte values. They don't do anything interesting at all — 0x90 is NOP (does nothing), 0x9f is LAHF (load FLAGS into AH register), and 0xf0 is LOCK (which will raise an illegal instruction error when followed by LAHF).

r3mainer
  • 14
    I redacted it myself when I posted, appeared to be a handle of some description. So it appears they just really loved goats and wanted to spread the message. – Crazy Dino Feb 08 '16 at 13:20
  • If the exception is thrown and the "attacker" can see it, then he knows how to hit on that poor server. Hopefully, no server has such a huge hole... (It would be awful if a server allowed remote code execution from a HEAD request). Can I keep my tinfoil hat? – Ismael Miguel Feb 09 '16 at 18:49
34

This looks similar to the poetry that was being sent out at the Chaos Communications Congress in Hamburg. In particular, it starts using the HEAD as part of the poetry (the example below uses DELETE to start the line).

https://nakedsecurity.sophos.com/2016/01/07/millions-of-servers-infected-with-poem-inviting-them-to-jump-in-the-river/

nyxgeek
4

Just found the same request in my access.log with this URL:

http://massgoat4u.megabrutal.com/

What's this?

Being inspired by #masspoem4u, I try to repeat what they did: to distribute a unique HTTP request to all IPv4 addresses around the globe.

How did you do this?

I use a slightly modified version of Robert Graham's masscan, just like the masspoem4u guys did at CCC. However, I don't have such a fast network as theirs, so my scan will approximately take a week to go through. You can find an interesting article of masscan here.

Does it do any harm?

Of course not. It is totally harmless. The only thing you should perceive is the message in your HTTP log. Since one IP gets only one request, and the order of probes is randomized, it does not drain your resources and does not overload your network.

Didn't notice anything else unusual except a request from another IP address containing other UTF-8 bytes, but it may be unrelated.

[XXX.XXX.XXX.XXX] - - [DATE] "\xad\x17\x15\xd2\xf0\xa2y\xec\xc9\xe6\xe2\xe2\xd1\"\xb1\"\x88\x82Ojo\xb8Q\xa0r\xd5\xfe\xe5E\x9a\x01\xfcf\x18\xff\x9d\x05\x1dh\xa1\xc61\xea;\x04F\x8b\xb1SgEhGk\x86&\x93b<O" 200 11899 "-" "-"
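Added example, not code from anyone in this thread: a small Python decoder for the \xHH escapes Apache writes into both the error log and the access log. It recovers the goat emoji from the four bytes r3mainer decoded by hand, and shows that the second access-log request quoted just above, unlike the poem, is not valid UTF-8 at all. The two log lines are constructed to mirror the ones in the thread, with IPs from the 192.0.2.0/24 documentation range.

```python
import re

# Apache writes non-printable and non-ASCII bytes in log lines as \xHH
# escapes (and escapes quotes and backslashes), so a request must be
# unescaped before its bytes can be inspected.
_ESCAPE = re.compile(rb'\\x([0-9a-fA-F]{2})|\\(["\\])')

# Constructed sample lines modelled on the ones in this thread; the IPs
# are from the 192.0.2.0/24 documentation range, not real clients.
ERROR_LINE = (r'[Mon Feb 08 03:12:45 2016] [error] [client 192.0.2.10] '
              r'Invalid URI in request HEAD Goats are wise. Love goats! '
              r'\xf0\x9f\x90\x90 Abcdef. HTTP/1.0')
ACCESS_LINE = (r'192.0.2.20 - - [08/Feb/2016:03:14:01 +0000] '
               r'"\xad\x17\x15\xd2\xf0\xa2y\xec\xc9\xe6\xe2\"\xb1\"\x88Ojo\xb8Q" '
               r'200 11899 "-" "-"')

def unescape_apache(field: str) -> bytes:
    """Reverse Apache's escaping (\\xHH, quotes, backslashes) to get raw bytes."""
    def repl(m):
        if m.group(1) is not None:
            return bytes([int(m.group(1), 16)])
        return m.group(2)
    return _ESCAPE.sub(repl, field.encode('latin-1'))

def request_from_error_log(line: str) -> bytes:
    """Pull the request line out of an 'Invalid URI in request ...' error."""
    m = re.search(r'Invalid URI in request (.*)$', line)
    if m is None:
        raise ValueError('not an Invalid URI error-log line')
    return unescape_apache(m.group(1))

def request_from_access_log(line: str) -> bytes:
    """Pull the first quoted field (the request) out of a combined-format line."""
    m = re.search(r'"((?:[^"\\]|\\.)*)"', line)
    if m is None:
        raise ValueError('no quoted request field in access-log line')
    return unescape_apache(m.group(1))

def classify_request(raw: bytes) -> dict:
    """Say whether the request is plain ASCII, valid UTF-8 text, or raw binary."""
    non_ascii = sum(1 for b in raw if b > 0x7F)
    try:
        text = raw.decode('utf-8')
        kind = 'ascii' if non_ascii == 0 else 'utf-8'
    except UnicodeDecodeError:
        text = raw.decode('utf-8', errors='replace')
        kind = 'binary'
    return {'kind': kind, 'non_ascii_bytes': non_ascii, 'text': text}
```

A request that decodes as UTF-8 with a few non-ASCII bytes is text (here, a poem with an emoji); one that fails to decode is a binary probe or protocol noise and is worth correlating with other traffic from that client rather than with the goat campaign.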